


http://www.gcn.com/online/vol1_no1/45794-1.html



By William Jackson

GCN.com

02/06/08



A new Web page [1] hosted by the National Institute of Standards and
Technology lists products that have been validated to scan the security
configurations of Windows operating systems on federal desktop PCs.



The scanners use the Security Content Automation Protocol (SCAP) to check
for compliance with the Federal Desktop Core Configuration (FDCC) standards.
So far, three products have been validated by independent laboratories
under NIST's National Voluntary Laboratory Accreditation Program.



The Office of Management and Budget required agencies that use Windows
XP and Vista to comply with the FDCC by Feb. 1. OMB also required
agencies to use SCAP scanning tools to ensure that configurations were
not being altered.



"Your agency can now acquire information technology products that are
self-asserted by information technology providers as compliant with the
Windows XP & Vista FDCC, and use NIST's Security Content Automation
Protocol to help evaluate providers' self-assertions," OMB wrote in a July
31 memo to federal chief information officers. "However, information
technology providers must use SCAP-validated tools, as they become
available, to certify their products do not alter these configurations,
and agencies must use these tools when monitoring use of these
configurations."



NIST developed SCAP in cooperation with the Defense and Homeland
Security departments and Mitre Corp. to provide technical specifications
for identifying, enumerating, assigning and sharing security-related
data. Vendors have developed tools using the protocol to help automate
IT security operations, but as with any protocol, proper implementation
must be validated.



NIST established a SCAP validation program last summer, accrediting
three laboratories, and the first FDCC scanners have recently been
evaluated. The new page is hosted on NIST's National Vulnerability
Database Web site. Currently validated products all scan only Windows XP
Professional SP 2. They are:



* SecureFusion v3.501 from Gideon Technologies Inc. of Duluth, Ga.
* C5 Compliance Platform v. 3.3.1 from Secure Elements Inc. of Herndon, Va.
* Secutor Prime v2.0.4 from ThreatGuard Inc. of San Antonio.



Meanwhile, a number of other products are in the process of being
evaluated.



Currently accredited laboratories are EWA-Canada, of Ottawa; SAIC
Accredited Testing and Evaluation Laboratories, of Columbia, Md.; and
ICSA Labs of Mechanicsburg, Pa.



[1] http://nvd.nist.gov/scapproducts.cfm





___________________________________________________

Subscribe to InfoSec News

http://www.infosecnews.org/mailman/listinfo/isn




