C5 Compliance Platform - OVAL and XCCDF

Industry's first compliance platform built on open XML standards and compliant with Security Content Automation Protocol (SCAP).

Who benefits from this work and how?  You benefit, that's who! These vendor- and application-independent open XML document formats protect your content from being locked into an application- or vendor-specific file format.  And it's been proven many times over the last few years that XML standards-based solutions drive down costs while increasing interoperability.  In addition to the several public repositories that have been created as sources for some of this content, our Security Lab consolidates, validates, and publishes both public and Secure Elements-developed content as XML subscriptions for the C5 Element Manager.

First, a brief overview of the two L's, or languages...

Open Vulnerability Assessment Language (OVAL) - OVAL is an international, information security community baseline standard for how to check for the presence of vulnerabilities and configuration issues on computer systems.

OVAL standardizes the three main steps of the process with an OVAL System Characteristics Schema for collecting configuration data from systems for testing; OVAL Definitions to test for the presence of specific vulnerabilities, configuration issues, and/or patches; and an OVAL Results Schema for reporting the results from the evaluated systems.

The tests are standardized, machine-readable XML Vulnerability Definitions, Compliance Definitions, and Patch Definitions. OVAL's schemas and definitions are all free to download, use, reference, and implement.

eXtensible Configuration Checklist Description Format (XCCDF) - XCCDF is an XML specification language for writing security checklists, benchmarks, and related kinds of documents.  An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing.
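To make the two languages concrete, here is an added, self-contained illustration (not Secure Elements or C5 code) of the workflow the two sections above describe: a collector gathers system characteristics, OVAL-style definitions are evaluated against them, an OVAL-results-style report is emitted, and an XCCDF-style checklist of weighted rules referencing those definitions is turned into a compliance score. The XML documents, item names, rule ids, weights and the scoring rule are all constructed and deliberately simplified; they imitate the shape of the OVAL and XCCDF documents rather than conforming to the real schemas.

```python
"""Simplified OVAL-style evaluation feeding an XCCDF-style score.

Added illustration, not Secure Elements / C5 code. The XML below is a
constructed, deliberately simplified imitation of OVAL definitions,
system-characteristics and results documents; it is not schema-valid OVAL.
"""
import re
import xml.etree.ElementTree as ET

# Constructed, simplified "definitions": each test compares one collected
# item against an expected state; definitions combine tests with AND/OR.
DEFINITIONS_XML = """
<definitions>
  <test id="t1" item="sshd:PermitRootLogin" op="equals" value="no"/>
  <test id="t2" item="sshd:Protocol" op="equals" value="2"/>
  <test id="t3" item="pkg:openssl" op="pattern" value="^0\\.9\\.8[g-z]"/>
  <definition id="def-ssh-hardening" class="compliance" operator="AND">
    <criterion test_ref="t1"/>
    <criterion test_ref="t2"/>
  </definition>
  <definition id="def-openssl-patched" class="patch" operator="OR">
    <criterion test_ref="t3"/>
  </definition>
</definitions>
"""

# Constructed "system characteristics": what a collector found on one host.
SYSTEM_CHARACTERISTICS_XML = """
<system_characteristics host="host-a.example">
  <item name="sshd:PermitRootLogin">yes</item>
  <item name="sshd:Protocol">2</item>
  <item name="pkg:openssl">0.9.8h</item>
</system_characteristics>
"""

# Constructed XCCDF-style checklist: rules reference definitions and carry weights.
BENCHMARK_RULES = [
    {"id": "xccdf_rule_ssh", "check_ref": "def-ssh-hardening", "weight": 10.0},
    {"id": "xccdf_rule_openssl", "check_ref": "def-openssl-patched", "weight": 5.0},
]


def collect(sc_xml):
    """Step 1: parse collected items into a name -> value map."""
    root = ET.fromstring(sc_xml)
    return {it.get("name"): (it.text or "").strip() for it in root.iter("item")}


def evaluate_test(test, items):
    """Compare one collected item against the test's expected state.
    A missing item counts as a failed test (unknown is not compliant)."""
    actual = items.get(test.get("item"))
    if actual is None:
        return False
    if test.get("op") == "equals":
        return actual == test.get("value")
    if test.get("op") == "pattern":
        return re.search(test.get("value"), actual) is not None
    raise ValueError(f"unsupported operation {test.get('op')!r}")


def evaluate_definitions(defs_xml, items):
    """Step 2: evaluate every definition; returns {definition id: True/False}."""
    root = ET.fromstring(defs_xml)
    tests = {t.get("id"): t for t in root.iter("test")}
    results = {}
    for d in root.iter("definition"):
        outcomes = [evaluate_test(tests[c.get("test_ref")], items) for c in d.iter("criterion")]
        results[d.get("id")] = all(outcomes) if d.get("operator") == "AND" else any(outcomes)
    return results


def score_benchmark(rules, def_results):
    """Step 3: XCCDF-like weighted score (simplified): a rule scores 100 on
    pass and 0 on fail; the benchmark score is the weight-averaged rule score.
    Returns (score, {rule id: 'pass'|'fail'})."""
    per_rule = {r["id"]: ("pass" if def_results[r["check_ref"]] else "fail") for r in rules}
    total_weight = sum(r["weight"] for r in rules)
    weighted = sum(r["weight"] * (100.0 if per_rule[r["id"]] == "pass" else 0.0) for r in rules)
    return round(weighted / total_weight, 2), per_rule


def results_xml(host, def_results):
    """OVAL-results-style report of definition outcomes (constructed layout)."""
    root = ET.Element("results", host=host)
    for def_id, ok in sorted(def_results.items()):
        ET.SubElement(root, "definition", id=def_id, result="true" if ok else "false")
    return ET.tostring(root, encoding="unicode")


def run_assessment():
    """Run the whole collect -> evaluate -> score chain on the constructed data."""
    items = collect(SYSTEM_CHARACTERISTICS_XML)
    def_results = evaluate_definitions(DEFINITIONS_XML, items)
    score, per_rule = score_benchmark(BENCHMARK_RULES, def_results)
    return def_results, per_rule, score


if __name__ == "__main__":
    defs, per_rule, score = run_assessment()
    print(results_xml("host-a.example", defs))
    print(per_rule, "score:", score)
```

On the constructed host, PermitRootLogin is still "yes", so the AND-combined SSH hardening definition fails while the OpenSSL patch definition passes; the weighted checklist therefore scores 33.33. The separation of the three documents is the point: the same definitions can be evaluated against characteristics collected from any host, and the same checklist can be re-scored without touching the checks.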

Development of the XCCDF specification has been led by the National Security Agency (NSA) and sponsored by the Department of Homeland Security (DHS), with contributions from other agencies and commercial organizations.  XCCDF provides a uniform foundation for expressing security checklists, benchmarks, and other configuration guidance, and thereby fosters more widespread application of good security practices.  In addition, the National Institute of Standards and Technology (NIST) has selected XCCDF as the standard format that vendors use to publish recommended security configuration checklists, which NIST then distributes for free to the public as part of its Information Security Automation Program.

These checklists are designed to include mappings to regulatory, or other, IS control coding schemes, which standardizes reporting for audit and compliance purposes.

NIST has published that vendors that adhere to these standards-based languages, and that also support the additional standards (Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Vulnerability Enumeration (CVE), and Common Configuration Enumeration (CCE)), are to be considered SCAP tools that are compliant for procurement purposes and that satisfy requirements traceability mandates.

OMB guidance compliance for Enterprise and Federal Core image desktop configurations made simple!

© 2008 Secure Elements All Rights Reserved.