A Collection of Information Security Community Standardization Activities and Initiatives
   

By Organization Name

The efforts and activities in this collection include a range of items from mature, to those continuing to build momentum, to initial concepts.

Note:

CVE, OVAL, CWE, CWSS, CWRAF, CAPEC, MAEC, CybOX, STIX, and TAXII are sponsored by the office of Cybersecurity and Communications, at the U.S. Department of Homeland Security.

MITRE Corporation

Languages/Formats

Open Vulnerability and Assessment Language (OVAL®) — OVAL is an international, information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language.

Malware Attribute Enumeration and Characterization (MAEC™) — MAEC is a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. By eliminating the ambiguity and inaccuracy that currently exists in malware descriptions and by reducing reliance on signatures, MAEC aims to improve human-to-human, human-to-tool, tool-to-tool, and tool-to-human communication about malware; reduce potential duplication of malware analysis efforts by researchers; and allow for the faster development of countermeasures by enabling the ability to leverage responses to previously observed malware instances.

Cyber Observable Expression (CybOX™) — CybOX is a standardized schema for the specification, capture, characterization, and communication of events or stateful properties that are observable in the operational domain. A wide variety of high-level cyber security use cases rely on such information including: event management/logging, malware characterization, intrusion detection, incident response/management, attack pattern characterization, etc. CybOX provides a common mechanism (structure and content) for addressing cyber observables across and among this full range of use cases improving consistency, efficiency, interoperability and overall situational awareness.

Structured Threat Information Expression (STIX™) — STIX is a collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible. All interested parties are welcome to participate in evolving STIX as part of its open, collaborative community. Trusted Automated eXchange of Indicator Information (TAXII™) is the main transport mechanism for cyber threat information represented as STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.

Trusted Automated Exchange of Indicator Information (TAXII™) — TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII, through its member specifications, defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. TAXII is not a specific information sharing initiative nor an attempt to define trust agreements, governance, or other non-technical aspects of cyber threat information sharing. Instead, TAXII empowers organizations to achieve improved situational awareness about emerging threats, enabling organizations to share the information they choose with the partners they choose. TAXII is the main transport mechanism for cyber threat information represented as Structured Threat Information Expression (STIX™). Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.

Common Weakness Scoring System (CWSS™) — CWSS is a collaborative, community-based effort for scoring software coding errors found in software applications in a consistent, flexible, open manner while accommodating context for the various stakeholders and business domains across government, academia, and industry. CWSS can be used for assessing and prioritizing possible software architecture, design, code, and implementation weaknesses that "might be introduced into an application, which in some cases can contribute to a vulnerability within that software …" In addition to helping developers score the severity of weaknesses, CWSS also provides a way for software consumers to "know what they should worry about the most, and what to ask for to get a more secure product from their vendors and suppliers."

Common Weakness Risk Analysis Framework (CWRAF™) — CWRAF provides a way for organizations to apply the Common Weakness Scoring System (CWSS) using specialized scenarios ("vignettes") that identify the business value context of deployed applications in order to prioritize those software weaknesses in CWE that are most relevant to their own businesses, missions, and deployed technologies. In conjunction with other activities, CWRAF ultimately helps software developers and consumers to introduce more secure software into their operational environments.

Policy Language for Assessment Results Reporting (PLARR) — PLARR is an open specification that provides a structured language for requesting IT asset assessment results from an assessment tool, asset database, or other tool that can produce security assessment results. It is intended to be used by tools that request detailed configuration data about IT assets, especially products that leverage specifications contained in the National Institute for Standards and Technology's (NIST) Security Content Automation Protocol (SCAP).

Registries

Common Vulnerabilities and Exposures (CVE®) — International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

OVAL Repository - MITRE's OVAL Repository is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL Definitions. OVAL Definitions are standardized, machine-readable XML tests written in the OVAL Language that check computer systems for the presence of software vulnerabilities, configuration issues, programs, and patches. Other repositories in the community also host Open Vulnerability and Assessment Language (OVAL®) content.

Common Weakness Enumeration (CWE™) - Targeted to developers and security practitioners, CWE is a formal or dictionary of common software weaknesses created to serve as a common language for describing software security weaknesses in architecture, design, or code; serve as a standard measuring stick for software security tools targeting these weaknesses, and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts.

Common Attack Pattern Enumeration and Classification (CAPEC™) — CAPEC is a catalog of attack patterns along with a comprehensive schema and classification taxonomy focused on enhancing security throughout the software development lifecycle, and to support the needs of developers, testers and educators. By providing a standard mechanism for identifying, collecting, refining, and sharing attack patterns among the software community, CAPEC provides for a more complete and thorough review of the strength of our systems from the point-of-view of attackers.

CWE/SANS Top 25 Most Dangerous Software Errors + Mitigations — The Top 25 is a consensus list of the most significant software errors that can lead to serious software vulnerabilities. The errors are dangerous because they frequently will allow attackers to completely take over the software, steal data, or prevent the software from working at all. The Top 25 is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the U.S. and Europe and leverages experiences in the development of the SANS Top 20 attack vectors and MITRE's CWE.

Compatible Usage

Requirements and Recommendations for CVE CompatibilityOutlines the requirements and recommendations that need to be satisfied in order for a product, service, Web site, database, or advisory/alert to properly implement support for the Common Vulnerabilities and Exposures (CVE®) effort.

List of CVE-Compatible Products/ServicesA growing list of the Vulnerability Databases, Security Advisories and Archives, Vulnerability Notification Services, Vulnerability Assessment and Remediation tools and Services, Vulnerability Assessment Services, Hybrid Assessment and Intrusion Detections Systems, Intrusion Detection and Management Tools and Services, Intrusion Monitoring and Response Services, Incident Management Tools and Services, Data/Event Correlation Tools and Services, Educational Materials, Firewall, Patch Management Tools and Services, Security Information Management Tools and Services, and Policy Compliance Tools and Services from around the world that have been recognized as "Officially CVE-Compatible".

Requirements and Recommendations for OVAL Adoption and Use — Outlines the requirements and recommendations that need to be satisfied in order for a product, service, Web site, database, or advisory/alert to properly implement support for the Open Vulnerability and Assessment Language (OVAL®) initiative. At the same time, these requirements describe the supported and recommended ways of making use of OVAL Content and other capabilities that leverage OVAL.

List of OVAL Adopter Products/Services — A growing list of the Vulnerability Assessment, Configuration Management, Patch Management, and Policy Compliance Tools and Services from around the world that have been recognized as an "Official OVAL Adopter" of the Open Vulnerability and Assessment Language (OVAL®) effort.

Requirements and Recommendations for CWE Compatibility and CWE Effectiveness — Outlines the requirements and recommendations that need to be satisfied in order for a product, service, Web site, educational offering, or software development practice to properly implement support for the Common Weakness Enumeration (CWE™) effort.

List of CWE-Compatible Products/Services — A growing list of the Assessment and Remediation Tools, Assessment Services, Database/Knowledge Repositories, Education Offerings, and Software Development Practices from around the world that have been recognized as "Officially CWE-Compatible".

