FDCC

1 August 2007 Update

Matt BarrettNational Institute of Standards and Technology

Current State of Compliance and Configuration ManagementBasis for SCAPSCAP PrimerUse of SCAP during FDCC TestingAccomplishing FDCC with SCAPRelationship Between FDCC and SCAP Product ComplianceApplicability for SCAP Beyond FDCCConclusion

Agenda

Current Compliance and Configuration ManagementSOX

???

HIPAA

???

Windows XP

SP1

SP2

Enterprise

Mobile

Stand Alone

SSLF

High

Moderate

Low

OS orApplication

Version/Role

Major PatchLevel

Environment Impact Ratingor MAC/CONF

Agency TailoringMgmt, Operational, Technical

Risk Controls

Millions ofsettings tomanage

ISO

17799/27001

???

DoD

DoD IA Controls

DISA STIGS& Checklists

COMSEC ‘97

NSA Req

NSA Guides

Vendor

Guide

FISMA

SP 800-53

SP 800-68

3rd Party

Guide

Finite Set of Possible Known IT Risk Controls & Application Configuration Options

DCID

DCID6/3

AgencyGuides

Corresponding OMB Memo to CIOs:• Requires, “Implementing andautomating enforcement of theseconfigurations;”•“NIST has established a program todevelop and maintain common securityconfigurations for many operatingsystems and applications, and the“Security Content Automation[Protocol]” can help your agency usecommon security configurations.Additionally, NIST’s revisions to SpecialPublication 800-70, “SecurityConfiguration Checklist Program for ITProducts,” will provide your agencyadditional guidance for implementingcommon security configurations. Foradditional information about NIST’sprograms, please contact StephenQuinn, at Stephen.Quinn@nist.gov.”

OMB Memo M-07-11Implementation of Commonly Accepted Security Configurations forWindows Operating Systems

CVECommonVulnerabilityEnumeration

Standard nomenclature anddictionary of security related softwareflaws

CCECommonConfigurationEnumeration

Standard nomenclature anddictionary of softwaremisconfigurations

CPE Common PlatformEnumeration

Standard nomenclature anddictionary for product naming

XCCDF

eXtensibleChecklistConfigurationDescription Format

Standard XML for specifyingchecklists and for reporting results ofchecklist evaluation

OVALOpen VulnerabilityAssessmentLanguage

Standard XML for test procedures

CVSSCommonVulnerabilityScoring System

Standard for measuring the impact ofvulnerabilities

Cisco, Qualys,Symantec, Carnegie

Mellon University

Security Content Automation ProtocolStandardizing How We Communicate

AssetManagement

Vulnerability Management

ConfigurationManagement

CVE

CPE CCESCAP

OVALCVSS

Compliance Management

XCCDF

Misconfiguration

Integrating IT and IT Security Through SCAP

50 million hits per year20 new vulnerabilities per dayMis-configuration cross references to:

NIST SP 800-53 Security Controls(All 17 Families and 163 controls)DoD IA ControlsDISA VMS Vulnerability IDsGold Disk VIDsDISA VMS PDI IDsNSA ReferencesDCIDISO 17799

Reconciles software flaws from:US CERT Technical AlertsUS CERT Vulnerability Alerts(CERTCC)MITRE OVAL Software FlawChecksMITRE CVE Dictionary

Produces XML feed for NVD content

In response to NIST being named inthe Cyber Security R&D Act of 2002Encourages vendor development andmaintenance of security guidanceCurrently hosts 112 separate guidancedocuments for over 125 IT productsParticipating organizations: DISA,NSA, NIST, Hewlett-Packard, CIS,ITAA, Oracle, Sun, Apple, Microsoft,Citadel, LJK, Secure Elements,ThreatGuard, MITRE Corporation, G2,Verisign, Verizon Federal, Kyocera,Hewlett-Packard, ConfigureSoft,McAfee, etc.Translating this backlog of checklistsinto the Security Content AutomatingProtocol (SCAP)

