[scap_interest] FW: Just throwing this out there: Compliance Frameworks

Adam Montville <amontville@tripwire.com> Wed, 15 February 2012 14:24 UTC

From: Adam Montville <amontville@tripwire.com>
To: "CCI@disa.mil" <CCI@disa.mil>, "dcougias@unifiedcompliance.com" <dcougias@unifiedcompliance.com>
Date: Wed, 15 Feb 2012 14:24:33 +0000
Cc: "scap_interest@ietf.org" <scap_interest@ietf.org>
Subject: [scap_interest] FW: Just throwing this out there: Compliance Frameworks

Hello,

If you're not already aware, there is an effort underway to migrate security automation development to the Internet Engineering Task Force.  I have proposed that part of that effort seek to expand how frameworks can be represented.  I believe that CCI and/or UCF formats may be of use and invite you to join the discussion at scap_interest@ietf.org: https://www.ietf.org/mailman/listinfo/scap_interest.

There is a need to accurately represent frameworks, and I'd like to see DISA and UCF join in the discussion.

If you have any comments, questions, or concerns, feel free to contact me directly.

Regards,

Adam W. Montville | Security and Compliance Architect

Direct: 503 276-7661
Mobile: 360 471-7815

TRIPWIRE | Take CONTROL
http://www.tripwire.com

From: kent_landfield <kent_landfield@mcafee.com>
Date: Tue, 14 Feb 2012 15:47:29 -0600
To: Adam Montville <amontville@tripwire.com>, <scap_interest@ietf.org>
Subject: Re: [scap_interest] Just throwing this out there: Compliance Frameworks

Adam,

I agree that an effort such as this has great potential.  Think of the content authors today. They use XML Editors or internally developed tools to create OVAL to do the compliance checking.  This is very time consuming and very costly, while limiting the available checks and benchmarks.

If there was a means where all regulations and security policies could be universally mapped and the specifics around them, based on individual platforms, were also attached to each unified record, it is possible to auto generate not just the benchmarks but the individual checks.  Some of this research has been successful in the past.  This is doable. The problem has been there is not an authoritative source for that data.

Today too many people are manually writing content that could be auto generated from a database with the right schema and software.  The problem though is as much on the front end as it is on the generation side.  Someone needs to maintain that information or have an infrastructure put in place where guidance authors for regulations or security policies can update their information in the shared datastore.

I think this is one of the missing pieces and it may be useful to have a discussion with interested parties but you would need to include participants from the two mentioned efforts below.

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096
Mobile: +1.817.637.8026
Web: www.mcafee.com

From: Adam Montville <amontville@tripwire.com>
Date: Tue, 14 Feb 2012 15:09:34 -0600
To: "scap_interest@ietf.org" <scap_interest@ietf.org>
Subject: [scap_interest] Just throwing this out there: Compliance Frameworks

All,

I had a brief discussion with several members of this list with respect to compliance frameworks, which met some resistance.  Still, I think presenting the idea to a larger audience to solicit feedback is a good idea.

From an automation perspective, it seems that some method of being able to map benchmark-level tests to some higher level policy representation may be warranted.  At the end of the day, we perform assessments to ensure that we are in a secure state – to be compliant with a particular set of policies.

Is there any interest in being able to represent a compliance framework with either a new specification or potentially revitalizing and extending an existing specification (CCI: http://iase.disa.mil/stigs/cci.html), or to simply rely upon any existing commercial efforts, such as UCF (https://www.unifiedcompliance.com)?

Or, is this type of representation simply not needed – there's enough there, the present demand doesn't justify the work, or something else?

Thoughts?

Regards,

Adam W. Montville | Security and Compliance Architect

Direct: 503 276-7661
Mobile: 360 471-7815

TRIPWIRE | Take CONTROL
http://www.tripwire.com