Requirements and Recommendations for CAPEC Compatibility — Outlines the requirements and recommendations that need to be satisfied in order for a product, service, or Web site to properly implement support for the Common Attack Pattern Enumeration and Classification (CAPEC™) effort.

Requirements and Recommendations for MAEC Compatibility — Outlines the requirements and recommendations that need to be satisfied in order for a product, service, Web site, or repository to properly implement support for the Malware Attribute Enumeration and Characterization (MAEC™) effort.

OVAL Interpreter — The Open Vulnerability and Assessment Language (OVAL®) Interpreter is a freely available reference implementation for the OVAL Language created to show how information can be collected from a computer for testing, to evaluate and carry out the OVAL Definitions for that platform, and to report the results of the tests. It is not a fully functional scanning tool and has a simplistic user interface but running the Interpreter will provide a list of OVAL-IDs and their references (e.g., CVE Identifiers) determined by OVAL to be present on the system.


Altx-Soft

Altx-Soft OVAL Repository — Created in February 2012, the Altx-Soft repository of OVAL content consists of OVAL Definitions imported from several sources.

Australian Defence Signals Directorate (DSD)

Top 35 Mitigation Strategies — The Australian Defence Signals Directorate (DSD) "has developed a list of strategies to mitigate targeted cyber intrusions. The list is informed by DSD's experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies." "The Top 35 Mitigation Strategies are ranked in order of overall effectiveness [and] are based on DSD's analysis of reported security incidents and vulnerabilities detected by DSD in testing the security of Australian Government networks."

Center for Internet Security (CIS)

Center for Internet Security (CIS) Benchmarks — The CIS Benchmarks are "consensus best practice standards for security configuration and are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as GLB, SOx, HIPAA, FIRPA and other the regulatory requirements for information security. For the first time ever, a large group of user organizations, information security professionals, auditors and software vendors have defined consensus technical control specifications that represent a prudent level of due care and best-practice security configurations for computers connected to the Internet."

Center for Internet Security (CIS) Consensus Security Metric Definitions — "Organizations struggle to make cost-effective security investment decisions; information security professionals lack widely accepted and unambiguous metrics for decision support. CIS established a consensus team of one hundred (100) industry experts to address this need. The result is a set of standard metrics and data definitions that can be used across organizations to collect and analyze data on security process performance and outcomes." CIS Security Metrics v1.0.0 document contains 20 metric definitions for six important business functions: Incident Management, Vulnerability Management, Patch Management, Application Security, Configuration Management and Financial Metrics.

Center for Strategic and International Studies (CSIS)

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance — This Center for Strategic and International Studies (CSIS) document by is hosted by SANS Institute. "Cyber attack and defense experts from the federal agencies most involved in cybersecurity pooled their knowledge of the attack techniques being used against the government and the defense industrial base to determine the twenty key actions (called security "controls") that organizations must take if they hope to block or mitigate known attacks and attacks that can be reasonably expected in the near term. They tested their proposal for protecting federal systems to determine whether they would also stop or mitigate attacks known to be used against financial institutions and found the top 20 controls are essentially identical across government, the defense industrial base, financial institutions and retailers. For each of the 20 controls, the experts identified specific (actual) attacks that the control stops or mitigates, illuminated best practices in automating the control (for 15 controls that can be automated) and defined tests that can determine whether each control is effectively implemented. The resulting document is called the Consensus Audit Guidelines and, once fully vetted, is expected to become the standard baseline for measuring computer security in organizations that are likely to be under attack."

Central Sponsor for Information Assurance (CSIA), UK

Security Description and Exchange Format (SecDEF) — The UK's SecDEF is "a federated effort to encourage the crystallisation of various XML based Description and Exchange Formats (DEF) to support Information Exchange Requirements (IER) related to Security Information where there is a need to cross Management Domains. Of these initiatives, the one that has been running the longest, is the Vulnerability and Exploit DEF (VEDEF - http://www.terena.org/activities/tf-csirt/vedef.html)..."

CERIAS/Purdue University

CERIAS/Perdue University's Cassandra — CERIAS/Purdue University's free Cassandra tool monitors changes and updates to the U.S National Vulnerabilities Database (formerly ICAT) and the Secunia vulnerability databases. Cassandra saves lists of products, vendors, and keywords from these sources into "profiles" and emails any updates to subscribers. Users can create as many profiles as they want for networks, typical installs, important hosts, or any other areas of interest. CVE Change Logs, another free CERIAS tool, monitors changes to the CVE List.

CERT.org

CERT Secure Coding Standards — This web site exists to support the development of secure coding standards for commonly used programming languages such as C and C++. These standards are being developed through a broad-based community effort including the CERT Secure Coding Initiative and members of the software development and software security communities.

Cisco Systems, Inc.

Cisco Security Intelligence Operations Repository — Created in September 2012, the Cisco Security Intelligence Operations repository consists of Cisco security advisories in the standardized Common Vulnerability Reporting Format (CVRF) and includes OVAL Vulnerability Definitions for the Cisco IOS security advisories.

Debian

Debian Project Repository of OVAL Content — in August 2010, the Debian repository of OVAL content consists of OVAL Definitions that corresponds to Debian security advisories.

Defense Information Systems Agency (DISA), U.S.

Defense Information Systems Agency Field Security Operations (DISA FSO) DoD SCAP Content Repository — Created in May 2012, the DISA FSO's DoD SCAP Content Repository hosts Security Technical Implementation Guides (STIGs) in support of Security Content Automation Protocol (SCAP) content and tools.

DISA Security Technical Implementation Guides (STIGS) — The U.S. Department of Defense's (DoD) Defense Information Systems Agency's (DISA) Security Technical Implementation Guides (STIGS) are configuration standards for DoD information assurance and information assurance-enabled devices and systems.

Control Correlation Identifier (CCI) — CCI provides a standard identifier and description for each of the singular, actionable statements that comprise an information assurance (IA) control or IA best practice. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control. This ability to trace security requirements from their origin (e.g., regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance to multiple IA compliance frameworks. CCI also provides a means to objectively rollup and compare related compliance assessment results across disparate technologies.

Distributed Management Task Force, Inc.

DMTF's Common Information Model (CIM) — DMTF's Common Information Model (CIM) "is a common data model of an implementation-neutral schema for describing overall management information in a network/enterprise environment."

DMTF's Web-Based Enterprise Management (WBEM) — DMTF's Web-Based Enterprise Management (WBEM) "is a set of management and Internet standard technologies developed to unify the management of enterprise computing environments."

DMTF's Web Services for Management (WS-Management) — DMTF's Web Services for Management (WS-Management) specification "promotes interoperability between management applications and managed resources by identifying a core set of Web service specifications and usage requirements to expose a common set of operations that are central to all systems management."

DMTF's Systems Management Architecture for Server Hardware (SMASH) — "DMTF's Systems Management Architecture for Server Hardware (SMASH) initiative is a suite of specifications that deliver architectural semantics, industry standard protocols and profiles to unify the management of the data center."

Forum of Incident Response and Security Teams (FIRST)

Common Vulnerability Scoring System (CVSS) — Commissioned by the U.S. National Infrastructure Advisory Council (NIAC) in support of the global Vulnerability Disclosure Framework and currently maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS is a "vendor agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response. It solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone."

