Associations

Revised Security Content Automation Protocol includes digital trust model.

National Institute of Standards & Technology Jul 21, 2011

Press Release Summary:



NIST Researchers released, for public comment, updated specifications for Security Content Automation Protocol (SCAP), which helps organizations effectively find and manage computer-system vulnerabilities by standardizing way vulnerabilities are identified, prioritized, and reported. SCAP has been updated to incorporate 3 new underlying specifications that add asset reporting, asset identification, and digital trust model to help ensure integrity of SCAP data itself.


Original Press Release:



New Version of Security Automation Protocol Includes Digital Trust Model



Researchers at the National Institute of Standards and Technology (NIST) have released for public comment updated specifications for the Security Content Automation Protocol (SCAP), which helps organizations find and manage computer-system vulnerabilities more effectively by standardizing the way vulnerabilities are identified, prioritized and reported.

SCAP unites and organizes a collection of computer security specifications and reference data to support automated security programs that check vulnerabilities in information systems, such as configuration errors, missing software "patches," misapplied security settings and many others. SCAP-based security tools are particularly valuable for securing large, complex information systems and organizations with many distributed computing systems.

System operations and security professionals use SCAP-based software products to determine the system's status, particularly information about software flaws and security configuration information in an efficient, accurate way. For example, SCAP enables automated assessment of software patches present on a system that identifies the potential security risk to an organization due to an unpatched vulnerability. Using SCAP, information system administrators can address critical vulnerabilities mitigating the risk of attack.

In The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 (NIST Special Publication 800-126 Revision 2) some underlying specifications have been enhanced in response to requests from SCAP content authors and product developers. SCAP has been updated to incorporate three new underlying specifications to the protocol that add asset reporting, asset identification and a digital trust model to help ensure the integrity of SCAP data itself.

The digital trust model in SP 800-126 Rev. 2 is described in the draft NIST Interagency Report 7802: Trust Model for Security Automation Data 1.0. The model has applications beyond the security automation environment. It permits users to establish integrity, authentication and traceability of security automation XML data using a 21st century version of a 17th century king's wax seal on a scroll. The trust model is based on existing specifications from the World Wide Web Consortium and describes features that will enhance the trustworthiness of information.

The U.S. federal government employs SCAP to support security activities and initiatives. Academia and private industry, such as finance, manufacturing and health care, also use the protocol as it provides a standardized situational awareness view of IT systems that can be used by system administrators, security officers and executives to make security decisions.

SCAP is expected to evolve and expand to support the growing needs to define and measure effective security controls, assess and monitor ongoing aspects of information security, and successfully manage systems in accordance with risk management frameworks such as NIST SP 800-53, Department of Defense Instruction 8500.2, and the Payment Card Industry (PCI) framework.

Authors request comments on both publications by August 1, 2011. The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 (NIST Draft Special Publication 800-126 Revision 2) can be found at csrc.nist.gov/publications/drafts/800-126r2/draft-SP800-126r2.pdf. Comments should be sent to 800-126comments@nist.gov with "Comments SP 800-126" in the subject line. Trust Model for Security Automation Data 1.0 can be found at csrc.nist.gov/publications/drafts/nistir-7802/Draft-nistir-7802.pdf. Comments should be sent to ir7802comments@nist.gov with "Comments IR 7802" in the subject line.

Media Contact: Evelyn Brown, evelyn.brown@nist.gov, 301-975-5661

White Papers & Case Studies

View All White Papers & Case Studies

View All Resources

All Topics

Manufacturing Innovation

Industry Trends

Engineering & Design

Sales & Marketing

Supply Chain

Career & Workforce

Company News

New Products

Thomas Index

Daily Bite

Find Suppliers, Insights, Tools and More...

Become part of North America's largest and most active network of B2B buyers and industrial/commercial suppliers.

Select From Over 500,000
Industrial Suppliers

Find and evaluate OEMs, Custom Manufacturers, Service Companies and Distributors.

Receive Daily
Industry Updates

Stay up to date on industry news and trends, product announcements and the latest innovations.

Search Over
6 Million Products

Find materials, components, equipment, MRO supplies and more.

Download 2D & 3D
CAD Models

10+ million models from leading OEMs, compatible with all major CAD software systems.
Start Sourcing Suppliers Claim Your Company Profile ico-arrow-default-right
Cookie Policy
Close
Thomas uses cookies to ensure that we give you the best experience on our website. By using this site, you agree to our Privacy Statement and our Terms of Use.
Accept