First conceived by NIST and the National Security Agency (NSA) as a common format for exchanging IT security data, SCAP specifically comprises a suite of specifications used for organizing and expressing security-related information in a standardized manner.
Derived from input solicited from across the government sector, SCAP integrates a number of open standards used to enumerate software vulnerabilities and configuration issues to enable automated vulnerability management, measurement, and policy compliance evaluation – specifically related to mandates including the Federal Information Security Management Act (FISMA).
IMPACT Pro users can now export information in an XML format using SCAP standards to help with continuous monitoring, vulnerability data management and security assessment, thereby meeting their expanded interoperability needs and streamlining their overarching vulnerability management efforts.
“SCAP was created to help government organizations bridge their security assessment and vulnerability management efforts across multiple processes, technologies and solutions, and as Core IMPACT helps people lend greater speed and consistency to their work in identifying and addressing real-world risks, we’re very proud to gain this validation from NIST,” said Fred Pinkett, vice president of Product Management at Core. “We’ll continue to embrace the standards and recommendations coming out of NIST and other influential government organizations to ensure that our customers feel confident that we’re helping them stay ahead of their security testing requirements.”
In support of SCAP, IMPACT Pro v10.5 incorporates the following data into its reports and is also able to export the data in XML format for use in centralized security databases:
Common Vulnerabilities and Exposures (CVE) Numbers
Common Vulnerability Scoring System (CVSS) Ratings
Common Platform Enumeration (CPE)
NIST officials have also said repeatedly that their security automation agenda is far broader than the vulnerability management application of modern-day SCAP, encompassing many different security activities and disciplines that can benefit from standardized expression and reporting of vulnerability data – including compliance, remediation, and network monitoring.
Industry leaders spanning both the public and private sectors have endorsed broader adoption of SCAP as an important opportunity for government organizations to markedly improve their ability to identify, test and remediate their critical points of IT risk.
“SCAP represents a significant step forward in strengthening the public/private partnership needed to improve our nation's cyber security,” said Marcus Sachs, the executive director for National Security and Cyber Policy at Verizon who works closely with government and business stakeholders in Washington as part of the National Security/Emergency Preparedness (NS/EP) community.
“Neither the government, academia, nor the private sector can secure cyberspace by themselves, it really is a team effort,” said Sachs, who is also secretary of the U.S. Communications Sector Coordinating Council and director of the SANS Internet Storm Center. “Initiatives like SCAP streamline the process of exchanging technical information between the organizations and companies working together to mutually protect all of us online.”
About Core Security Technologies
Core Security Technologies enables organizations to both get ahead of threats and bridge the gap between security data and critical business risks. Using our test and measurement solutions, security professionals proactively validate their security controls while revealing actual risk paths that traverse IT layers to expose critical assets. As a result, our customers gain unprecedented visibility into threats to the business, while measuring risk on a continual basis. Core’s security testing and measurement solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, Mass. and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.