IBM Internet Security Systems (ISS)

IBM Internet Security Systems X-Force IDs — "Internet Security Systems' X-Force organization delivers the latest information on Internet threats and vulnerabilities through notifications, such as X-Force Protection Advisories and Alerts. Along with information about the threat, these notifications provide customers with information about how IBM ISS products and services can protect against the threat."

Industry Consortium for Advancement of Security on the Internet (ICASI)

Common Vulnerability Reporting Format (CVRF) — CVRF provides a common XML framework for reporting and sharing vulnerability information among multiple organizations. With CVRF, discoverers, vendors, users, and coordinators of security response efforts worldwide are able to share critical vulnerability-related information in a standard, non-vendor specific format, thereby speeding information dissemination, exchange, and incident resolution. Producers of vulnerability reports will benefit from faster reporting, and end users will gain the ability to find relevant information more quickly and easily.

Internet Engineering Task Force (IETF)

Incident Object Description Exchange Format (IODEF) Specification [RFC 5070] — "The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. This document describes the information model for the IODEF and provides an associated data model specified with XML Schema."

IODEF — Extensions to the IODEF-Document Class for Reporting Phishing [RFC 5901] — "This document extends the Incident Object Description Exchange Format (IODEF) defined in RFC5070 to support the reporting of phishing events, which is a particular type of fraud. These extensions are flexible enough to support information gleaned from activities throughout the entire electronic fraud cycle — from receipt of the phishing lure to the disablement of the collection site. Both simple reporting and complete forensic reporting are possible, as is consolidating multiple incidents."

IODEF-Extension to Support Structured Cybersecurity Information [Active Internet-Drafts] — "This document extends the Incident Object Description Exchange Format (IODEF) defined in RFC 5070 [RFC5070] to facilitate enriched cybersecurity information exchange among cybersecurity entities. It provides the capability of embedding structured information, such as identifier- and XML-based information."

IODEF — Guidelines for Extensions to IODEF for Managed Incident Lightweight Exchange [Active Internet-Drafts] — "This document provides extensions to Managed Incident Lightweight Exchange (MILE). MILE describes a subset of Incident Object Description Exchange Format (IODEF) defined in RFC 5070. The Data Markers extension is aimed at exchanging data tags or markers that label categories of information that have significance in the exchange of incident information. These data marker extension is aimed at exchanging data tags or markers that label information exchanged during incident handling. Data markers include sensitivity and data handling requirements that can prevent possible criminal errors in mismarking data. Both network and information security incidents typically result in the loss of service, data, and resources both human and system."

IODEF - Guidelines for Extensions to IODEF for Managed Incident Lightweight Exchange Template [Active Internet-Drafts] — "This document provides guidelines for extensions to the Incident Object Description Exchange Format (IODEF) [RFC5070] for exchange of incident management data, and contains a template for Internet-Drafts describing those extensions, in order to ease the work and improve the quality of extension descriptions."

Intrusion Detection Message Exchange Format (IDMEF) — IDMEF is a specification being developed by the Intrusion Detection Working Group, chartered by the Internet Engineering Task Force (IETF), which defines data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. Data exchanges are done using XML. The data formats are specified using an XML DTD.

Managed Incident Lightweight Exchange (MILE) — The Internet Engineering Task Force's (IETF) MILE Working Group will "develop standards and extensions for the purpose of improving incident information sharing and handling capabilities based on the work developed in the IETF Extended INCident Handling (INCH) working group. The Incident Object Description Exchange Format (IODEF) in RFC5070 and Real-time Inter-network Defense (RID) in RFC6045 were developed in the INCH working group by international Computer Security Incident Response Teams (CSIRTs) and industry to meet the needs of a global community interested in sharing, handling, and exchanging incident information. The extensions and guidance created by the MILE working group assists with the daily operations of CSIRTs at an organization, service provider, law enforcement, and at the country level. The application of IODEF and RID to interdomain incident information cooperative exchange and sharing has recently expanded and the need for extensions has become more important. Efforts continue to deploy IODEF and RID, as well as to extend them to support specific use cases covering reporting and mitigation of current threats such as anti-phishing extensions."

Real-time Inter-network Defense (RID) (IETF/RFC) — RID "outlines a proactive inter-network communication method to facilitate sharing incident handling data while integrating existing detection, tracing, source identification, and mitigation mechanisms for a complete incident handling solution.  Combining these capabilities in a communication system provides a way to achieve higher security levels on networks."

Real-time Inter-network Defense (RID-T) Messages Transport (IETF/RFC) — "The Incident Object Description Exchange Format (IODEF) defines a common XML format for document exchange, and Real-time Inter-network Defense (RID) defines extensions to IODEF intended for the cooperative handling of security incidents within consortia of network operators and enterprises. This document specifies a transport protocol for RID based upon the passing of RID messages over HTTP/TLS (Transport Layer Security)."

International Organization for Standardization (IS0)/International Electrotechnical Commission (IEC)

ISO/IEC 24772, Guidance for Avoiding Vulnerabilities through Language Selection and Use — All programming languages have constructs that are undefined, imperfectly defined, implementation-dependent, or difficult to use correctly. As a result, software programs can execute differently than intended by the writer. In some cases, these vulnerabilities can be exploited by an attacker to compromise the safety, security, and privacy of a system. The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) issued a joint technical report (TR) on September 29, 2010 entitled "ISO/IEC TR 24772:2010, Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use" that describes classes of programming language vulnerabilities — features of languages that encourage or permit the writing of code that contains application vulnerabilities. The report describes 51 vulnerabilities in languages themselves, as well as 20 additional vulnerabilities that could be avoided by offering a richer set of library routines. The report is also available for purchase from http://www.iso.org and http://www.ansi.org.

Assurance Case (ISO 15026-2) — "ISO/IEC 15026-2:2011 specifies minimum requirements for the structure and contents of an assurance case to improve the consistency and comparability of assurance cases and to facilitate stakeholder communications, engineering decisions, and other uses of assurance cases. An assurance case includes a top-level claim for a property of a system or product (or set of claims), systematic argumentation regarding this claim, and the evidence and explicit assumptions that underlie this argumentation. Arguing through multiple levels of subordinate claims, this structured argumentation connects the top-level claim to the evidence and assumptions."

Common Criteria (ISO 18045 & ISO 15408)"ISO/IEC 18045:2008 is a companion document to ISO/IEC 15408, Information technology — Security techniques — Evaluation criteria for IT security. ISO/IEC 18045:2008 defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408. ISO/IEC 18045:2008 does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance."

Software Identification (SWID) Specification (ISO 19770-2) — This specification "establishes specifications for tagging software to optimize its identification and management". It applies to: platform providers, software providers, tag providers, tag tool providers, and software consumers.

Vulnerability Assessment (ISO TR 20004) — "ISO/IEC TR 20004:2012 refines the AVA_VAN assurance family activities defined in ISO/IEC 18045:2008 and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation. [The document] leverages the Common Weakness Enumeration (CWE) and the Common Attack Pattern Enumeration and Classification (CAPEC) to support the method of scoping and implementing ISO/IEC 18045:2008(E) vulnerability analysis activities."

