National standards, security bodies release security checklists spec

In January 2005, a joint task force of security and standards professionals from NIST (National Institute of Standards and Technology) and the NSA (the National Security Agency) released a specification for the Extensible Configuration Checklist Description Format, aka XCCDF (Adobe Acrobat required). This specification permits checking using any of a number of configuration check tools, and was based on MITRE's Open Vulnerability Assessment Language (OVAL). Document and reference metadata is based on the Dublin Core Metadata element set.

This standard is of particular interest to industry and government security experts, analysts, auditors, and those who develop security management products. The sponsoring organizations—namely, NIST and the NSA—encourage public feedback to improve this specification. XCCDF is built using XML markup according to a formal XML Schema, which means that documents that conform to XCCDF syntax and structure can be validated using an XML parser that can check conformance to XML Schema requirements (for example, XMLSpy).

The XCCDF specification aims to address numerous concerns in the area of information security, including the following:

  • Information interchange
  • Document generation
  • Automated compliance testing
  • Compliance scoring
  • Creation of a data model and formats for storing benchmark compliance testing

In a nutshell, XCCDF aims to create a common foundation for defining security checklists and benchmarks, along with configuration guidance, so as to enable more consistent and widespread use of best security practices and procedures.

As such, XCCDF documents seek to define a well-organized collection of security configuration rules for a specific set of target systems. That said, XCCDF is designed to be both portable and platform-neutral to facilitate easy sharing and use of its checklists, benchmarks, and security guidance information. The driving notion behind a security configuration checklist is a set of rules or instructions for configuring some IT product or system to conform to a security baseline or some specific security benchmark level. A formal notation that works with configuration checkers makes it much easier to check products and systems for compliance while maintaining platform neutrality, so that checklists need not be tied to specific systems or platforms, or to a specific configuration checker.
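To make the ideas of a rule collection and compliance scoring concrete, the following added example (not taken from the article or from the XCCDF specification) parses a small checklist with its scan results and computes a weighted score. The namespace and element names follow XCCDF 1.2, a later revision than the 2005 release described here; the sample document, its rule ids, and the simplified flat scoring are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace and element names follow XCCDF 1.2, a later revision of the format.
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
# Results that neither earn nor cost points in this simplified flat model.
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}

# Constructed, trimmed sample (not schema-valid: titles, status, version omitted).
SAMPLE = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="demo_benchmark">
  <Group id="accounts">
    <Rule id="min_password_length" selected="true" weight="2.0"/>
    <Rule id="account_lockout" selected="true" weight="1.0"/>
  </Group>
  <Rule id="telnet_disabled" selected="true" weight="3.0"/>
  <Rule id="legacy_banner" selected="false" weight="1.0"/>
  <Rule id="ipv6_firewall" selected="true" weight="1.0"/>
  <TestResult id="host1_scan">
    <rule-result idref="min_password_length"><result>pass</result></rule-result>
    <rule-result idref="account_lockout"><result>fail</result></rule-result>
    <rule-result idref="telnet_disabled"><result>pass</result></rule-result>
    <rule-result idref="ipv6_firewall"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

def selected_rules(root):
    """Map rule id -> weight for every selected Rule, at any Group depth."""
    return {r.get("id"): float(r.get("weight", "1.0"))
            for r in root.iterfind(".//x:Rule", NS)
            if r.get("selected", "true") == "true"}

def flat_score(xml_text):
    """Return (earned, possible, failed_ids) over the document's rule-results."""
    root = ET.fromstring(xml_text)
    rules = selected_rules(root)
    earned, possible, failed = 0.0, 0.0, []
    for rr in root.iterfind("x:TestResult/x:rule-result", NS):
        rule_id, result = rr.get("idref"), rr.findtext("x:result", "", NS)
        if rule_id not in rules or result in UNSCORED:
            continue  # deselected or not applicable: excluded from the score
        possible += rules[rule_id]
        if result == "pass":
            earned += rules[rule_id]
        else:
            failed.append(rule_id)
    return earned, possible, failed

print(flat_score(SAMPLE))
```

The failed rule ids are returned alongside the score so that a report can point at the specific settings to remediate rather than just a percentage.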

Ed Tittel is a full-time writer and trainer whose interests include XML and development topics, along with IT Certification and information security topics. E-mail Ed at etittel@techtarget.com with comments, questions, or suggested topics or tools for review.

This was first published in February 2005
