In January 2005, a joint task force of security and standards professionals from NIST (National Institute of Standards and Technology) and the NSA (the National Security Agency) released a specification for the Extensible Configuration Checklist Description Format, aka XCCDF (Adobe Acrobat required.) This specification permits checking using any of a number of configuration check tools, and was based on MITRE's Open Vulnerability Assessment Language (OVAL). Document and reference metadata is based on the Dublin Core Metadata element set.
This standard is of particular interest to industry and government security experts, analysts, auditors, and those who develop security management products. The sponsoring organizations—namely, NIST and the NSA—encourage public feedback to improve this specification. XCCDF is built using XML markup according to a formal XML Schema, which means that documents that conform to XCCDF syntax and structure can be validated using an XML parser that can check conformance to XML Schema requirements (for example, XMLSpy).
The XCCDF specification aims to address numerous concerns in the area of information security, including the following:
Information interchange
Document generation
Automated compliance testing
Compliance scoring
Creation of a data model and formats for storing benchmark compliance testing
In a nutshell, XCCDF aims to create a common foundation for defining security checklists and benchmarks, along with configuration guidance, so as to enable more consistent and widespread use of best security practices and procedures.
As such, XCCDF documents seek to define a well-organized collection of security configuration rules for a specific set of target systems. That said, XCCDF is designed to be both portable and platform-neutral to facilitate easy sharing and use of its checklists, benchmarks, and security guidance information. The driving notion behind a security configuration checklist is a set of rules or instructions for configuring some IT product or system to conform to a security baselines or some specific security benchmark level. By creating a formal notation that works with configuration checkers, it becomes much easier to check products and systems for compliance, while maintaining platform neutrality so that checklists need not target only specific systems or platforms to check, or specific configuration checkers within which to work.
Ed Tittel is a full-time writer and trainer whose interests include XML and development topics, along with IT Certification and information security topics. E-mail Ed at etittel@techtarget.com with comments, questions, or suggested topics or tools for review.