IT Security Database

IT Security Database OVAL Repository — Created in November 2010, the IT Security Database Web site collects OVAL Definitions from sources such as the OVAL Repository, Red Hat, Suse, NVD, Apache, etc., and provides a unified, easy-to-use Web interface to all IT security related items about them including patches, vulnerabilities, and compliance checklists.

Microsoft Corporation

Microsoft's Dynamic Systems Initiative (DSI) — "The Dynamic Systems Initiative (DSI) is a commitment from Microsoft and its partners to deliver "self-managing dynamic systems" to help IT teams capture and use knowledge to design more manageable systems and automate ongoing operations, resulting in reduced costs and more time to proactively focus on what is most important to the organization."

Microsoft Security Bulletin IDs — Security bulletins and advisories issued by Microsoft Corporation.

Microsoft’s System Definition Model (SDM) — System Definition Model (SDM) is a unifying thread enabling integrated innovation from Microsoft and its partners across application development tools, operating systems, applications, hardware, and management tools. SDM is a model that is used to create definitions of distributed systems. The SDM "blueprint can be created and manipulated with various software tools and is used to define system elements and capture data pertinent to development, deployment, and operations so that the data becomes relevant across the entire IT life cycle."

U.S. Department of Homeland Security (DHS) Office of Cybersecurity and Communications Security (DHS)

Build-Security-In — Build Security In (BSI) is a project of the Software Assurance (SwA) Strategic Initiatives (SI) of the office of Cybersecurity and Communications at the U.S. Department of Homeland Security (DHS). "BSI content is based on the principle that software security is fundamentally a software engineering problem and must be addressed in a systematic way throughout the software development life cycle. BSI contains and links to a broad range of information about best practices, tools, guidelines, rules, principles, and other knowledge to help organizations build secure and reliable software."

National Institute of Standards and Technology (NIST)

Languages/Formats

Assessment Results Format (ARF) — Part of the National Institute for Standards and Technology's (NIST) Security Content Automation Protocol (SCAP), ARF is "a data model to express the transport format of information about assets, and the relationships between assets and reports. The standardized data model facilitates the reporting, correlating, and fusing of asset information throughout and between organizations. ARF is vendor and technology neutral, flexible, and suited for a wide variety of reporting applications."

Assessment Summary Results (ASR) — Part of the National Institute for Standards and Technology's (NIST) Security Content Automation Protocol (SCAP), ASR is "a data model to express the transport format of summary information about one or more sets of assets. The standardized data model facilitates the interchange of aggregate asset information throughout and between organizations. ASR is vendor and technology neutral, flexible, and suited for a wide variety of reporting applications."

Common Configuration Scoring System CCSS Specification (NIST IR 7502) — "The Common Configuration Scoring System (CCSS) is a set of measures of the severity of software security configuration issues. CCSS is derived from CVSS, which was developed to measure the severity of vulnerabilities due to software flaws. CCSS can assist organizations in making sound decisions as to how security configuration issues should be addressed and can provide data to be used in quantitative assessments of the overall security posture of a system. This report defines proposed measures for CCSS and equations to be used to combine the measures into severity scores for each configuration issue. The report also provides several examples of how CCSS measures and scores would be determined for a diverse set of security configuration issues."

Common Platform Enumeration (CPE) — CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a structured name format, a method for checking names against a system, and a description format for binding text and tests to a name.

Extensible Configuration Checklist Description Format (XCCDF) — XCCDF was created by the U.S. National Security Agency (NSA) and National Institute of Standards and Technology (NIST) to be a specification language for providing a "uniform foundation for expression of security checklists, benchmarks, and other configuration guidance [to] foster more widespread application of good security practices." The default configuration checking technology for XCCDF is OVAL.

Open Checklist Interactive Language (OCIL) — A U.S. National Institute of Standards and Technology (NIST) Interagency Report (IR), OCIL "defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions." OCIL "can be used in conjunction with [other] SCAP specifications such as XCCDF to help handle cases where lower-level checking languages such as OVAL are unable to automate a particular check. In short, OCIL provides a standardized approach to express and evaluate non-automated (i.e., manual) security checks."

Security Content Automation Protocol (SCAP): SCAP Version 1.2 Technical Specification (NIST SP 800-126) — "This document provides the definitive technical specification for version 1.2 of the Security Content Automation Protocol (SCAP). SCAP (pronounced ess-cap) consists of a suite of specifications for standardizing the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. This document defines requirements for creating and processing SCAP source content. These requirements build on the requirements defined within the individual SCAP component specifications. Each new requirement pertains either to using multiple component specifications together or to further constraining one of the individual component specifications. The requirements within the individual component specifications are not repeated in this document; see those specifications to view their requirements."

Registries

Common Configuration Enumeration (CCE) — CCE provides unique identifiers to system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.

Common Platform Enumeration (CPE) — CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a structured name format, a method for checking names against a system, and a description format for binding text and tests to a name.

Common Remediation Enumeration (CRE) Version 1.0 (NIST IR-7831) — "This document defines the Common Remediation Enumeration (CRE) 1.0 specification. CRE is part of a suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This specification describes the core concepts of CRE, the technical components of a CRE entry, outlines how CRE entries are created, the technical requirements for constructing a CRE-ID, and how CRE-IDs may be assigned. CRE-IDs are intended to be boundary objects that are broadly useable in enterprise security management products and information domains that participate in remediation activities or make assertions about remediation actions."

National Vulnerability Database (NVD) — The U.S. National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) "is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard." NVD also includes OVAL-IDs as references and is searchable by CVE-ID and OVAL-ID.

NIST Information Security Automation Program (ISAP) and Security Content Automation Protocol (SCAP) — ISAP is a U.S. government multi-agency initiative led by the U.S. National Institute of Standards and Technology (NIST) to enable automation and standardization of technical security operations. SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). NVD is the U.S. government content repository for ISAP and SCAP.

NIST National Checklist Program Repository — The U.S. National Institute of Standards and Technology's (NIST) National Checklist Program Repository is "the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP)."

NIST SCAP RepositoryCreated in January 2007, the U.S. National Institute of Standards and Technology's (NIST) Security Content Automation Program (SCAP) is a public free repository of security content—including OVAL content—to be used for automating technical control compliance activities, vulnerability checking (both application misconfigurations and software flaws), and security measurement.

U.S. Federal Desktop Core Configuration (FDCC) — FDCC is an OMB-mandated security configuration for Microsoft Windows Vista and XP operating system software. The Windows Vista FDCC is based on DoD customization of the Microsoft Security Guides for both Windows Vista and Internet Explorer 7.0. Microsoft's Vista Security Guide was produced through a collaborative effort with DISA, NSA, and NIST. The guide reflects the consensus recommended settings from DISA, NSA, and NIST for the Windows Vista platform. The Windows XP FDCC is based on Air Force customization of the Specialized Security-Limited Functionality (SSLF) recommendations in NIST SP 800-68 and DoD customization of the recommendations in Microsoft's Security Guide for Internet Explorer 7.0.

United States Government Configuration Baseline (USGCB) — USGCB provides "security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security."

