New Standards and Guidelines
There's a movement across government to standardize everything. This includes implementation of security controls where possible. The National Institute of Standards and Technology (NIST) has taken the lead in this effort through the Information Security Automation Program (ISAP), in cooperation with the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and the Office of the Secretary of Defense (OSD). The overall project is funded by the Department of Homeland Security (DHS).
One of the components of ISAP is the Security Content Automation Protocol (SCAP). The goal of SCAP is to develop standards for the automation of vulnerability management, measurement, and policy compliance checking. The operational infrastructure on which all of this relies is the National Vulnerability Database (NVD).
The NVD contains several resources that can be leveraged by government agencies to ease the implementation of standards and tracking of compliance:
- Vulnerability search engine, covering software flaws tracked as CVE (Common Vulnerabilities and Exposures) entries and misconfigurations tracked as CCE (Common Configuration Enumeration) entries
- National Checklist Program, offering automatable security configuration guidance in XCCDF (eXtensible Configuration Checklist Description Format) and OVAL (Open Vulnerability and Assessment Language)
- ISAP/SCAP (NVD-supported program and protocol)
- SCAP-compatible tools
- SCAP data feeds
- CPE Product Dictionary
- Impact metrics (CVSS)
- Common Weakness Enumeration (CWE)
I believe that this ISAP effort could lead to some changes in the security products industry. This could promote changes in how products are sold and structured.