Security Automation - IAC - Defense Technical Information Center

DoD Activities Underway to
Mature SCAP Standards
by Kevin Bingham and Scott Messick
In support of the Network Operations
mission to defend and operate the
Department of Defense (DoD) Global
Information Grid (GIG), current
Computer Network Defense (CND)
strategies are focused on protecting DoD
information systems and limiting an
adversary’s ability to impact the network
on which those information systems
reside. Figure 1 from the National
Information Assurance Engagement
Center (NIAEC) shows the basic
objectives an adversary must achieve to
gain the ability to impact a network and
its resources. The CND mission is to limit
an adversary’s ability to get in, stay in,
and act, therefore reducing impact to
DoD networks. In order to penetrate a
network, an adversary targets assets (any
network-connected device) that possess
hardware or software configurations
with known vulnerabilities that can be
exploited to enable them to get in and act
within the network. To negate these
malicious activities, timely configuration
management processes, like applying
patches, are necessary to address
vulnerabilities to create a hardened
network that prevents an intruder’s
ability to get in and stay in. Adversaries
that are able to stay in and act within the
network are detected and identified by
analyzing the events that are generated
by intrusion detection and network
monitoring systems. Although these
processes and tools exist to protect DoD
networks, today’s capabilities rely on
human-centric processes that result in
incomplete configuration management,
questionable policy compliance, and
lengthy manual processes for detecting
and responding to malicious activity.
Each CC/S/A has dissimilar
processes and supporting technologies
for tracking and maintaining
information about assets on the
network, events occurring on the
network, and assessing the impact and
potential risk of known vulnerabilities.
In many organizations, CND data is
currently stored in disparate,
disconnected systems that do not easily
share information. Net-centric
processes enabled by machine-tomachine
communications can
accelerate protective measures to
reduce the window of exposure and
ensure timely protection of networks.
Machine-to-machine
communication is enabled by
standardizing how information is
represented and exchanged. The National
Institute of Standards and Technology
(NIST) is developing the Security Content
Automation Protocol (SCAP) that
combines a number of open standards
that are used to enumerate software flaws
and configuration issues related to
security. With mature and effective SCAP
standards comes the ability to measure,
report, analyze, and take response actions
through machine-to-machine
automation—supporting all pillars of
CND defensive measures (protect, detect,
Get in
Stay in
Impact
Act
Figure 1 Adversary’s ability to impact computer
networks.
respond, and sustain). The result:
significant improvements to GIG
situational awareness, response speed,
and interoperability in tools and vendor
products. As we look forward to the future
of CND, the SCAP standards become a
critical foundation for measurement and
automation across the GIG.
The CND Data Strategy Pilot,
sponsored by the Office of Assistant
Secretary of Defense for Networks and
Information Integration (OASD NII) and
the National Security Agency (NSA)
Information Assurance Directorate, is
focused on applying the net-centric data
strategy to the CND mission to make
CND data quickly visible, accessible, and
understandable to people and systems
across the DoD. The CND pilot works to
achieve these goals by: 1) Building upon
24 IAnewsletter Vol 13 No 1 Winter 2010 • http://iac.dtic.mil/iatac