Existing Federal ServicesStandardizing What We Communicate

Report XCCDFPlatform CPE Misconfiguration CCE

Software Flaw CVE

Checklist XCCDFPlatform CPE Misconfiguration CCE

Software Flaw CVE

General Impact CVSS

General Impact CVSS

Specific Impact CVSSResults

Specific Impact CVSSResults

Test Procedures OVAL

How SCAP Works

Patches OVAL

COTS/GOTSTools

FDCC Testing

1. Implement FDCC settings onvirtual machine images

2. Use SCAP to verify FDCC settingswere implemented correctly

Windows XPWindows VistaWindows XP FirewallWindows Vista FirewallInternet Explorer 7.0

3. Reconcile any “failed” SCAP tests

4. Record any exceptions

Generate FDCC compliance and deviationreports

Monitor previous implementations for FDCCcompliance

Assess new implementations for FDCCcompliance

Test to ensure products do not change theFDCC settings

FunctionProductTeams

OperationsTeams

Accomplishing FDCC with SCAP

Quote from OMB Memo Establishment of Windows XP and VISTA Virtual Machine andProcedures for Adopting the Federal Desktop Core Configurations“Information technology providers must use S-CAP validated tools, as theybecome available, to certify their products do not alter these configurations,and agencies must use these tools when monitoring use of theseconfigurations. “

“The provider of information technology shallcertify applications are fully functional andoperate correctly as intended on systems usingthe Federal Desktop Core Configuration (FDCC).This includes Internet Explorer 7 configured tooperate on Windows XP and Vista (in ProtectedMode on Vista).“

“Applications designed for normal end users shallrun in the standard user context without elevatedsystem administration privileges.”

“The National Institute of Standards and Technology(NIST) and the Department of Homeland Securitycontinue to work with Microsoft to establish a virtualmachine to provide agencies and informationtechnology providers’ access to Windows XP andVISTA images. The images will be pre-configuredwith the recommended security settings for testand evaluation purposes to help certifyapplications operate correctly. “

OMB Memo M-07-18Ensuring New Acquisitions Include Common Security Configurations

OMB 31 July 2007 Memo to CIOsEstablishment of Windows XP and VISTA Virtual Machine and Proceduresfor Adopting the Federal Desktop Core Configurations

“As we noted in the June 1, 2007 follow-up policymemorandum M-07-18, “Ensuring New Acquisitions IncludeCommon Security Configurations,” a virtual machinewould be established “to provide agencies andinformation technology providers’ access to WindowsXP and VISTA images.” The National Institute ofStandards and Technology (NIST), Microsoft, theDepartment of Defense, and the Department of HomelandSecurity have now established a website hosting the virtualmachine images, which can be found at:http://csrc.nist.gov/fdcc.”

“Your agency can now acquire information technologyproducts that are self-asserted by information technologyproviders as compliant with the Windows XP & VISTAFDCC, and use NIST’s Security Content AutomationProtocol (S-CAP) to help evaluate providers’ self-assertions. Information technology providers must useS-CAP validated tools, as they become available, tocertify their products do not alter these configurations,and agencies must use these tools when monitoringuse of these configurations.”

The Relationship Between FDCC andSCAP Product Compliance

Federal AgencyProduct Vendor

Self Asserts

FDCC Compliance

SCAPCompliantProducts

SCAP Product

Self Asserts

SCAP Compliance

NVLAP

Test Effort

SCAPCompliantProduct+ = Compliant with M-07-18?

Implement Product?+FDCC Virtual

Machine ImageStakeholders Value

Determine security control effectiveness (i.e.,controls implemented correctly, operating as

intended, meeting security requirements)

SP 800-53A

AssessSecurity Controls

Continuously track changes to the informationsystem that may affect security controls and

reassess control effectiveness

SP 800-37 / SP 800-53A

MonitorSecurity Controls

Document in the security plan, the securityrequirements for the information system and

the security controls planned or in place

SP 800-18

DocumentSecurity Controls

SP 800-37

AuthorizeInformation System

Determine risk to agency operations, agencyassets, or individuals and, if acceptable,authorize information system operation

SP 800-53 / SP 800-30

SupplementSecurity Controls

Use risk assessment results to supplement thetailored security control baseline as needed toensure adequate security and due diligence