Compatible Usage

Guide to Adopting and Using the Security Content Automation Protocol (SCAP) (NIST SP 800-117) — Describes "common uses of SCAP and makes recommendations for [Security Content Automation Protocol (SCAP)] users. The document also provides insights to IT product and service vendors about adopting SCAP in their offerings. SCAP does not replace existing security software; rather, support for it can be embedded into existing software. To take advantage of SCAP's capabilities, organizations should follow these recommendations".

Security Content Automation Protocol (SCAP) Validation Program Derived Test Requirements Document (NIST IR-7511) — Defines the "requirements and associated test procedures necessary for products to achieve one or more Security Content Automation Protocol (SCAP) validations. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the [U.S. National Institute of Standards and Technology (NIST)] National Voluntary Laboratory Accreditation Program."

List of NIST SCAP-Validated Tools — A list of products that have been validated by U.S. National Institute of Standards and Technology (NIST) as conforming to the Security Content Automation Protocol (SCAP) and its component standards.

Guide to Using Vulnerability Naming Schemes (CVE/CCE) (NIST SP 800-51) — Provides "recommendations for using vulnerability naming schemes. The document covers two schemes: CVE and CCE. The document gives an introduction to both schemes and makes recommendations for end-user organizations on using the names produced by these schemes. The document also presents recommendations for software and service vendors on how they should use vulnerability names and naming schemes in their product and service offerings."

XCCDF Interpreter — A free open-source Java-based tool that facilitates use of XCCDF.

OCIL Interpreter — A free Java-based tool for evaluating OCIL documents.

Standardized Processes

NIST Security Content Automation Protocol (SCAP) — SCAP is a "suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content." SCAP incorporates the following standards efforts: Open Vulnerability and Assessment Language (OVAL®), Extensible Configuration Checklist Description Format (XCCDF), Open Checklist Interactive Language (OCIL™), Common Platform Enumeration (CPE™), Common Configuration Enumeration (CCE™), Common Vulnerabilities and Exposures (CVE®), Asset Reporting Format (ARF), Common Vulnerability Scoring System (CVSS), and Common Configuration Scoring System (CCSS).

Security Content Automation Protocol (SCAP) Validation (NIST IR-7511) — This document "describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program."

Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137) — "Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. 2 This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance (i.e., is the control implemented in accordance with the security plan to address threats and is the security plan adequate). Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization's information and information systems, along with organizational resilience given known threat information."

Guide to Selecting Information Technology Security Products (NIST SP 800-36) — "This guide seeks to help organizations make informed decisions when selecting IT security products. The categories of products listed here include operational controls such as intrusion detection and technical controls such as firewalls. This guide should be used with other NIST publications to develop a comprehensive approach to the management of an organization's IT security and requirements. The guide first defines broad security product categories and then specifies product types within those categories. This guide explains and provides a list of characteristics and pertinent questions an organization should ask during the selection process."

Creating a Patch and Vulnerability Management Program (NIST SP 800-40 Version 2) — "This document provides guidance on creating a security patch and vulnerability management program and testing the effectiveness of that program. The primary audience is security managers who are responsible for designing and implementing the program. However, this document also contains information useful to system administrators and operations personnel who are responsible for applying patches and deploying solutions (i.e., information related to testing patches and enterprise patching software)."

Technical Guide to Information Security Testing and Assessment (NIST SP 800-115) — "This document is a guide to the basic technical aspects of conducting information security assessments. It presents technical testing and examination methods and techniques that an organization might use as part of an assessment, and offers insights to assessors on their execution and the potential impact they may have on systems and networks. For an assessment to be successful and have a positive impact on the security posture of a system (and ultimately the entire organization), elements beyond the execution of testing and examination must support the technical process. Suggestions for these activities—including a robust planning process, root cause analysis, and tailored reporting—are also presented in this guide."

Guidelines on Securing Public Web Servers (NIST SP 800-44 Version 2) — The purpose of this document is to "recommend security practices for designing, implementing, and operating publicly accessible Web servers, including related network infrastructure issues. Some Federal organizations might need to go beyond these recommendations or adapt them in other ways to meet their unique requirements. While intended as recommendations for Federal departments and agencies, it may be used in the private sector on a voluntary basis. This document may be used by organizations interested in enhancing security on existing and future Web server systems to reduce the number and frequency of Web-related security incidents. This document presents generic principles that apply to all systems."

Guide to Using Vulnerability Naming Schemes (CVE/CCE) (NIST SP 800-51) — "The purpose of this document is to provide recommendations for using vulnerability naming schemes. The document covers two schemes: CVE and CCE. The document gives an introduction to both schemes and makes recommendations for end-user organizations on using the names produced by these schemes. The document also presents recommendations for software and service vendors on how they should use vulnerability names and naming schemes in their product and service offerings."

Guide for Assessing the Security Controls in Federal Information Systems (NIST SP 800-53a) — "The purpose of this publication is to provide guidelines for building effective security assessment plans and a comprehensive set of procedures for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government. The guidelines apply to the security controls defined in Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems and Organizations." "This publication satisfies the requirements of the Federal Information Security Management Act (FISMA) and meets or exceeds the information security requirements established for executive agencies by the Office of Management and Budget (OMB) in Circular A-130, Appendix III, Security of Federal Automated Information Resources."

Computer Security Incident Handling Guide (NIST SP 800-61 Revision 1) — This publication seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. It includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents. Organizations are encouraged to tailor the recommended guidelines and solutions to meet their specific security and mission requirements.

U.S. National Checklist Program for IT Products: Guidelines for Checklist Users and Developers (NIST SP 800-70 Revision 2) — "This document describes security configuration checklists and their benefits, and explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The document also describes the policies, procedures, and general requirements for participation in the NCP."

Guide to Industrial Control Systems (ICS) Security (NIST SP 800-82) — "The purpose of this document is to provide guidance for securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. Because there are many different types of ICS with varying levels of potential risk and impact, the document provides a list of many different methods and techniques for securing ICS. The document should not be used purely as a checklist to secure a specific system. Readers are encouraged to perform a risk-based assessment on their systems and to tailor the recommended guidelines and solutions to meet their specific security, business and operational requirements."

Guide to Integrating Forensic Techniques into Incident Response (NIST SP 800-86) — "This publication is intended to help organizations in investigating computer security incidents and troubleshooting some information technology (IT) operational problems by providing practical guidance on performing computer and network forensics. The guide presents forensics from an IT view, not a law enforcement view. Specifically, the publication describes the processes for performing effective forensics activities and provides advice regarding different data sources, including files, operating systems (OS), network traffic, and applications."

Guide to Intrusion Detection and Prevention Systems (IDPS) (NIST SP 800-94) — "This publication seeks to assist organizations in understanding intrusion detection system (IDS) and intrusion prevention system (IPS) technologies and in designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention systems (IDPS). It provides practical, real-world guidance for each of four classes of IDPS products: network-based, wireless, network behavior analysis, and host-based."

Technical Guide to Information Security Testing and Assessment (NIST SP 800-115) — "The purpose of this document is to provide guidelines for organizations on planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies. It provides practical recommendations for designing, implementing, and maintaining technical information relating to security testing and assessment processes and procedures, which can be used for several purposes—such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. This guide is not intended to present a comprehensive information security testing or assessment program, but rather an overview of the key elements of technical security testing and assessment with emphasis on specific techniques, their benefits and limitations, and recommendations for their use."

