Oct 02

Next steps in security automation

From: GCN

By William Jackson

Building on the success of the U.S. government’s Security Content Automation Protocol (SCAP), an Internet Engineering Task Force working group is developing international standards for automating the job of assessing and monitoring the security of IT systems.

Automation is seen as essential to improving cybersecurity, and ensuring that tools from different vendors can work together in a global online environment requires industry standards. The National Institute of Standards and Technology, together with the Homeland Security Department and the National Security Agency, began the process with SCAP, a suite of interoperable specifications for conveying security information, with which vendors to government agencies must comply. The working group is expanding that limited set of specs for international use.

“The end-game here is the logical next step to SCAP,” said Adam Montville, co-chair of the Security Automation and Continuous Monitoring Working Group.

Chartered in September 2012, the IETF Security Automation and Continuous Monitoring (SACM) Working Group initially is charged with developing standardized protocols to “collect, verify and update system security configurations.” This focuses on the “security automation” portion of SACM. Continuous monitoring is expected to be addressed in future phases of the project.

NIST was among the early advocates for the effort.

“That’s what NIST does,” said Dave Waltermire, security automation architect in NIST’s Computer Security Division. “We develop specifications and best practices, and once that work achieves a level of maturity we want to transfer it to industry with international standards.”

SCAP in its present form, version 1.2, deals primarily with endpoint compliance for configuration requirements. The specifications, contained in Special Publication 800-126, support automated configuration, vulnerability and patch checking, technical control compliance and security measurement.

The SCAP specifications are the building blocks used by vendors to provide standards-based tools that can interoperate with each other in automating these processes. They create a common format for developing and enforcing baselines and producing standardized results. This requires common methods of expressing information about hardware, software and vulnerabilities.

SCAP version 1.2 includes 11 component specifications in five categories:

Read Complete Article
