National Institute of Standards and Technology (NIST) - Information Technology Laboratory (ITL)

Emerging Specifications

Specifications have both intrinsic and synergistic value. A specification has intrinsic value when it demonstrates value on its own merits. For example, XCCDF is a standard way of expressing checklist content. XCCDF also has synergistic value when combined with other specifications such as CPE, CCE, and OVAL to create an SCAP-expressed checklist that can be processed by SCAP-validated products. Likewise, CVE is useful on its own as a consistent way to enumerate vulnerabilities for tracking purposes; when combined with CPE and OVAL, however, it supports a greater use case, namely automated checks for vulnerabilities that can be processed by SCAP-validated products. It is important to recognize that specifications can and should demonstrate value in their own right without being SCAP specifications.

Of great interest to the community is whether a new specification will become part of the NIST validation program. As a result, NIST developed the following informational resources:

  1. A FAQ that will assist organizations in creating specifications.

  2. The timeline for potential adoption of a specification into SCAP validation testing.

  3. Guidelines to help balance the need for new specifications with the demonstrated value of the specifications.