Re: [scap_interest] Just throwing this out there: Compliance Frameworks

Tue, 14 February 2012 21:48 UTC

List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <>

I agree that an effort such as this has great potential. Think of the content authors today. They use XML editors or internally developed tools to create OVAL to do the compliance checking. This is very time-consuming and very costly, while limiting the available checks and benchmarks.

If there were a means by which all regulations and security policies could be universally mapped, and the specifics around them, based on individual platforms, were also attached to each unified record, it would be possible to auto-generate not just the benchmarks but the individual checks. Some of this research has been successful in the past. This is doable. The problem has been that there is no authoritative source for that data.

Today too many people are manually writing content that could be auto-generated from a database with the right schema and software. The problem, though, is as much on the front end as it is on the generation side. Someone needs to maintain that information, or an infrastructure needs to be put in place where guidance authors for regulations or security policies can update their information in the shared datastore.

I think this is one of the missing pieces, and it may be useful to have a discussion with interested parties, but you would need to include participants from the two efforts mentioned below.

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096
Mobile: +1.817.637.8026

From: Adam Montville
Date: Tue, 14 Feb 2012 15:09:34 -0600
Subject: [scap_interest] Just throwing this out there: Compliance Frameworks


I had a brief discussion with several members of this list with respect to compliance frameworks, which met some resistance.  Still, I think presenting the idea to a larger audience to solicit feedback is a good idea.

From an automation perspective, it seems that some method of being able to map benchmark-level tests to some higher level policy representation may be warranted.  At the end of the day, we perform assessments to ensure that we are in a secure state – to be compliant with a particular set of policies.

Is there any interest in being able to represent a compliance framework with either a new specification or potentially revitalizing and extending an existing specification (CCI: or to simply rely upon any existing commercial efforts, such as UCF (

Or, is this type of representation simply not needed – there's enough there, the present demand doesn't justify the work, or something else?
Adam W. Montville | Security and Compliance Architect

Direct: 503 276-7661
Mobile: 360 471-7815

scap_interest mailing list
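Both messages above circle the same idea: Adam asks for a way to map benchmark-level tests to a higher-level policy representation, and Kent argues that, given a unified record per requirement with per-platform specifics attached, the benchmark rules could be generated rather than hand-written. The following is an added example, not code from either author or from any SCAP project: it takes a constructed, hypothetical datastore of such records, emits XCCDF-style Rule elements (carrying the policy mapping as ident entries and the platform's OVAL definition as the check reference), and reports which framework controls have no check for a given platform. The record schema, the `urn:example:` ident systems and the `oval:example:def:*` ids are all assumptions.

```python
"""Added example: generate XCCDF-style rules from a unified policy datastore."""
import xml.etree.ElementTree as ET
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample datastore (hypothetical schema, not an authoritative source).
# Each record ties one requirement to the controls that demand it and to
# per-platform check parameters; the OVAL definition ids are placeholders.
UNIFIED_RECORDS = [
    {"id": "pwd-min-length", "title": "Minimum password length",
     "policies": {"NIST-800-53": ["IA-5"], "PCI-DSS": ["8.2.3"]},
     "platforms": {"rhel6": {"oval_def": "oval:example:def:1001", "value": 14},
                   "win7": {"oval_def": "oval:example:def:2001", "value": 14}}},
    {"id": "audit-enabled", "title": "Audit logging enabled",
     "policies": {"NIST-800-53": ["AU-2"], "PCI-DSS": ["10.2"]},
     "platforms": {"rhel6": {"oval_def": "oval:example:def:1002", "value": "yes"}}},
]

def _q(tag):  # qualify a tag with the XCCDF namespace
    return f"{{{XCCDF_NS}}}{tag}"

def generate_rules(records, platform):
    """Build one XCCDF Rule per record that has a check for `platform`."""
    rules = []
    for rec in records:
        plat = rec["platforms"].get(platform)
        if plat is None:  # no platform-specific check yet: nothing to emit
            continue
        rule = ET.Element(_q("Rule"), id=f"xccdf_example_rule_{rec['id']}", severity="medium")
        ET.SubElement(rule, _q("title")).text = rec["title"]
        ET.SubElement(rule, _q("description")).text = f"Required on {platform}: {plat['value']}"
        for framework, controls in rec["policies"].items():  # policy mapping rides along
            for ctl in controls:
                ET.SubElement(rule, _q("ident"), system=f"urn:example:{framework}").text = ctl
        check = ET.SubElement(rule, _q("check"), system=OVAL_SYSTEM)
        ET.SubElement(check, _q("check-content-ref"), href=f"{platform}-oval.xml", name=plat["oval_def"])
        rules.append(rule)
    return rules

def policy_coverage(records, platform):
    """Map 'framework control' -> rule ids on `platform` (empty list = gap to hand-write)."""
    coverage = {}
    for rec in records:
        for framework, controls in rec["policies"].items():
            hits = [coverage.setdefault(f"{framework} {c}", []) for c in controls]
            if platform in rec["platforms"]:
                for h in hits:
                    h.append(rec["id"])
    return coverage
```

Serialise a rule with `ET.tostring(rule, encoding="unicode")` to see the generated XML; `policy_coverage(UNIFIED_RECORDS, "win7")` shows AU-2 and 10.2 unmapped for that platform, which is exactly the kind of gap the shared datastore would have to expose to its maintainers.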