FIPS 200 / SP 800-53

SelectSecurity Controls

Select baseline (minimum) security controls toprotect the information system; apply tailoring

guidance as appropriate

Implement security controls; applysecurity configuration settings

ImplementSecurity Controls

SP 800-70

Define criticality /sensitivity ofinformation system according to

potential impact of loss

FIPS 199 / SP 800-60

CategorizeInformation System

Starting Point

Federal Risk Management Framework

<Group id="IA-5" hidden="true"> <title>Authenticator Management</title> <reference>ISO/IEC 17799: 11.5.2, 11.5.3</reference> <reference>GAO FISCAM: AC-3.2</reference> <reference>DOD 8500.2: IAKM-1, IATS-1</reference> <reference>DCID 6/3: 4.B.2.a(7), 4.B.3.a(11)</reference></Group>

<Rule id="minimum-password-length" selected="false"weight="10.0">

<reference>CCE-100</reference> <reference>DISA STIG Section 5.4.1.3</reference> <reference>DISA Gold Disk ID 7082</reference> <reference>PDI IAIA-12B</reference> <reference>800-68 Section 6.1 - Table A-

1.4</reference> <reference>NSA Chapter 4 - Table 1 Row 4</reference> <requires idref="IA-5"/> [pointer to OVAL test procedure]</Rule>

Rational for securityconfiguration

Traceability to Mandates

Traceability to Guidelines

Compliance Traceability within SCAP

Enables interoperability for products and servicesof various manufacture

Standardizes how computers communicatevulnerability information – the protocol

Feature Benefit

Standardizes what vulnerability informationcomputers communicate – the content

Enables repeatability across products andservices of various manufactureReduces content-based variance in operationaldecisions and actions

Based on open standards Harnesses the collective brain power of themasses for creation and evolutionCreated and evolved with the broadestperspective

Utilizes configuration and assetmanagement standards

Mobilizes asset inventory and configurationinformation for use in vulnerability and compliancemanagement

Applicable to Federal Risk ManagementFramework – Assess, Monitor, Implement

Reduces time, effort, and expense of riskmanagement process

Traceable to security mandates andguidelines

Automates portions of compliance demonstrationand reporting

Keyed on NIST SP 800-53 security controls Automates portions of FISMA compliancedemonstration and reporting

SCAP Value

DHS Providing fundingNVD partner, Supplying threat and patch info

NSA Providing resourcesApplying the technology

DISAProviding resources, Integrating into Host BasedSystem Security (HBSS) and Enterprise SecuritySolutions

OSD Incorporating into Computer Network Defense(CND) Data Strategy

DOJ Incorporating into FISMA Cyber SecurityAssessment and Management (CSAM) tool

ArmyIntegrating Asset & Vulnerability TrackingResource (AVTR) with DoD and SCAP content,Contributing patch dictionary

DOS Incorporating into security posture by mappingSCAP to certification and accreditation process

Stakeholders and Contributors

3rd Annual Security Automation Conference and Expo19-20 SeptemberSpeakers

The Honorable Karen S. Evans (OMB)Robert F. Lentz DAS DIIA (OSD)Cita Furlani, Director ITL (NIST)Tim Grance, Program Manager (NIST)Dennis Heretick, CISO (DoJ)Richard Hale, CIAO (DISA)Sherrill Nicely, Deputy Associate Director (DNI)Alan Paller, Director of Research (SANS)Tony Sager, Chief (NSA)Ron Ross, Program Manager (NIST)

ExpoTechnology DemonstrationsBeta Testing and Use Case Presentation

Upcoming Events

http://csrc.nist.gov/fdccNIST FDCC Web Site

• FDCC Settings

• Virtual Machine Images

• FDCC SCAP Checklists

• Group Policy Objects

• SCAP Checklists

• SCAP Capable Products

http://checklists.nist.govNational Checklist Program

National Vulnerability Database http://nvd.nist.gov

More Information

100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930

ISAP NIST Project Lead NVD Project LeadSteve Quinn Peter Mell(301) 975-6967 (301) 975-5572

stephen.quinn@nist.gov mell@nist.gov

Senior Information Security Researchers and Technical SupportKaren Scarfone Murugiah Souppaya (301) 975-8136 (301) 975-4758 karen.scarfone@nist.gov murugiah.souppaya@nist.govMatt Barrett Information and Feedback(301) 975-3390 Web: http://nvd.nist.gov/scapmatthew.barrett@nist.gov Comments: scap-update@nist.gov