Guide to Adopting and Using the Security Content Automation Protocol (SCAP) (NIST SP 800-117) — "The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP) Version 1.0. This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP Version 1.0 capabilities within their offerings.  As new versions of SCAP are released, this document will be updated as needed to reflect any resulting differences in SCAP use and adoption."

Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 (NIST SP 800-126) — "This document provides the definitive technical specification for version 1.2 of the Security Content Automation Protocol (SCAP). SCAP (pronounced ess-cap) consists of a suite of specifications for standardizing the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. This document defines requirements for creating and processing SCAP source content. These requirements build on the requirements defined within the individual SCAP component specifications. Each new requirement pertains either to using multiple component specifications together or to further constraining one of the individual component specifications. The requirements within the individual component specifications are not repeated in this document; see those specifications to view their requirements."

Information Security Continuous Monitoring for Federal Information Systems and Organizations (NIST SP 800-137) — "The purpose of this guideline is to assist organizations in the development of an [Information Security Continuous Monitoring (ISCM)] strategy and the implementation of an ISCM program that provides awareness of threats and vulnerabilities, visibility into organizational assets, and the effectiveness of deployed security controls."

Overview of Issues in Testing Intrusion Detection Systems (NIST IR-7007) — "While intrusion detection systems are becoming ubiquitous defenses in today's networks, currently we have no comprehensive and scientifically rigorous methodology to test the effectiveness of these systems. This paper explores the types of performance measurements that are desired and that have been used in the past. [The paper reviews] many past evaluations that have been designed to assess these metrics. [The paper] also discuss the hurdles that have blocked successful measurements in this area and present suggestions for research directed toward improving our measurement capabilities."

Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 (NIST IR-7275 Revision 4) — "This report defines the specification for the Extensible Configuration Checklist Description Format (XCCDF) version 1.2. The report also defines and explains the requirements that XCCDF 1.2 documents and products (i.e., software) must meet to claim conformance with the specification."

Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems (NIST IR-7435) — CVSS "provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The National Vulnerability Database (NVD) provides specific CVSS scores for publicly known vulnerabilities. Federal agencies can use the Federal Information Processing Standards (FIPS) 199 security categories with the NVD CVSS scores to obtain impact scores that are tailored to each agency's environment." "CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting this common language of scoring IT vulnerabilities."

Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (NIST IR-7511 Revision 3) — Describes the "requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program."

Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities (NIST IR-7517) — CMSS" consists of a set of measures of the severity of software feature misuse vulnerabilities. A software feature misuse vulnerability is present when the trust assumptions made when designing software features can be abused in a way that violates security. Misuse vulnerabilities allow attackers to use for malicious purposes the functionality that was intended to be beneficial. CMSS is derived from the Common Vulnerability Scoring System (CVSS), which was developed to score the severity of vulnerabilities due to software flaws." "CMSS enables organizations to make security decisions based on a standardized quantitative assessment of their vulnerability to software feature misuse."

System and Network Security Acronyms and Abbreviations (NIST IR-7581) — "This report contains a list of selected acronyms and abbreviations for system and network security terms with their generally accepted or preferred definitions. It is intended as a resource for federal agencies and other users of system and network security publications."

Guidelines for Smart Grid Cyber Security (NIST IR-7628); NIST IR-7628_vol1.pdf; NIST IR-7628_vol2.pdf; and NIST IR-7628_vol3.pdf — "The three-volume report, NISTIR 7628, Guidelines for Smart Grid Cyber Security, presents an analytical framework that organizations can use to develop effective cyber security strategies tailored to their particular combinations of Smart Grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of Smart Grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in the report as guidance for assessing risk, and then identifying and applying appropriate security requirements to mitigate that risk."

Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements (NIST IR-7669) — Describes the "requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program."

Proposed Open Specifications for an Enterprise Remediation Automation Framework (NIST IR-7670) — "This report examines technical use cases for enterprise remediation, identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those requirements."

Specification for the Open Checklist Interactive Language (OCIL) Version 2.0 (NIST IR-7692) — "This report defines version 2.0 of the Open Checklist Interactive Language (OCIL). The intent of OCIL is to provide a standardized basis for expressing questionnaires and related information, such as answers to questions and final questionnaire results, so that the questionnaires can use a standardized, machine-readable approach to interacting with humans and using information stored during previous data collection efforts. OCIL documents are Extensible Markup Language (XML) based. This report defines and explains the requirements that IT products and OCIL documents asserting conformance with the OCIL 2.0 specification must meet."

Specification for the Asset Reporting Format 1.1 (NIST IR-7694) — "This specification describes the Asset Reporting Format (ARF), a data model for expressing the transport format of information about assets and the relationships between assets and reports. The standardized data model facilitates the reporting, correlating, and fusing of asset information throughout and between organizations. ARF is vendor and technology neutral, flexible, and suited for a wide variety of reporting applications. The intent of ARF is to provide a uniform foundation for the expression of reporting results, fostering more widespread application of sound IT management practices. ARF can be used for any type of asset, not just IT assets."

Common Platform Enumeration: Dictionary Specification Version 2.3 (NIST IR-7697) — "This report defines the Common Platform Enumeration (CPE) Dictionary version 2.3 specification. The CPE Dictionary Specification is a part of a stack of CPE specifications that support a variety of use cases relating to information technology (IT) product description and naming. An individual CPE dictionary is a repository of IT product names, with each name in the repository identifying a unique class of IT product in the world. This specification defines the semantics of the CPE Dictionary data model and the rules associated with CPE dictionary creation and management. This report also defines and explains the requirements that IT products and services, including CPE dictionaries, must meet for conformance with the CPE Dictionary version 2.3 specification."

Common Platform Enumeration: Applicability Language Specification Version 2.3 (NIST IR-7698) — "This report defines the Common Platform Enumeration (CPE) Applicability Language version 2.3 specification. The CPE Applicability Language specification is part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming. The CPE Applicability Language data model builds on top of other CPE specifications to provide the functionality required to allow CPE users to construct complex groupings of CPE names to describe IT platforms. These groupings are referred to as applicability statements because they are used to designate which platforms particular guidance, policies, etc. apply to. This report defines the semantics of the CPE Applicability Language data model and the requirements that IT products and CPE Applicability Language documents must meet for conformance with the CPE Applicability Language version 2.3 specification."

CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture (NIST IR-7756) — "This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security's CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts."

Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs (NIST IR-7788) — "To more accurately assess the security of enterprise systems, one must understand how vulnerabilities can be combined and exploited to stage an attack. Composition of vulnerabilities can be modeled using probabilistic attack graphs, which show all paths of attacks that allow incremental network penetration. Attack likelihoods are propagated through the attack graph, yielding a novel way to measure the security risk of enterprise systems. This metric for risk mitigation analysis is used to maximize the security of enterprise systems. This methodology based on probabilistic attack graphs can be used to evaluate and strengthen the overall security of enterprise networks."

