Emerging Specification Listing
The following listing represents specifications for emerging security automation capabilities:
Languages
- Asset Reporting Format (ARF)
- Open Checklist Interactive Language (OCIL)
- Open Checklist Reporting Language (OCRL)
Metrics
- Common Configuration Scoring System (CCSS)
- Common Misuse Scoring System (CMSS)
Specification Descriptions
Asset Reporting Format (ARF)
The ARF language is a general security automation results reporting language developed by the DoD in conjunction with NIST and members of the SCAP vendor community. It provides a structured language for exchanging and exporting detailed, per-device assessment data between network assessment tools. ARF is intended to be used by vulnerability scanners, eXtensible Configuration Checklist Description Format (XCCDF) scanners, and other tools that collect detailed configuration data about Internet Protocol-based networked devices. Detailed information about ARF can be found in the ARF specification and data dictionary.
Web site: http://metadata.dod.mil/mdr/ns/netops/shared_data/arf_index_page/0.41
Common Configuration Scoring System (CCSS)
A set of standardized measures for the characteristics and impacts of software security configuration issues. NIST IR 7502 also provides several examples of how CCSS measures and scores would be determined for a diverse set of configuration issues. Once CCSS is finalized, CCSS data can assist organizations in making sound decisions as to how configuration issues should be addressed and can provide data to be used in quantitative assessments of host security.
Web site: NIST CSRC Publications: NIST IR 7502
Common Misuse Scoring System (CMSS)
A set of standardized measures for the characteristics of software feature misuse vulnerabilities. A software feature misuse vulnerability is present when the trust assumptions made when designing software features can be abused in a way that violates security. NIST IR 7517 defines the CMSS specification, and it also provides examples of how CMSS measures and scores would be determined for software feature misuse vulnerabilities. Once CMSS is finalized, CMSS data can be used along with CVSS and CCSS data to assist organizations in making sound decisions as to how their host vulnerabilities should be addressed. CMSS data can also be used in quantitative assessments of host security.
Web site: NIST CSRC Publications: NIST IR 7517
Open Checklist Interactive Language (OCIL)
The Open Checklist Interactive Language defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions. Although the OCIL specification was developed for use with IT security checklists, the uses of OCIL are by no means confined to IT security. Other possible use cases include research surveys, academic course exams, and instructional walkthroughs.
Open Checklist Reporting Language (OCRL™)
Open Checklist Reporting Language is a language for writing machine-readable XML definitions that gather information from systems and present it as a standardized report for human evaluation of policy compliance. Each generated report file corresponds to a single policy recommendation.
OCRL complements existing benchmark languages such as eXtensible Configuration Checklist Description Format (XCCDF) and Open Vulnerability and Assessment Language (OVAL®), which already provide capabilities for structuring security guidance in a machine-understandable way and describing how to gather and evaluate system information to determine compliance, by addressing those instances where a human is necessary to determine compliance with a given policy recommendation, or where XCCDF and OVAL do not have the necessary capability to evaluate collected information for compliance with a recommendation. For example, a policy recommendation that states, "The user should disable unnecessary services on the computer," requires human judgment to determine what services are unnecessary. An OCRL Definition could be written to provide a report of all the services running on the computer, which could then be used by a person to determine whether any unwanted services are present.
OCRL was specifically designed to work with the XCCDF and OVAL benchmark authoring languages. While OCRL documents can be used alone by a software program to create one or more reports, by using OCRL in conjunction with OVAL more automation can be called out from an XCCDF document than using OVAL alone, resulting in significantly enhanced capabilities for benchmark automation.
Web site: http://ocrl.mitre.org/
