Re: [scap_interest] FW: Just throwing this out there: Compliance Frameworks

Dorian Cougias <> Wed, 15 February 2012 16:08 UTC

Date: Wed, 15 Feb 2012 08:08:28 -0800
From: Dorian Cougias <>
To: Adam Montville <>

We at the UCF believe that we can work together with the IETF, or any other organization, to ensure that our commercial mapping efforts and those performed in the public sector can co-exist and be mutually beneficial to each other's efforts.

Dorian J. Cougias
Compliance Scientist
Unified Compliance Framework

---- On Wed, 15 Feb 2012 06:24:33 -0800 Adam Montville <> wrote ----

If you're not already aware, there is an effort underway to migrate security automation development to the Internet Engineering Task Force. I have proposed that part of that effort seek to expand how frameworks can be represented. I believe that CCI and/or UCF formats may be of use and invite you to join the discussion at 
There is a need to accurately represent frameworks, and I'd like to see DISA and UCF join in the discussion. 
If you have any comments, questions, or concerns, feel free to contact me directly. 
Adam W. Montville | Security and Compliance Architect 
Direct: 503 276-7661 
Mobile: 360 471-7815 
From: kent_landfield <>
Date: Tue, 14 Feb 2012 15:47:29 -0600
To: Adam Montville <>, <>
Subject: Re: [scap_interest] Just throwing this out there: Compliance Frameworks 
I agree that an effort such as this has great potential. Think of the content authors today. They use XML Editors or internally developed tools to create OVAL to do the compliance checking. This is very time consuming and very costly, while limiting the available checks and benchmarks. 
If there was a means where all regulations and security policies could be universally mapped, and the specifics around them, based on individual platforms, were also attached to each unified record, it is possible to auto-generate not just the benchmarks but the individual checks. Some of this research has been successful in the past. This is doable. The problem has been that there is not an authoritative source for that data.
Today too many people are manually writing content that could be auto-generated from a database with the right schema and software. The problem, though, is as much on the front end as it is on the generation side. Someone needs to maintain that information, or have an infrastructure put in place where guidance authors for regulations or security policies can update their information in the shared datastore.
I think this is one of the missing pieces, and it may be useful to have a discussion with interested parties, but you would need to include participants from the two mentioned efforts below.
Kent Landfield 
Director Content Strategy, Architecture and Standards 
McAfee | An Intel Company 
5000 Headquarters Dr. 
Plano, Texas 75024 
Direct: +1.972.963.7096 
Mobile: +1.817.637.8026 
From: Adam Montville <>
Date: Tue, 14 Feb 2012 15:09:34 -0600
To: <>
Subject: [scap_interest] Just throwing this out there: Compliance Frameworks 
I had a brief discussion with several members of this list with respect to compliance frameworks, which met some resistance. Still, I think presenting the idea to a larger audience to solicit feedback is a good idea. 
From an automation perspective, it seems that some method of being able to map benchmark-level tests to some higher level policy representation may be warranted. At the end of the day, we perform assessments to ensure that we are in a secure state – to be compliant with a particular set of policies.
Is there any interest in being able to represent a compliance framework with either a new specification or potentially revitalizing and extending an existing specification (CCI:, or to simply rely upon any existing commercial efforts, such as UCF ( 
Or, is this type of representation simply not needed – there's enough there, the present demand doesn't justify the work, or something else? 
Adam W. Montville | Security and Compliance Architect 
Direct: 503 276-7661 
Mobile: 360 471-7815 
scap_interest mailing list