AOH :: ISNQ5197.HTM

NIST lists SCAP-validated tools

NIST lists SCAP-validated tools
NIST lists SCAP-validated tools


http://www.gcn.com/online/vol1_no1/45794-1.html 

By William Jackson
GCN.com
02/06/08

A new Web page [1] hosted by the National Institute of Standards and 
Technology lists products that have been validated to scan the security 
configurations of Windows operating systems on federal desktop PCs.

The scanners use the Security Content Automation Protocol to check for 
compliance with the Federal Desktop Core Configuration (FDCC) standards. 
So far, three products have been validated by independent laboratories 
under NISTs National Voluntary Laboratory Accreditation Program.

The Office of Management and Budget required agencies that use Windows 
XP and Vista to comply with the FDCC by Feb. 1. OMB also required 
agencies to use SCAP scanning tools to ensure that configurations were 
not being altered.

Your agency can now acquire information technology products that are 
self-asserted by information technology providers as compliant with the 
Windows XP & Vista FDCC, and use NISTs Security Content Automation 
Protocol to help evaluate providers self-assertions, OMB wrote in a July 
31 memo to federal chief information officers. However, information 
technology providers must use SCAP-validated tools, as they become 
available, to certify their products do not alter these configurations, 
and agencies must use these tools when monitoring use of these 
configurations.

NIST developed SCAP in cooperation with the Defense and Homeland 
Security departments and Mitre Corp. to provide technical specifications 
for identifying, enumerating, assigning and sharing security-related 
data. Vendors have developed tools using the protocol to help automate 
IT security operations, but as with any protocol, proper implementation 
must be validated.

NIST established a SCAP validation program last summer, accrediting 
three laboratories, and the first FDCC scanners have recently been 
evaluated. The new page is hosted in NISTs National Vulnerability 
Database Web site. Currently validated products all scan only Windows XP 
Professional SP 2. They are:

    * SecureFusion v3.501 from Gideon Technologies Inc. of Duluth, Ga.

    * C5 Compliance Platform v. 3.3.1 from Secure Elements Inc. of 
      Herndon, Va.

    * Secutor Prime v2.0.4 from ThreatGuard Inc. of San Antonio.

Meanwhile, a number of other products are in the process of being 
evaluated.

Currently accredited laboratories are EWA-Canada, of Ottawa; SAIC 
Accredited Testing and Evaluation Laboratories, of Columbia, Md.; and 
ICSA Labs of Mechanicsburg, Pa.

[1] http://nvd.nist.gov/scapproducts.cfm 


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn

Site design & layout copyright © 1986- CodeGods