National Vulnerability Database

The National Vulnerability Database (NVD, http://nvd.nist.gov) has expanded its scope to enable organizations to automate and standardize vulnerability management, security measurement, and compliance reporting (e.g., FISMA). Thus, NVD now enables Federal agencies and other organizations to ensure that information technology assets are configured securely, automate technical control FISMA compliance checking, customize secure configuration requirements, standardize measurement of low-level vulnerabilities, and integrate vulnerability and product databases using a standards-based approach.

This capability is achieved through the Information Security Automation Program (ISAP). ISAP, pronounced “I Sap”, is a U.S. government multi-agency initiative to enable automation and standardization of technical security operations. While a U.S. government initiative, its standards-based design can benefit all information technology security operations. The ISAP high-level goals include standards-based automation of security checking and remediation as well as automation of technical compliance activities (e.g. FISMA). ISAP’s low-level objectives include enabling standards-based communication of vulnerability data, customizing and managing configuration baselines for various IT products, assessing information systems and reporting compliance status, using standard metrics to weight and aggregate potential vulnerability impact, and remediating identified vulnerabilities.

ISAP’s technical specifications are contained in the related Security Content Automation Protocol (SCAP), see below and at http://nvd.nist.gov/scap.cfm Also on this web page are vendor compatibility requirements. ISAP’s security automation content is either contained within or referenced by, the National Vulnerability Database (http://nvd.nist.gov).

ISAP is being formalized through a trilateral memorandum of agreement (MOA) between Defense Information Systems Agency (DISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST).  The Office of Secretary of Defense (OSD) also participates and the Department of Homeland Security (DHS) funds the operation infrastructure on which ISAP relies (i.e., the National Vulnerability Database).

Benefiting from NVD, ISAP, and SCAP

There are a variety of ways in which agencies and other organizations can use NVD and ISAP to their benefit. To achieve these benefits, organizations will generally need to acquire SCAP compatible tools (see http://nvd.nist.gov/tools.cfm for a preliminary list of participating vendors). Additional benefits can be obtained by aligning internal security operations with SCAP vulnerability, product, and scoring enumerations and mappings. Here is a list of benefits:

Secure Configurations

Agencies and other organizations should consistently monitor their operating systems and applications, using SCAP tools and content, to ensure that they maintain a secure configuration. Such tools can also assist with automating implementing an initial secure configuration for new assets (secure images may also be used for this purpose in some cases). Within the U.S. government, SCAP should be used to ensure that operating systems and applications conform to NIST security configuration guidance. The DOD also publishes SCAP content and DOD profiles are often available within NIST SCAP content.

FISMA Technical Control Compliance Automation

Agencies and other organizations can automate much of their FISMA technical security control compliance activities by regularly scanning information technology assets using SCAP checklists.  SCAP checklists have FISMA compliance mappings embedded within the checklist so that SCAP-compatible tools can automatically generate NIST Special Publication 800-53 assessment and compliance evidence.  Each low-level security configuration check is mapped to the appropriate high-level NIST SP 800-53 security controls. As draft NIST SP 800-53A progresses towards final publication, there will be a direct linkage, where appropriate, of the assessment procedures found in NIST SP 800-53A to the SCAP automated testing of information system mechanisms and associated security configuration settings. In addition, the SCAP checklists also contain mappings to other high-level policies (e.g., ISO, DOD 8500, FISCAM) and SCAP tools may also output those compliance mappings.

Customization of Recommended Secure Configurations

Agencies and other organizations should customize recommended SCAP secure configurations (e.g., NIST checklists) to tailor them to specific environments. SCAP checklists, being represented in standards-based XML formats, are an ideal format for customization. Organizations can modify checks, delete checks, add new checks, and digitally sign their changes. Then SCAP compatible tools will be able to automatically process the customized checklists (without any additional coding being required or even any involvement from the SCAP tool vendor).

Security Measurement

Agencies and other organizations should measure the security, relative to known security related software flaws and misconfigurations, of all operating units using standard impact scores that can be customized to each particular environment. Agencies and other organizations should be able to aggregate these measurements to understand the relative security of the organization over time. Adoption of SCAP enables this by providing a vulnerability measurement system, standard impact scores for virtually all vulnerabilities, and a methodology by which to customize those scores to particular environments (e.g., by FIPS 199 and DOD MAC/CONF levels).

Integration and Automation of Security Operations

Agencies and other organizations should integrate and automate disjoint security operations activities and databases through adoption of SCAP. This can be achieved by integrating vulnerability databases, incident databases, intrusion detection databases, and asset databases using SCAP data as primary keying material. For example, all security products and databases should use standard names for software flaws, configuration issues, and product names.

Communications Involving Vulnerabilities

Agencies and other organizations should use SCAP vulnerability and product naming enumeration standards when communicating about vulnerabilities (security related software flaws and misconfigurations). Agencies and other organizations should report incident details (both internally and externally) using SCAP vulnerability and product names to the greatest extent possible. This ensures that all vulnerability communications precisely identify the relevant low-level issues, enable integration of data feeds using this same standardized language, and enable easy correlation with other data repositories that may have additional information on the relevant vulnerabilities.

NVD SCAP Overview

The Security Content Automation Protocol (SCAP), pronounced “S Cap”, is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). More specifically, SCAP is a suite of selected open standards that enumerate software flaws, security related configuration issues, and product names; measure systems to determine the presence of vulnerabilities, and provide mechanisms to rank (score) the results of these measurements in order to evaluate the impact of the discovered security issues. SCAP defines how these standards are combined. The National Vulnerability Database provides a repository and data feeds of content that utilize the SCAP standards.

The U.S. National Institute of Standards and Technology (NIST) defines and maintains the protocol and the data feeds of content in the SCAP standards. Thus, NIST defines how to use the open standards within the SCAP context and defines the mappings between the SCAP enumeration standards. However, NIST does not control the underlying standards that are used within the protocol. SCAP is comprised of the following standards:

  • Common Vulnerabilities and Exposures (CVE®)
  • Common Configuration Enumeration (CCE™)
  • Common Platform Enumeration (CPE™)
  • Common Vulnerability Scoring System (CVSS)
  • Extensible Configuration Checklist Description Format (XCCDF)
  • Open Vulnerability and Assessment Language (OVAL™)

These open standards were created and are maintained by a number of different institutions including the MITRE Corporation, the NSA, and a special interest group within the Forum of Incident Response and Security Teams (FIRST).  NIST recommends the use of SCAP for security automation and policy compliance activities.