Contact Information

National Institute of Standards & TechnologyInformation Technology Laboratory

Computer Security Division

Questions

Supplemental – Connecting Compliancewith Platform Assessment

Application to Automated ComplianceThe Connected Path

Result800-53 Security Control

800-68 Security Guidance

ISAP Produced SecurityGuidance in XML Format

COTS Tool Ingest

API Call

Result

AC-7 Unsuccessful Login Attempts

AC-7: Account Lockout DurationAC-7: Account Lockout Threshold

- <registry_test id="wrt-9999"comment=“Account Lockout Duration Set to5" check="at least 5">- <object> <hive>HKEY_LOCAL_MACHINE</hive> <key>Software\Microsoft\Windows</key> <name>AccountLockoutDuration</name> </object>- <data operation="AND"> <value operator=“greater than">5*</value>

lpHKey = “HKEY_LOCAL_MACHINE”Path = “Software\Microsoft\Windows\”Value = “5”sKey = “AccountLockoutDuration”Op = “>“

800-53 Security ControlDoD IA Control

800-68 Security GuidanceDISA STIG/Checklist

NSA Guide

ISAP Produced SecurityGuidance in XML Format

COTS Tool Ingest

API Call

RegQueryValue (lpHKey, path, value, sKey,Value, Op);If (Op == ‘>” )if ((sKey < Value )return (1); elsereturn (0);

Application to Automated ComplianceThe Connected Path

Supplemental – SCAPPlatform Assessment Tutorial

XML Made Simple

XCCDF - eXtensible CarCare Description Format

OVAL – Open VehicleAssessment Language

<Car> <Description> <Year> 1997 </Year> <Make> Ford </Make> <Model> Contour </Model> <Maintenance> <Check1> Gas Cap = On <> <Check2>Oil Level = Full <> </Maintenance> </Description></Car>

<Checks> <Check1> <Location> Side of Car <> <Procedure> Turn <> </Check1> <Check2> <Location> Hood <> </Procedure> … <> </Check2></Checks>

Error Report

Problem: Air Pressure Loss

Diagnosis Accuracy:All Sensors Reporting

Expected Cost: $25.00

Diagnosis:Replace Gas Cap

XML Made SimpleXCCDF - eXtensibleChecklist ConfigurationDescription Format

OVAL – Open VulnerabilityAssessment Language

<Document ID> NIST SP 800-68 <Date> 04/22/06 </Date> <Version> 1 </Version> <Revision> 2 </Revision> <Platform> Windows XP <> <Check1> Password >= 8 <> <Check2> Win XP Vuln <> </Maintenance> </Description></Car>

<Checks> <Check1> <Registry Check> … <> <Value> 8 </Value> </Check1> <Check2> <File Version> … <> <Value> 1.0.12.4 </Value> </Check2></Checks>

CVECCECPE

Supplemental – FAQ for NISTFISMA Documents

Fundamental FISMA QuestionsWhat are the NIST Technical Security

Controls?

What are the Specific NIST recommendedsettings for individual technical controls?

Am I compliant to NIST Recs & Can I usemy COTS Product?

How do I implement the recommendedsetting for technical controls? Can I use my

COTS Product?

Will I be audited against the same criteria Iused to secure my systems?

What are the NIST Technical SecurityControls?

What are the Specific NIST recommendedsettings for individual technical controls?

Am I compliant to NIST Recs & Can I usemy COTS Product?

How do I implement the recommendedsetting for technical controls? Can I use my

COTS Product?

Will I be audited against the same criteria Iused to secure my systems?

SP 800-18

Security ControlDocumentation

FIPS 200 / SP 800-53

Security ControlSelection

SP 800-53A / SP 800-26/ SP 800-37

Security ControlAssessment

SP 800-53 / FIPS 200 / SP 800-30

Security ControlRefinement

SP 800-37

SystemAuthorization

SP 800-37

Security ControlMonitoring

Security ControlImplementation

SP 800-70

Fundamental FISMA Documents