Event Management Automation Protocol (EMAP) — EMAP is a "suite of interoperable specifications designed to standardize the communication of event management data. EMAP is an emerging protocol within the NIST Security Automation Program, and is a peer to similar automation protocols such as the Security Content Automation Protocol (SCAP). Where SCAP standardizes the data models of configuration and vulnerability management domains, EMAP will focus on standardizing the data models relating to event and audit management. At a high-level, the goal of EMAP is to enable standardized content, representation, exchange, correlation, searching, storing, prioritization, and auditing of event records within an organizational IT environment."

Novell, Inc.

Novell, Inc. Repository of OVAL Content — Created in July 2010, the SUSE Linux Enterprise OVAL Information database is an index of fixed security incidents indexed by product, RPM package name and version for use in security compliance checking.

Object Management Group (OMG)

Knowledge Discovery Metamodel (KDM) (OMG/ISO 19506) — Object Management Group's (OMG) KDM is a "common intermediate representation for existing software systems and their operating environments, that defines common metadata required for deep semantic integration of Application Lifecycle Management tools. KDM is designed as the OMG's foundation for software modernization, IT portfolio management and software assurance. KDM is a metamodel for knowledge discovery in software. It defines a common vocabulary of knowledge related to software engineering artifacts, regardless of the implementation programming language and runtime platform — a checklist of items that a software mining tool should discover and a software analysis tool can use. KDM is designed to enable knowledge-based integration between tools."

OMG Semantics of Business Vocabulary and Business Rules (SBVR) — Object Management Group's (OMG) SBVR specification "defines the vocabulary and rules for documenting the semantics of business vocabulary, business facts, and business rules; as well as an XMI schema for the interchange of business vocabularies and business rules among organizations and between software tools."

Structured Assurance Case Metamodel (SACM) Specification (OMG) — Object Management Group's (OMG) "SACM is comprised of two specifications: Argumentation Metamodel (ARM) and Software Assurance Evidence Metamodel (SAEM). ARM facilitates projects by allowing them to effectively and succinctly communicate in a structured way how their systems and services are meeting their assurance requirements. ARM allows the interchange of structured arguments between diverse tools by different vendors. Each ARM instance represents the argument that is being asserted by the stakeholder that is offering the argument for consideration. SAEM establishes the necessary fine grained models of evidence elements required for detailed compliance and risk analysis. The structure of the SAEM provides the basis for logical design of easily-constructed tools for storing, cross-referencing, evaluating, and reporting the elements of evidence for systems during the Software Assurance."

Open Web Application Security Project (OWASP)

OWASP Top Ten — The Open Web Application Security Project (OWASP) Top Ten is an international consensus list of the ten most critical Web application security flaws. According to the OWASP Web site: "Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code." The list uses Common Weakness Enumeration (CWE™) Identifiers to uniquely identify the issues it describes.

Positive Technologies CJSC

Positive Technologies OVAL Repository — Created in May 2012, the Positive Technologies CJSC repository of OVAL content consists of OVAL Definitions collected from various sources.

Red Hat, Inc.

Red Hat Errata IDs - Security advisories issued by Red Hat, Inc.

Red Hat, Inc. Repository of OVAL Content — Created in May 2006, the Red Hat repository of OVAL content consists of OVAL Patch Definitions that correspond to Red Hat Errata security advisories.

RUS-CERT

Common Announcement Interchange Format (CAIF) — CAIF is an XML-based format created by RUS-CERT at the University of Stuttgart, Germany, to store and exchange security announcements in a normalized way. It provides a basic but comprehensive set of elements designed to describe the main aspects of an issue related to security. The set of elements can easily be extended to reflect temporary, exotic, or new requirements in a per-document manner. CAIF documents are able to incorporate OVAL Definitions.

SANS Institute

SANS Top Twenty — The SANS Top Cyber Security Risks is a consensus list of the Most Critical Internet Security Threats and Vulnerabilities that helps organizations determine "which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first."

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance — This Center for Strategic and International Studies (CSIS)document is hosted by SANS. "Cyber attack and defense experts from the federal agencies most involved in cybersecurity pooled their knowledge of the attack techniques being used against the government and the defense industrial base to determine the twenty key actions (called security "controls") that organizations must take if they hope to block or mitigate known attacks and attacks that can be reasonably expected in the near term. They tested their proposal for protecting federal systems to determine whether they would also stop or mitigate attacks known to be used against financial institutions and found the top 20 controls are essentially identical across government, the defense industrial base, financial institutions and retailers. For each of the 20 controls, the experts identified specific (actual) attacks that the control stops or mitigates, illuminated best practices in automating the control (for 15 controls that can be automated) and defined tests that can determine whether each control is effectively implemented. The resulting document is called the Consensus Audit Guidelines and, once fully vetted, is expected to become the standard baseline for measuring computer security in organizations that are likely to be under attack."

SecPod Technologies

SecPod Technologies OVAL Feed and Repository — Created in December 2010, the SecPod OVAL Definitions Professional Feed, also hosted as a repository, is a service providing Vulnerability, Inventory, Compliance, and Patch definitions covering majority of the CVE's for various operating systems, enterprise servers, and applications.

Secunia

Secunia Advisory IDs — Software vulnerabilities discovered or coordinated by Secunia ApS.

SECURITY-DATABASE

SECURITY-DATABASE OVAL Repository — Created in February 2012, the Security-Database Web site provides a mirror of the OVAL Repository and links its Alerts to OVAL Definitions when possible

SecurityFocus

Security Focus Bugtraq IDs — Identifiers assigned to newly emerging software vulnerabilities. The Security Focus Web site is also searchable by Common Vulnerabilities and Exposures (CVE®) Identifier (CVE-ID).

Symantec Corporation

Symantec DeepSight IDs — Virus definitions and security updates from Symantec Corporation.

TagVault.org

Software Identification (SWID) Tags — TagVault.org's standardized SWID tags "record unique information about an installed software application, including its name, edition, version, whether it's part of a bundle and more. SWID tags support software inventory and asset management initiatives and can be leveraged for assurance activities as well. The structure of SWID tags is specified in international standard ISO/IEC 19770-2:2009." SWID tags, which can be assigned by software publishers as well software purchasing organizations, make it "possible to automate the processes of gathering software inventory data for use in reporting and in other initiatives such as managing software entitlement compliance or understanding what assurance activities a software item has been through."

ToolsWatch.org

Default Password Enumeration (DPE) — DPE is an effort to provide "structured enumeration of default logons and passwords of network devices, applications and operating systems. The main goal is to increase the "password auditing scanners" interoperability potential. Any kind of tool integrating the XML DPE scheme will be able to identify and report default access configurations on specific devices, softwares or operating systems. Taking into account the benefits of SecurityMetrics standards principles, DPE integrates the [Common Platform Enumeration (CPE)] naming scheme … to describe information technology systems, platforms and packages."

US-CERT

US-CERT Vulnerability Notes, Technical Alerts, and Security Bulletins — US-CERT publishes information on a wide variety of vulnerabilities, descriptions of which are available from the US-CERT Web site in a searchable database format, and are published as "US-CERT Vulnerability Notes" at http://www.kb.cert.org/vuls/. US-CERT also publishes "Technical Cyber Security Alerts" at http://www.us-cert.gov/cas/techalerts/ that provide timely information about current security issues, vulnerabilities, and exploits, and "Cyber Security Bulletins" at http://www.us-cert.gov/cas/bulletins/ that provide weekly summaries of new vulnerabilities along with patch information when available.

