|
Security Content Automation Protocol
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA (Federal Information Security Management Act, 2002) compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. An example of an implementation of SCAP is OpenSCAP. Purpose To guard against security threats, organizations need to continuously monitor the computer systems and applications they have deployed, incorporate security upgrades to software and deploy updates to configurations. The Security Content Automation Protocol (SCAP), pronounced "ess-cap", but most commonly as "skap" comprises a number of open standards that are widely used to enumerate software flaws and configuration issues related to security. Applications which conduct security monitoring use the standards when measuring systems ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
FISMA
The Federal Information Security Management Act of 2002 (FISMA, , ''et seq.'') is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (, ). The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to Office of Management and Budge ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
National Vulnerability Database
The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD supports the Information Security Automation Program (ISAP). On Friday March 8, 2013, the database was taken offline after it was discovered that the system used to run multiple government sites had been compromised by a software vulnerability of Adobe ColdFusion. In June 2017, threat intel firm Recorded Future revealed that the median lag between a CVE being revealed to ultimately being published to the NVD is 7 days and that 75% of vulnerabilities are published unofficially before making it to the NVD, giving attackers time to exploit the vulnerability. In addit ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Common Vulnerabilities And Exposures
The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security. The system was officially launched for the public in September 1999. The Security Content Automation Protocol uses CVE, and CVE IDs are listed on Mitre's system as well as in the US National Vulnerability Database.cve.mitre.org CVE International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. Background A |
Extensible Configuration Checklist Description Format
The Extensible Configuration Checklist Description Format (XCCDF) is an XML format specifying security checklists, benchmarks and configuration documentation. XCCDF development is being pursued by NIST, the NSA, The MITRE Corporation, and the US Department of Homeland Security. XCCDF is intended to serve as a replacement for the security hardening and analysis documentation written in prose. XCCDF is used by the Security Content Automation Protocol The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA (Fed .... References {{Reflist External links XCCDF HomepageXCCDF 1.1.2 specification XCCDF 1.1.3 specification XCCDF 1.1.4 specification XCCDF 1.2 specification(current as of October 2011) Checklists XML-based standards Computer security software ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Open Vulnerability And Assessment Language
{{Short description, International information security community standard Open Vulnerability and Assessment Language (OVAL) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: # representing configuration information of systems for testing; # analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and # reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language. The OVAL community has developed three schemas written in Extensible Markup Language (XML) to serve as t ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
National Institute Of Standards And Technology
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical science laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. From 1901 to 1988, the agency was named the National Bureau of Standards. History Background The Articles of Confederation, ratified by the colonies in 1781, provided: The United States in Congress assembled shall also have the sole and exclusive right and power of regulating the alloy and value of coin struck by their own authority, or by that of the respective states—fixing the standards of weights and measures throughout the United States. Article 1, section 8, of the Constitution of the United States, ratified in 1789, granted these powers to the new Congr ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
NIST Special Publication 800-53
NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.Ross, et al., p. 4 Two related documents are 800-53A and 800-53B which provide guidance, and baselines based on 800-53. Purpose NIST Special Publication 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory'sITL research, guidelines, and outreach efforts in information system security, and on ITL's activity with industry, government, an ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
National Voluntary Laboratory Accreditation Program
{{unreferenced, date=October 2012 National Voluntary Laboratory Accreditation Program (NVLAP) is a National Institute of Standards and Technology (NIST) program in the USA which provides an unbiased third-party test and evaluation program to accredit laboratories in their respective fields to the ISO 17025 standard. NVLAP is in compliance with ISO 17011. Accredited laboratories Calibration *Dimensional *Electromagnetics - DC low frequency *Electromagnetics - RF/microwave *Ionizing radiation *Mechanical *Optical radiation *Thermodynamic *Time and frequency Chemical calibration *Chemical calibration: providers of proficiency testing *Chemical calibration: certifiers of spectrophotometric NTRMs Dosimetry *Ionizing radiation dosimetry Reverse osmosis with applied heat during deionization. Electromagnetic compatibility and telecommunications Environmental *Asbestos fiber analysis (PLM test method) *Asbestos fiber analysis (TEM test method) Fasteners and metals *Fasteners and metals ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Federal Information Security Management Act Of 2002
The Federal Information Security Management Act of 2002 (FISMA, , ''et seq.'') is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (, ). The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to Office of Management and Budge ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Security Compliance
Security is protection from, or resilience against, potential harm (or other unwanted Coercion, coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social groups, objects and institutions, ecosystems or any other entity or phenomenon vulnerable to unwanted change. Security mostly refers to protection from hostile forces, but it has a wide range of other senses: for example, as the absence of harm (e.g. freedom from want); as the presence of an essential good (e.g. food security); as Resilience (organizational), resilience against potential damage or harm (e.g. secure foundations); as secrecy (e.g. a Telephone tapping, secure telephone line); as containment (e.g. a secure room or Prison cell, cell); and as a state of mind (e.g. emotional security). The term is also used to refer to acts and systems whose purpose may be to provide security (security companies, security forces, secur ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
