NIST encourages agencies to adopt SCAP
The National Institute of Standards and Technology has new guidelines out for using an automated cybersecurity settings compliance method called SCAP--pronounced ess-cap--or Security Content Automation Protocol. Technical specifications for SCAP Version 1.0 were published in November 2009.
Before the July publication of the guidelines, NIST Special Publication 800-117, there was little guidance on how the new protocol should be applied.
"SCAP is designed to organize, express, and measure security-related information in standardized ways, as well as related reference data, such as identifiers for post-compilation software flaws and security configuration issues," explains NIST in its latest guidance.
"SCAP can be used to maintain the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise," it adds.
SCAP is not a replacement for the security software that agencies and contractors are using, but a suite of specifications that existing software should be configured to support. In the guidance, NIST recommends that organizations:
- improve and monitor IT security by using SCAP's security configuration checklists;
- use SCAP to demonstrate compliance with high-level security requirements that originate from mandates, standards and guidelines, by using SCAP-enabled tools along with SCAP-expressed checklists;
- use standardized SCAP enumerations--Common Configuration Enumeration (CCE) and Common Platform Enumeration (CPE)--such as identifiers and product names; and
- reference SCAP for vulnerability measurement and scoring--Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS).
NIST also recommends that product vendors and developers of standards checklists incorporate SCAP into their practices.
For more:
- see NIST's latest guidance Special Publication 800-117 (.pdf)
- see SCAP version 1.0 technical specifications Special Publication 800-126 (.pdf)
© 2011 FierceMarkets. All rights reserved.


