[scap_interest] Just throwing this out there: Compliance Frameworks

Adam Montville <amontville@tripwire.com> Tue, 14 February 2012 21:09 UTC

From: Adam Montville <amontville@tripwire.com>
To: "scap_interest@ietf.org" <scap_interest@ietf.org>
Thread-Topic: Just throwing this out there: Compliance Frameworks
Thread-Index: AQHM61zzLrfS/zdxiEO6WzDF7i2DSQ==
Date: Tue, 14 Feb 2012 21:09:34 +0000
Message-ID: <CB600D8F.9218%amontville@tripwire.com>


I had a brief discussion with several members of this list with respect to compliance frameworks, which met some resistance.  Still, I think presenting the idea to a larger audience to solicit feedback is a good idea.

From an automation perspective, it seems that some method of being able to map benchmark-level tests to some higher level policy representation may be warranted.  At the end of the day, we perform assessments to ensure that we are in a secure state – to be compliant with a particular set of policies.

Is there any interest in being able to represent a compliance framework with either a new specification or potentially revitalizing and extending an existing specification (CCI: http://iase.disa.mil/stigs/cci.html), or to simply rely upon any existing commercial efforts, such as UCF (https://www.unifiedcompliance.com)?

Or, is this type of representation simply not needed – there's enough there, the present demand doesn't justify the work, or something else?

Adam W. Montville | Security and Compliance Architect

Direct: 503 276-7661
Mobile: 360 471-7815
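The mapping the post asks about, benchmark-level test results rolled up to higher-level policy statements through an intermediate control catalogue, can be sketched in a few dozen lines. The following is an added example written for this archive page; it is not code from the poster, Tripwire, DISA or the UCF project. The rule identifiers, the control identifiers (CTL-...) and the policy names are all constructed placeholders rather than real CCI or UCF entries; the result strings are the XCCDF rule-result values. The ordering used to decide which result "wins" inside a control is an assumption of this example, and the one behaviour worth noting is that a control with no mapped test reports as not checked, never as pass.

```python
"""Roll up XCCDF rule results to policy-level controls through a mapping layer.

Added example for the scap_interest thread above; not the poster's code.
All identifiers below are constructed placeholders, not real CCI/UCF ids.
"""
from collections import defaultdict

# Constructed sample: rule results from one benchmark run (hypothetical rule ids,
# real XCCDF result values).
RULE_RESULTS = {
    "xccdf_example_rule_password_min_len": "pass",
    "xccdf_example_rule_password_max_age": "fail",
    "xccdf_example_rule_audit_logging": "pass",
    "xccdf_example_rule_audit_log_perms": "notchecked",
    "xccdf_example_rule_unused_service": "pass",   # deliberately unmapped
}

# Constructed mapping: rule -> control identifiers (one rule may feed several controls).
RULE_TO_CONTROL = {
    "xccdf_example_rule_password_min_len": ["CTL-AUTH-1"],
    "xccdf_example_rule_password_max_age": ["CTL-AUTH-1"],
    "xccdf_example_rule_audit_logging": ["CTL-AUDIT-1"],
    "xccdf_example_rule_audit_log_perms": ["CTL-AUDIT-1", "CTL-ACCESS-1"],
}

# Constructed mapping: control -> policy statement. CTL-PHYS-1 has no automated test.
CONTROL_TO_POLICY = {
    "CTL-AUTH-1": "Policy-A",
    "CTL-AUDIT-1": "Policy-B",
    "CTL-ACCESS-1": "Policy-B",
    "CTL-PHYS-1": "Policy-C",
}

# Assumed ordering, best to worst: the worst result among a control's rules decides
# the control. Any string outside this list is treated as worse than everything.
RESULT_ORDER = ["pass", "fixed", "informational", "notapplicable", "notselected",
                "notchecked", "unknown", "error", "fail"]
RANK = {r: i for i, r in enumerate(RESULT_ORDER)}


def worst_result(results):
    """Return the worst result in an iterable; no evidence at all is 'notchecked'."""
    results = list(results)
    if not results:
        return "notchecked"
    return max(results, key=lambda r: RANK.get(r, len(RESULT_ORDER)))


def rollup_controls(rule_results, rule_to_control, controls):
    """Map rule-level results onto controls.

    Returns (control_status, unmapped_rules). Every control in `controls` gets a
    status even when no rule maps to it, so gaps in the mapping stay visible.
    """
    evidence = defaultdict(list)
    unmapped = []
    for rule, result in rule_results.items():
        targets = rule_to_control.get(rule)
        if not targets:
            unmapped.append(rule)
            continue
        for ctl in targets:
            evidence[ctl].append(result)
    status = {ctl: worst_result(evidence.get(ctl, [])) for ctl in controls}
    return status, unmapped


def rollup_policies(control_status, control_to_policy):
    """Second hop: control status -> policy status, again worst-of."""
    grouped = defaultdict(list)
    for ctl, st in control_status.items():
        grouped[control_to_policy[ctl]].append(st)
    return {policy: worst_result(v) for policy, v in grouped.items()}


if __name__ == "__main__":
    status, unmapped = rollup_controls(RULE_RESULTS, RULE_TO_CONTROL, list(CONTROL_TO_POLICY))
    for ctl, st in sorted(status.items()):
        print(f"{ctl:12s} {st}")
    for policy, st in sorted(rollup_policies(status, CONTROL_TO_POLICY).items()):
        print(f"{policy:12s} {st}")
    print("rules with no control mapping:", unmapped)
```

Run as is, the script reports CTL-AUTH-1 as fail (one of its two rules failed), CTL-AUDIT-1 and CTL-ACCESS-1 as notchecked (the permissions rule was never evaluated, so the control has no complete evidence), and CTL-PHYS-1 as notchecked because nothing maps to it; the unmapped rule is listed separately so a reviewer can see which benchmark content contributes nothing to the framework view.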