NetIQ Achieves SCAP Validation So That U.S. Federal Agencies Can Best Meet FDCC Mandate.
Secure Configuration Manager Automates Configuration and Security Assessment to Meet Stringent Standards and Reduce Ongoing Cost of Compliance
HOUSTON -- NetIQ Corporation, an Attachmate business, today announced the Security Content Automation Protocol (SCAP) validation of NetIQ® Secure Configuration Manager™ (SCM). One of the very few SCAP-validated solutions on the market, SCM provides U.S. Federal agencies with a comprehensive configuration management solution that automates compliance with the Federal Desktop Core Configuration (FDCC) baseline, so that organizations no longer have to satisfy this mandated configuration requirement manually.
The U.S. Office of Management and Budget (OMB) decreed in March 2007 that Federal organizations must meet a core configuration standard for desktop computers. Known today as the FDCC baseline, this mandate has the objective of increasing overall system security and reducing the cost of system and application maintenance for every Federal entity. In parallel, the National Institute of Standards and Technology (NIST) devised the SCAP validation program so that security technologies can exchange systems and vulnerability information in a common format. This ensures that security content can be correctly processed within any SCAP-validated tool, providing agencies with the freedom to choose configuration management solutions that best fit the needs and cost requirements of their environment.
"Interoperability and standardized methods for communication between security and compliance tools are essential in order for agencies to optimize their security dollar and increase their return on investment," said Andrew Buttner, lead INFOSEC Engineer at The MITRE Corporation. "The SCAP validation program for security products is a huge next step in accomplishing that goal."
As a result of SCAP-validation, Federal agencies can rely upon the automated configuration assessment capabilities of SCM to meet the FDCC baseline and NIST common security content format requirements. Moreover, agencies that utilize SCM can routinely monitor their systems and certify that the FDCC settings have not been changed as a result of patching, installation of new software or human interaction. By automating desktop configuration assessment against FDCC content, SCM can report on any discrepancies so that corrective action can be taken to bring systems into compliance.
To achieve recognition as a SCAP-validated FDCC Scanner, NetIQ partnered with ThreatGuard. Through this technology partnership, SCM has been validated to audit and assess a target system in order to determine its state of compliance. Combined, NetIQ and ThreatGuard standardize upon the six components of SCAP validation:
* Common Vulnerabilities and Exposures (CVE) - a dictionary of publicly known information security vulnerabilities and exposures.
* Common Configuration Enumeration (CCE) - provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.
* Common Platform Enumeration (CPE) - a structured naming scheme for information technology systems, platforms, and packages.
* Common Vulnerability Scoring System (CVSS) - provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.
* eXtensible Configuration Checklist Description Format (XCCDF) - a structured specification language for writing configuration and security checklists and benchmarks.
* Open Vulnerability and Assessment Language (OVAL) - an international, information security standard to promote open and publicly available security content.
"Standards-based security content is becoming more common across the Federal industry in an effort to maintain the highest level of vulnerability and compliance management without adding additional cost to this process," said Geoff Webb, senior manager, Product Marketing at NetIQ. "SCAP validation is likely just the tip of the iceberg. With SCAP-validation, customers can confidently maintain and continue their investments in SCM. Additionally, they can trust that its automated assessment capabilities will continue to improve the allocation of Federal agencies' security resources to protect potentially vulnerable systems on a consistent basis per the FDCC mandate."
More information about SCAP-validated products can be found at http://nvd.nist.gov/scapproducts.cfm.
About NetIQ Secure Configuration Manager
With compliance at the forefront of IT managers' minds, establishing a defensible posture for internal and external auditors means providing accurate and comprehensive documentation wherein IT controls are in place and enforced. SCM is specifically designed to help evaluate system configurations against predefined security and privacy policies, provide reports detailing compliance levels and identified issues and assist in remediation. With SCM, organizations can simplify system audits and manage IT risks while ensuring accordance with corporate policies and regulations.
NetIQ, an Attachmate business, is a leading provider of comprehensive systems and security management solutions that help enterprises maximize IT service delivery and efficiency. With more than 12,000 customers worldwide, NetIQ solutions yield measurable business value and results that dynamic organizations demand. NetIQ's best-of-breed solutions help IT organizations deliver critical business services, mitigate operational risk, and document policy compliance. The company's portfolio of award-winning management solutions includes IT Process Automation, Systems Management, Security Management, Configuration Control and Enterprise Administration. For more information, please visit www.netiq.com.
Copyright (c) 2008 NetIQ Corporation. All Rights Reserved. NetIQ, the NetIQ logo and Secure Configuration Manager are trademarks or registered trademarks of NetIQ Corporation in the USA and other countries. All other trademarks, trade names, or company names referenced herein are used for identification only and are the property of their respective owners.