Web Application Security Consortium (WASC)

WASC Web Security Threat Classification — Web Application Security Consortium's (WASC) Threat Classification is "a cooperative effort to clarify and organize the threats to the security of a Web site." The members of the WASC have created this project to "develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for Web security related issues."

Organizations Supporting Standardization

Anti-Spyware Coalition — ASC is "dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies. Composed of anti-spyware software companies, academics, and consumer groups, ASC seeks to bring together a diverse array of perspective on the problem of controlling spyware and other potentially unwanted technologies."

NIST FISMA Standards Efforts — The Federal Information Security Management Act (FISMA) Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents are being developed in support of the project while not called out directly in the FISMA legislation. These publications include NIST Special Publications 800-37, 800-53, and 800-53A. The U.S. National Institute of Standards and Technology (NIST) Computer Security Division continues to produce other security standards and guidelines in support of FISMA available at http://csrc.nist.gov/publications/nistpubs/.

NIST Software Assurance Metrics and Tool Evaluation (SAMATE) Project — The U.S. National Institute of Standards and Technology's (NIST) SAMATE project supports the Department of Homeland Security's Software Assurance Tools and R&D Requirements Identification Program. The objective is the identification, enhancement, and development of software assurance tools that ensure that software processes and products conform to requirements, standards, and procedures. "NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods."

Open Web Application Security Project (OWASP) — OWASP is an open community effort dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP "advocates approaching application security as a people, process, and technology problem because the most effective approaches to application security includes improvements in all of these areas." Similar to other open-source software projects, OWASP produces many types of materials in a collaborative, open way and all of its tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

TagVault.org — TagVault.org is a "not-for-profit certification authority for software tagging, primarily focused on software identification tags (as specified by ISO/IEC 19770-2) and software entitlement tags (as specified by ISO/IEC 19770-3)." "It is the registration authority for software identification tags (SWID tags). TagVault is a member-driven organization that provides a forum for sharing information and resources about software tags among software publishers, tool providers and SAM practitioners. TagVault provides a shared library of technical knowledge and software tools including consistent cross-vendor, cross-platform APIs."

TERENA Computer Security Incident Response Teams Task Force (TF-CSIRT) — The Trans-European Research and Education Networking Association (TERENA) is an association of organisations involved with "the provision and use of computer network infrastructure and services for research and education in Europe. TERENA's principal members are the National Research and Education Networking organisations (NRENs) of a large number of countries in and around Europe." TERENA's TF-CSIRT Task Force "promotes the collaboration between Computer Security Incident Response Teams (CSIRTs) in Europe. The main goals of the Task Force are to provide a forum for exchanging experiences and knowledge, establish pilot services for the European CSIRTs community, promote common standards and procedures for responding to security incidents, and assist the establishment of new CSIRTs and the training of CSIRTs staff."

UK Office of Cyber Security and Information Assurance (OCSIA) — OCSIA is a unit of the UK Government's Cabinet Office that provides "strategic direction and coordinates action relating to enhancing cyber security and information assurance in the UK".

UK Centre for Protection of National Infrastructure (CPNI) — CPNI "protects national security by providing protective security advice. Protective security is ‘putting in place, or building into design, security measures or protocols such that threats may be deterred, detected, or the consequences of an attack minimised'. We provide advice on physical security, personnel security and cyber security/information assurance."

UK Communications Electronic Security Group (CESG) — CESG "protects the vital interests of the UK by providing policy and assistance on the security of communications and electronic data, working in partnership with industry and academia."

US Air Force Enterprise Agreement with Microsoft — The U.S. Air Force in January 2005 entered into two service-wide contracts with Microsoft Corporation in which all software on Air Force desktop computers are configured to one of three security setting configurations that meet Air Force requirements. Microsoft is responsible for identifying vulnerabilities and implementing fixes across the enterprise.

Standardization Bodies

Distributed Management Task Force, Inc. (DMTF) — The DMTF Task Force is an international, industry "organization dedicated to the development of management standards and the promotion of interoperability for enterprise and Internet environments." DMTF standards "provide common management infrastructure components for instrumentation, control and communication in a platform-independent and technology neutral way."

International Organization for Standardization (ISO) — ISO is the "world's largest developer and publisher of International Standards. ISO is a network of the national standards institutes of 162 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a non-governmental organization that forms a bridge between the public and private sectors." "ISO has more than 18,500 International Standards and other types of normative documents in its current portfolio. ISO's work programme ranges from standards for traditional activities, such as agriculture and construction, through mechanical engineering, manufacturing and distribution, to transport, medical devices, information and communication technologies, and to standards for good management practice and for services.

International Telecommunication Union (ITU) — ITU "is the United Nations specialized agency for information and communication technologies — ICTs". ITU allocates "global radio spectrum and satellite orbits, develop[s] the technical standards that ensure networks and technologies seamlessly interconnect, and strive[s] to improve access to ICTs to underserved communities worldwide." "ITU standards (called Recommendations) are fundamental to the operation of today's ICT networks. Without ITU standards you couldn't make a telephone call or surf the Internet. For Internet access, transport protocols, voice and video compression, home networking, and myriad other aspects of ICTs, hundreds of ITU standards allow systems to work - locally and globally." "In a typical year, ITU will produce or revise upwards of 150 standards covering everything from core network functionality to next-generation services such as IPTV. If your product or service requires any kind of international buy-in, you need to be part of the standardization discussions in ITU's Telecommunication Standardization Sector (ITU-T)."

Internet Engineering Task Force (IETF) — IETF is "a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet." IETF's mission is "to make the Internet work better by producing high quality, relevant technical documents that influence the way people design, use, and manage the Internet." The actual technical work of the IETF is done in its working groups, which are organized by topic into several areas, such as: routing, transport, security, operations management, real-time applications and infrastructure, etc.

Object Management Group, Inc. (OMG) — OMG is an "international, open membership, not-for-profit computer industry consortium" whose mission is to "develop, with our worldwide membership, enterprise integration standards that provide real-world value." OMG Task Forces develop enterprise integration standards for a wide range of technologies and industries. Technologies include real-time, embedded and specialized systems, analysis & design, architecture-driven modernization, and middleware. Industries include modeling and integration, C4I, finance, government, healthcare, legal compliance, life sciences research, manufacturing technology, robotics, software-based communications, and space.

The Open Group — The Open Group is a global consortium that enables the achievement of business objectives through the development of open, vendor-neutral IT standards and certifications in a variety of subject areas critical to the enterprise, including: enterprise architecture, cloud computing, enterprise management, platform, product lifecycle, real-time and embedded systems, security, semantic interoperability, and service-oriented architecture. "The Open Group standards and certification programs for Enterprise Architecture have been adopted worldwide."

Trusted Computing Group (TCG) — TCG) is a "not-for-profit organization formed to develop, define and promote open, vendor-neutral, global industry standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms."