Automating STIGs: The Transition to CCI and SRG

Nov 5, 2013

Defense Information Systems Agency

A Combat Support Agency

UNCLASSIFIED

UNCLASSIFIED

DISA Field Security Operations

17 August 2011

Automating STIGs: The Transition to CCI and SRG



Agenda

- What problems did we see?
- Automation of STIGs
- CCIs
- SRGs & Automation
- Future Direction
- Q&A


What problems did we see?

Secure Product Development
- No master list of all requirements for products
- Vendors do not know, in detail, what requirements they have to meet
- Not knowing “when they are done”

IA Compliance Reporting
- Determining compliance statistics
- Inability to validate that all requirements are addressed in current checklists
- Inconsistent reporting of findings and compliance status

Security Guide Development
- High demand for new and updated security guidance
- Duplication of requirements
- Vague / general guidance in DoD IA Controls
- Various interpretations of the requirements
- Requirements not written in a measurable format
- Inconsistency in documents from different sources
- Content authors have to interpret the policies to determine what requirements they have to address; not knowing “when they are done”



Automating STIGs: DISA Campaign Plan

Task 1.1.4.2.2.2
Title: Change the DISA Security Technical Implementation Guides (STIGs) so they are machine consumable and support automatic configuration management tools.


Our Way Ahead: CND Data Strategy and Security Content Automation Protocol (SCAP)

A standards-based approach to develop IA configuration guidance, publish IA guidance, assess assets, and report compliance.

Benefits
- Enables the vendor community to develop standardized guidance once for use by all communities
- Allows more commercial assessment tools to utilize DoD configuration guidance
- Requires less time to develop and publish additional guidance


Transformation Progress

- Combination of STIG and Checklist into a STIG that looks like a Checklist but has the authority of the STIG
- Publication of DoD content (STIGs) in eXtensible Configuration Checklist Description Format (XCCDF)
  - XCCDF is an XML definition of a checklist
  - One of the NIST SCAP protocols
- Mapping STIGs to the new DoD Control Set
- Breakdown of the DoD Control Set into measurable Control Correlation Identifiers (CCI)
- Publication of automated benchmarks for use in SCAP tools (e.g., HBSS Policy Auditor)



Control Correlation Identifiers (CCI)


First Phase CCI Creation

What is a Control Correlation Identifier (CCI)?
- Based on NIST SP 800-53
- Decomposition of an IA Control or an IA industry best practice into single, actionable statements
- A foundational element of an IA policy or standard, written with a neutral position on an IA practice so as not to imply the specifics of the requirement
- Not specific to a product or a Common Platform Enumeration (CPE)
- CCI links requirements to policy
  - Reduces ambiguity for consumers
- CCI should not require any changes to SCAP tools
  - CCI is used as a reference
- The CCI List is a collection of CCI Items, which express common IA practices or controls at the federal level
- The CCI data specification is proposed to work in conjunction with the National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP)

Status of CCI
- Initial draft list of CCIs complete
- Reference Security Requirements Guides to CCIs
- VMS changes to accommodate CCIs/SRG



CCI Use Cases

Secure Product Development
- Vendors can use CCI to incorporate security requirements into their products as part of the development cycle
- They ‘will know when they are done’

IA Compliance Reporting
- CCI allows detailed reporting of compliance to IA Controls, including the ability to report partial compliance

Security Guide Development
- The CCI data model in VMS will support dynamic STIG generation based on asset characteristics
- Supports consistent guide development from external sources


CCI Business Rules

A CCI must meet certain criteria to be considered a valid CCI.

- Single requirement: the CCI represents a single capability that was decomposed from the source policy document.
- Actionable: the CCI represents an action that can be taken against the system or an organizational policy.
- Measurable: the action that the CCI is describing will be something that can be determined or measured.

Example: The organization manages information system authenticators for users and devices by establishing minimum password length requirements.



Decomposition of New Controls > Requirements

NIST SP 800-53v3

IA-5 AUTHENTICATOR MANAGEMENT
Control: The organization manages information system authenticators for users and devices by: Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator; Establishing initial authenticator content for authenticators defined by the organization; Ensuring that authenticators have sufficient strength of mechanism for their intended use; Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; Changing default content of authenticators upon information system installation; Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate); Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; Protecting authenticator content from unauthorized disclosure and modification; and Requiring users to take, and having devices implement, specific measures to safeguard authenticators.

Control Correlation Identifiers
A decomposition of an IA Control or an IA industry best practice into single, actionable statements:
- CCI-000213: The organization enforces minimum password length.
- CCI-000197: The organization enforces password complexity by the number of special characters used.
- CCI-000188: The organization manages information system authenticators for users and devices by establishing the time period for changing/refreshing authenticators.
- CCI-000186: The organization manages information system authenticators for users and devices by establishing maximum lifetime restrictions for authenticators (if appropriate).
- CCI-xxxxxx: ………………………………


CCI > Security Automation: Our View

[Diagram] Left panel: IA Source Policy, SP 800-53, and the SCAP components CCE, CVE, and XCCDF. Right panel: IA Source Policy > CCI > SCAP Framework.


SRG


What is an SRG?

Security Requirement Guide:
- A compilation of CCIs
- Requirements grouped into more applicable, specific technology areas
- Documents baselines established by DoD through CNSS 1253
- Layer to bridge the gap between policy, STIGs, and tools
- Provides DoD specificity to CCI requirements
- Non-vendor specific
- No check and fix, just the requirement
- Can be used by guide developers to build STIGs
- Product vendors can use the SRG to develop product-specific guidance and submit it to DoD for validation before it is used in the C&A process
- Can be further broken down into technology SRGs


Requirements Guides & CCI

[Diagram] DoD Policy Document and NIST SP 800-53v3 > Control Correlation Identifier (CCI) > Security Requirements Guide > Applications | Operating Systems | Network Infrastructure Devices | Organizational Policy


Security Requirements Guide (SRG)

- Efforts began in 2010 and will continue
  - Used the UNIX STIG (UNIX SRG Profile) update to flesh out the process/concept
- Planned for FY11
  - Network SRG
  - Operating System SRG
  - Application SRG
  - Policy SRG
- Will be expressed in XCCDF to automate the generation of guidance documents (SRG and STIGs)
- A method to convey additional technology-specific details about the CCIs to product vendors by using SRG Baselines
  - Provides the necessary details or values (organizationally defined parameters)
- SRG not intended for use for assessments; STIGs will be used for assessments



Status: Process Changes

[Diagram] DoD Policy (DoD 8500 Series, IAVMs, CTO’s, SP 800-53 & CNSS 1253, CJCSM & more…) > Analyze Policies ONCE for each Product Family to identify requirements and implementation guidance > Security Requirement Guides and STIGs (4 SRGs, additional SRGs, unlimited STIGs) > Publish Guidance (45,000+ vulnerabilities and requirements in VMS)

Product Families:
- Operating Systems
- Applications
- Network Infrastructure
- Non-Computing & Policy
- Additional Requirements: Child SRGs

Status:
- High demand for new and updated security guidance
- Automated process to author guidance
- Define requirements once, use them many times
- Saves time and allows for better resource utilization


Draft SRGs

- Overview “TIM” was held on 28 Jun 11
  - High interest/attendance
- Network and Application SRGs
  - Comment period over 12 Jul
- Policy SRG (Pt 1) and OS SRG
  - Comments due early August
- Working with NSA to map the Network SRG to the Network Device PP



Requirements > SRGs

CCI List:
- CCI-000213: The organization enforces minimum password length.
- CCI-000197: The organization enforces password complexity by the number of special characters used.
- CCI-000188: The organization manages information system authenticators for users and devices by establishing the time period for changing/refreshing authenticators.
- CCI-000186: The organization manages information system authenticators for users and devices by establishing maximum lifetime restrictions for authenticators (if appropriate).
- CCI-xxxxxx: ………………………………

[Diagram] The CCI List feeds four SRGs. The Operating System SRG, Network SRG, and Application SRG each carry the same CCIs as stated above (“The organization enforces…”). The Policy SRG carries the organizational counterpart of each:
- CCI-000213: The organization defines minimum password length.
- CCI-000197: The organization defines password complexity by the number of special characters used.
- CCI-000188: The organization defines information system authenticators for users and devices by establishing the time period for changing/refreshing authenticators.
- CCI-000186: The organization defines information system authenticators for users and devices by establishing maximum lifetime restrictions for authenticators (if appropriate).
- CCI-xxxxxx: ………………………………





Requirements > SRGs (continued)

[Diagram] The same CCI set (CCI-000213 minimum password length, CCI-000197 password complexity by the number of special characters used, CCI-000188 time period for changing/refreshing authenticators, CCI-000186 maximum lifetime restrictions for authenticators, CCI-xxxxxx …) appears in the Operating System SRG, Network SRG, and Application SRG in its “enforces” form and in the Policy SRG in its “defines” form. The Application SRG is further broken down into child SRGs, each of which repeats the same CCI set:
- Database SRG
- Web Server SRG
- eMail Server SRG
- App Server SRG

Technology SRGs > Configs

Web Server SRG (the requirement, with no organizationally defined value yet):
- CCI-000213: The organization enforces minimum password length.
- CCI-000197: The organization enforces password complexity by the number of special characters used.
- CCI-000188: The organization manages information system authenticators for users and devices by establishing the time period for changing/refreshing authenticators.
- CCI-000186: The organization manages information system authenticators for users and devices by establishing maximum lifetime restrictions for authenticators (if appropriate).
- CCI-xxxxxx: ………………………………

Web Server SRG configurations supply the value; the other CCIs are carried unchanged:
- Web Server SRG Config 1: CCI-000213: The organization enforces minimum password length of 18
- Web Server SRG Config 2: CCI-000213: The organization enforces minimum password length of 15
- Web Server SRG Config 3-8: CCI-000213: The organization enforces minimum password length of 12
- Web Server SRG Config 9-12: CCI-000213: The organization enforces minimum password length of 8

Product STIGs instantiate a configuration, pairing each CCI with a CCE (CCI-xxxxxxx - CCE, ……..):
- Apache 2.0 Win STIG: Config 1
- Apache 2.0 Win STIG: Config 2
- IIS 6 STIG: Config 3-8
- IIS 7 STIG: Config 9-12
- Apache 2.0 Unix STIG: Config 1

STIGs contain the Product Specific Check and Fix Information.
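The Transformation Progress slide says STIGs are published in XCCDF, "an XML definition of a checklist", and this slide shows one SRG requirement (CCI-000213) fanning out into four configurations that differ only in the minimum password length. The following added example, which is not part of the DISA deck and not DISA content, shows how XCCDF expresses exactly that: one Rule carrying the CCI as an `<ident>`, one `<Value>` holding the organizationally defined parameter, and one `<Profile>` per configuration that refines the Value. The element names (Benchmark, Profile, Value, Rule, ident, select, refine-value, check, check-export) and the XCCDF 1.2 and OVAL namespace URIs are real; the benchmark content, the ids, the CCI ident system URI, and the OVAL variable and definition names are constructed assumptions for this demonstration, and the OVAL check itself is replaced by a one-line comparison.

```python
# Added example (not from the DISA deck): a constructed XCCDF 1.2-style benchmark
# that states one SRG requirement once and lets each configuration profile
# refine the organizationally defined value. Element names are real XCCDF
# elements; the ids, the CCI ident system URI and the OVAL names are assumptions.
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # real XCCDF 1.2 namespace
NS = {"x": XCCDF_NS}
CCI_SYSTEM = "http://cyber.mil/cci"                 # assumed ident system URI for CCIs
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"  # real OVAL check system
VALUE_ID = "xccdf_example_value_min_pw_len"         # assumed Value id
RULE_ID = "xccdf_example_rule_min_pw_len"           # assumed Rule id

# The four Web Server SRG configurations on the slide: one rule, four values.
CONFIGS = {"config1": 18, "config2": 15, "config3-8": 12, "config9-12": 8}


def _profile_xml(selector: str) -> str:
    """One <Profile> per configuration: it selects the rule and refines the value."""
    return (f'  <Profile id="xccdf_example_profile_{selector}">\n'
            f'    <title>Web Server SRG Config {selector[6:]}</title>\n'
            f'    <select idref="{RULE_ID}" selected="true"/>\n'
            f'    <refine-value idref="{VALUE_ID}" selector="{selector}"/>\n'
            f'  </Profile>\n')


# Constructed benchmark text: profiles, then the shared Value, then the Rule.
BENCHMARK_XML = (
    f'<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_web_server_srg">\n'
    + "".join(_profile_xml(s) for s in CONFIGS)
    + f'  <Value id="{VALUE_ID}" type="number">\n'
    + '    <title>Minimum password length</title>\n'
    + '    <value>8</value>\n'   # default used when no profile refines the value
    + "".join(f'    <value selector="{s}">{n}</value>\n' for s, n in CONFIGS.items())
    + '  </Value>\n'
    + f'  <Rule id="{RULE_ID}" severity="medium">\n'
    + '    <title>The organization enforces minimum password length.</title>\n'
    + f'    <ident system="{CCI_SYSTEM}">CCI-000213</ident>\n'
    + f'    <check system="{OVAL_SYSTEM}">\n'
    + f'      <check-export value-id="{VALUE_ID}" export-name="oval:example:var:1"/>\n'
    + '      <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>\n'
    + '    </check>\n'
    + '  </Rule>\n'
    + '</Benchmark>\n'
)


def _value_text(root, value_id: str, selector):
    """Pick the <value> whose selector matches; fall back to the selector-less default."""
    node = root.find(f"x:Value[@id='{value_id}']", NS)
    default = None
    for v in node.findall("x:value", NS):
        if v.get("selector") == selector:
            return v.text
        if v.get("selector") is None:
            default = v.text
    return default


def resolve_profile(profile_id: str) -> dict:
    """Return {rule id: {"ccis": [...], "params": {export name: value}}} for one profile."""
    root = ET.fromstring(BENCHMARK_XML)
    prof = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if prof is None:
        raise KeyError(f"no such profile: {profile_id}")
    selected = {s.get("idref") for s in prof.findall("x:select", NS) if s.get("selected") == "true"}
    selectors = {r.get("idref"): r.get("selector") for r in prof.findall("x:refine-value", NS)}
    resolved = {}
    for rule in root.findall("x:Rule", NS):
        if rule.get("id") not in selected:
            continue
        ccis = [i.text for i in rule.findall("x:ident", NS) if i.get("system") == CCI_SYSTEM]
        params = {}
        for exp in rule.findall("x:check/x:check-export", NS):
            vid = exp.get("value-id")
            params[exp.get("export-name")] = _value_text(root, vid, selectors.get(vid))
        resolved[rule.get("id")] = {"ccis": ccis, "params": params}
    return resolved


def min_password_length(profile_id: str) -> int:
    """The value the named configuration hands to the check for CCI-000213."""
    return int(resolve_profile(profile_id)[RULE_ID]["params"]["oval:example:var:1"])


def evaluate(profile_id: str, observed_min_length: int) -> dict:
    """Constructed stand-in for the OVAL check: the asset's configured minimum
    must be at least the profile's value. Results are keyed by CCI, which is
    the granularity compliance reporting against the IA Control needs."""
    results = {}
    for rule in resolve_profile(profile_id).values():
        required = int(rule["params"]["oval:example:var:1"])
        status = "compliant" if observed_min_length >= required else "non-compliant"
        for cci in rule["ccis"]:
            results[cci] = status
    return results


if __name__ == "__main__":
    for selector in CONFIGS:
        pid = f"xccdf_example_profile_{selector}"
        print(pid, min_password_length(pid), evaluate(pid, 14))
```

Because the requirement text and the CCI ident live on the Rule while the value lives in the Value, the STIG author writes the rule once and a new configuration costs one Profile element; an assessment tool that understands XCCDF resolves the profile and exports the value into the OVAL check without any CCI-specific support, which is the "CCI should not require any changes to SCAP tools" point from the CCI slide.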



Applying Technology SRGs > Assets

Vulnerability Management System (VMS)

Asset posture shown on the slide: Windows 2003 running an IIS 6 Web Server with Web Site 1, Web Site 2, and Web Site 3, at Config 2.

SRGs held in VMS (Operating System SRG, Network SRG, Application SRG, Database SRG, Web SRG, eMail SRG), each carrying the CCI set:
- CCI-000213: The organization enforces minimum password length.
- CCI-000197: The organization enforces password complexity by the number of special characters used.
- CCI-000188: The organization manages information system authenticators for users and devices by establishing the time period for changing/refreshing authenticators.
- CCI-000186: The organization manages information system authenticators for users and devices by establishing maximum lifetime restrictions for authenticators (if appropriate).
- CCI-xxxxxx: ………………………………

Web Server SRG configurations:
- Web Server SRG Config 1: CCI-000213: The organization enforces minimum password length of 18
- Web Server SRG Config 2: CCI-000213: The organization enforces minimum password length of 15
- Web Server SRG Config 9-12: CCI-000213: The organization enforces minimum password length of 12

1. Apply Asset Posture to VMS CCI / SRG / Technology SRG Information
2. VMS Returns Asset Specific Requirements based on Technologies and Configurations

Asset-specific requirements returned for this posture:

IIS 6 STIG, Config 2
- CCI-000213: The organization enforces minimum password length of 15 > CCE000
- CCI-000186: The organization manages information system authenticators for users and devices by establishing maximum lifetime restrictions for authenticators (if appropriate). > CCE001
- CCI-xxxxxx: ………………………………

Windows 2003 STIG, Config 2
- CCI-000213: The organization enforces minimum password length of 15 > CCE099
- CCI-000186: The organization manages information system authenticators for users and devices by establishing maximum lifetime restrictions for authenticators (if appropriate). > CCE187
- CCI-xxxxxx: ………………………………
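The two numbered steps above (apply the asset posture, get back asset-specific requirements) and the CCI Use Cases slide's promise of "the ability to report partial compliance" fit together once the data model is written down. The following added example is not DISA or VMS code; it models the slide's asset (Windows 2003 host, IIS 6 web server, Config 2) as a posture, selects the STIG checks that posture pulls in, and rolls check results up to the CCI level so that a CCI satisfied by one STIG but not the other shows as partial. The STIG and CCE names mirror the slide's placeholders; the setting names, the 60-day maximum lifetime value for CCI-000186, the technology-to-STIG mapping and the observed settings are all constructed for the demonstration.

```python
# Added example (not from the DISA deck, not VMS code): asset posture -> applicable
# STIG checks -> per-check results -> per-CCI rollup with partial compliance.
# Every identifier and value below is constructed; CCE ids copy the slide's placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    stig: str        # product STIG the check belongs to
    config: str      # SRG configuration the STIG instantiates
    cce: str         # CCE naming the configuration item (placeholder from the slide)
    cci: str         # CCI the check provides evidence for
    setting: str     # observable setting name (constructed)
    required: int    # organizationally defined value (constructed)
    kind: str        # "min": observed >= required passes; "max": observed <= required passes


# Constructed catalogue. Minimum length 15 is the slide's Config 2 value; the
# 60-day maximum lifetime for CCI-000186 is an assumed value, not DISA's.
CATALOGUE = [
    Check("Windows 2003 STIG", "Config 2", "CCE099", "CCI-000213", "min_password_length", 15, "min"),
    Check("Windows 2003 STIG", "Config 2", "CCE187", "CCI-000186", "max_password_age_days", 60, "max"),
    Check("IIS 6 STIG", "Config 2", "CCE000", "CCI-000213", "min_password_length", 15, "min"),
    Check("IIS 6 STIG", "Config 2", "CCE001", "CCI-000186", "max_password_age_days", 60, "max"),
]

# Technology named in the asset posture -> STIG that covers it (constructed mapping).
TECH_TO_STIG = {"Windows 2003": "Windows 2003 STIG", "IIS 6": "IIS 6 STIG"}


def applicable_checks(posture: dict) -> list:
    """Step 1: apply the asset posture and return the checks that come back for it."""
    stigs = {TECH_TO_STIG[t] for t in posture["technologies"] if t in TECH_TO_STIG}
    return [c for c in CATALOGUE if c.stig in stigs and c.config == posture["config"]]


def evaluate_asset(posture: dict, observed: dict) -> list:
    """Step 2: score each applicable check against settings observed per STIG."""
    results = []
    for c in applicable_checks(posture):
        value = observed.get(c.stig, {}).get(c.setting)
        if value is None:
            status = "not_reviewed"          # nothing observed: never silently pass
        elif c.kind == "min":
            status = "pass" if value >= c.required else "fail"
        else:
            status = "pass" if value <= c.required else "fail"
        results.append({"stig": c.stig, "cce": c.cce, "cci": c.cci, "status": status})
    return results


def cci_rollup(results: list) -> dict:
    """Roll check results up to the CCI: compliant, non-compliant, or partial."""
    by_cci = {}
    for r in results:
        by_cci.setdefault(r["cci"], []).append(r["status"])
    rollup = {}
    for cci, statuses in by_cci.items():
        if all(s == "pass" for s in statuses):
            rollup[cci] = "compliant"
        elif all(s == "fail" for s in statuses):
            rollup[cci] = "non-compliant"
        else:
            rollup[cci] = "partial"          # mixed pass/fail/not_reviewed across STIGs
    return rollup


# Constructed asset from the slide: Windows 2003 host running IIS 6 at Config 2.
ASSET = {"technologies": ["Windows 2003", "IIS 6"], "config": "Config 2"}
# Constructed observations: the OS meets the 15-character minimum, the web server does not.
OBSERVED = {
    "Windows 2003 STIG": {"min_password_length": 15, "max_password_age_days": 60},
    "IIS 6 STIG": {"min_password_length": 12, "max_password_age_days": 60},
}

if __name__ == "__main__":
    for r in evaluate_asset(ASSET, OBSERVED):
        print(r)
    print(cci_rollup(evaluate_asset(ASSET, OBSERVED)))
```

The point of keeping the CCI on every check is the rollup: with the observations above, CCI-000213 reports as partial (the OS check passes, the web server check fails) instead of disappearing into two unrelated STIG findings, and an unobserved setting is reported as not reviewed rather than counted as a pass.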


STIG Automation Way Ahead

[Diagram] DoD Policy > CCI / SRG (STDs, Structure, Filtering) > Technology Family Security Requirements Guide (SRG), published from VMS (automated) > Technology STIG, automated with OVAL, direct entry into VMS > Guidance imported into tools (automated; common format for all SCAP tools) > Automated assessment > Assessment results uploaded to VMS (automated)

Content creation for the technology STIGs:
- FSO OVAL creation
- Content created by vendors, some with OVAL
- Content created by consensus, some with OVAL
- Develop OVAL automated content with the community


Future

[Diagram] SP 800-53 > Control Correlation Identifiers; DoD IA Policy Documents (CTO’s, CJCS Policy, DoD Directives & Instructions) > CCI > Security Requirements Guide (Policy SRG, OS SRG, App SRG, Networking SRG) > STIG (specific technology, products, and system guidance and procedures) > Checklists

System STIGs (NECC, NOC, DKO, SME/PED, DoD DMZ): input from multiple SRG source requirements is used to build system or specialized STIGs.

SCAP Standards: CVSS, CPE, CCE, CVE, XCCDF

STIGs shown in the diagram:
- STIGs: Generic OS, Solaris 10, z/OS, Red Hat 4, Windows XP
- STIGs: Enclave, T&D Zone B, Traditional Access Control, Data Center
- STIGs: App Development, MS IIS 6, Generic Application, Sametime Connect, Oracle 9i
- STIGs: Cisco Perimeter Router, IAP Reverse Proxy, Juniper DISN CORE PE Router, Nortel VoIP Phone, Generic Firewall

SRG hierarchy:
- OS SRG: Unix SRG | Win SRG
- Application SRG: DB SRG | Web SRG
- Network SRG: Router SRG | IDS SRG
- Policy SRG


Automation Status: Windows

- Automated Benchmarks (with OVAL) available for the following Windows platforms:
  - Windows XP
  - Windows Vista
  - Windows 2003 Domain Controller & Member Server
  - Windows 2008 Domain Controller & Member Server
  - Windows 7 (August release)
- Windows STIGs published in XCCDF for:
  - Windows 2003
  - Windows 2008
  - Windows XP
  - Windows Vista
  - Windows 7


Automation Status: UNIX

- OS SRG UNIX published 19 Nov 2010
- Automated Benchmarks (with OVAL) will be available for the following UNIX platforms by end of CY11:
  - Red Hat 4
  - Red Hat 5
  - Solaris 9
  - Solaris 10
  - HP-UX 11.23
  - HP-UX 11.31
  - AIX 5.3
  - AIX 6.1
- UNIX STIGs in XCCDF for all versions of UNIX


Future

- As SCAP evolves:
  - Use of SCAP Benchmarks for assessments
  - Use of IAVM Benchmarks for patch validation
  - Phase out of Gold Disk
  - Phase out of UNIX scripts



Questions?

Discussion


Security Content Automation Protocol

- CVE® - Common Vulnerabilities and Exposures: common naming of emerging vulnerabilities
- CCE™ - Common Configuration Enumeration: common naming of configuration (STIG) vulnerabilities
- CPE™ - Common Platform Enumeration: language to describe operating systems/platforms
- CVSS - Common Vulnerability Scoring System: scoring system to describe the severity of a vulnerability
- XCCDF - Extensible Configuration Checklist Description Format: XML definition of a checklist
- OVAL™ - Open Vulnerability and Assessment Language: common language for assessing the status of a vulnerability
- CCI - Control Correlation Identifiers: common identifier for policy-based requirements; currently not under the SCAP umbrella, but within the Framework

Data sources maintained in and published from the National Vulnerability Database (NVD)