are many security configuration documents on the Web. Which one
should I use for my federal agency?
NIST plan to issue an SP addressing Windows Vista?
will the NIST SP on Windows Vista differ from the Microsoft Windows
Vista Security Guide?
SP 800-68 on Windows XP and the Microsoft Windows Vista Security
Guide both delineate baseline configuration settings for environments
including the 'Enterprise' and 'Specialized Security-Limited Functionality
(SSLF)' environments. Which should I use?
NIST produced an SP for securing Windows XP?
do the NIST recommendations for securing Windows XP in NIST SP
800-68 differ from those in checklists produced by NSA, DISA,
and third-party providers?
is "SCAP", as mentioned in the OMB memo?
can I use SCAP to meet the intention of the OMB memo?
can we demonstrate FISMA compliance through the SCAP?
there automated tools that can process the SCAP content to assess
and securely configure Windows XP and Windows Vista? If so, what
does NIST recommend?
There are many security configuration documents on the Web. Which
one should I use for my federal agency?
general, NIST suggests that federal agencies use the NIST Special
Publication (SP) guide if one exists for a specific platform or
application. If NIST has not produced a guide for a specific product,
federal agencies should browse the NIST
Checklists repository to select a government-developed guide
(such as Defense Information Systems Agency or National Security
Agency) or a vendor's guide that they could use as a baseline. When
such security configuration guides do not exist, federal agencies
may carefully select third-party produced guides. Regardless which
guide is selected, it is recommended that federal agencies document
how their deployed information technology products are secured or
deviate from the recommended checklists.
Does NIST plan to issue an SP addressing Windows Vista?
NIST will issue an SP for Windows Vista; however, since NIST previously
collaborated with DISA, NSA, and Microsoft to produce
Microsoft's Windows Vista Security Guide, the baseline recommendations
already published in Microsoft's guide represent the NIST recommended
How will the NIST SP on Windows Vista differ from the Microsoft
Windows Vista Security Guide?
upcoming NIST SP on Vista will address issues that are unique to
the federal government (e.g., requiring FIPS compliant algorithms,
specifying logon banners), map the settings to the NIST
SP 800-53 technical security controls, and provide additional
explanatory narrative not contained in the Microsoft-produced guide.
800-68 on Windows XP and the Microsoft
Windows Vista Security Guide both delineate baseline configuration
settings for environments including the 'Enterprise' and 'Specialized
Security-Limited Functionality (SSLF)' environments. Which should
Federal civilian agencies and other organizations should start with
the Enterprise version for most of their managed desktop machines.
The Enterprise baseline, as described in NIST
SP 800-70, reflects the typical federal civilian operational
environment, while the SSLF baseline tracks closely with the DoD
operational environment. NIST recommends that federal civilian agencies
start with the Enterprise baseline, customize it to reflect their
local operational requirements and security policy (e.g., appropriate
logon banner, access control mechanisms) and test it with their
enterprise applications before pushing these settings out to their
managed systems. They should document all changes that were made
to the baseline as part of their configuration change control process.
SSLF settings may be necessary when the system operates in a high
impact environment, or when the agency determines this level is
necessary to adequately secure government information.
Has NIST produced an SP for securing Windows XP?
NIST SP 800-68 is available at http://csrc.nist.gov/itsec/download_WinXP.html.
How do the NIST recommendations for securing Windows XP in NIST
SP 800-68 differ from those in checklists produced by NSA, DISA,
Microsoft, and third-party providers?
has collaborated with CIS, DISA, NSA, and Microsoft to produce recommended
settings for various operational environments in which Windows XP
is deployed. Nearly all the recommended settings are represented
SP 800-68 and the other security guides. However, NIST SP 800-68
reflects changes that are applicable to federal agencies to be consistent
with the technical security controls represented in NIST SP 800-53,
FIPS 140-2, etc. NIST recommends that federal agencies start with
the NIST SP 800-68 recommendations, customize the baselines to reflect
local operational requirements and security policy, and document
the differences. NIST does not recommend that agencies make significant
changes to the baseline unless such changes make the system more
secure or there is a compelling operational requirement.
What is "SCAP",
as mentioned in the OMB memo?
Security Content Automation
Protocol (SCAP) is a suite of open standards that provide technical
specifications for expressing and exchanging security-related data.
This data can be used for several purposes, including automating
vulnerability checking, technical control compliance activities,
and security measurement. The federal government, in cooperation
with academia and private industry, uses and encourages widespread
support for the SCAP. The SCAP is comprised of the following standards:
Vulnerabilities and Exposures (CVE(r))
Common Configuration Enumeration (CCE(tm))
Common Platform Enumeration (CPE(tm))
Common Vulnerability Scoring System (CVSS)
Extensible Configuration Checklist Description Format (XCCDF)
Open Vulnerability and Assessment Language (OVAL(tm))
SCAP is one component of a larger program, the Information Security
Automation Program (ISAP). The ISAP seeks to automate the implementation
and verification of information system security controls. Objectives
of the ISAP include developing requirements for automated sharing
of information security data, customizing and managing configuration
baselines for various IT products, assessing information systems
and reporting compliance status, using standard metrics to weight
and aggregate potential vulnerability impact, and remediating identified
vulnerabilities. NIST is leading the ISAP initiative with DISA,
NSA, and DHS (sponsor).
How can I use SCAP to
meet the intention of the OMB memo?
SCAP site hosts XML files
in SCAP format for various operating systems and applications. NIST,
in conjunction with industry and agency partners, is translating
some commonly used security checklists located on the NIST
checklist Web site into SCAP-formatted XML for use by automated
tools. Specific to the OMB memo, the SCAP site provides content
for automatically determining if systems under test are configured
according to the recommend guidance for Windows XP and Windows Vista.
After ensuring the system is configured correctly, the agency can
test to ensure that additional applications function correctly and
do not change the baseline settings. This will help the agency to
identify adverse effects on system functionality before deployment.
The SCAP web site also hosts content for assessing Office 2007,
Symantec AntiVirus, and Internet Explorer 7.0. The SCAP content
is located at http://nvd.nist.gov/scap/content.cfm.
There are automated tools that can process the SCAP content for
these operating systems and applications.
How can we demonstrate FISMA compliance through the SCAP?
part of the SCAP XML content, the recommended security configuration
settings (such as those in NIST SP 800-68 and the Microsoft Windows
Vista Security Guide) are mapped to higher-level policy/control
documents to facilitate requirements traceability to the actual
configuration setting of the system. The SCAP content for each operating
system and application is mapped to NIST SP 800-53, DoD IA Controls,
DCID 6/3, ISO 17799 as well as to other popular security documents
such as the DISA STIGs, DISA Checklists, NSA Security Guides, Microsoft
Security Guides, and DISA Gold Disk.
Are there automated tools that can process the SCAP content to assess
and securely configure Windows XP and Windows Vista? If so, what
does NIST recommend?
automated tools are available. NIST continues to work with product
vendor, academia, not-for-profit, integrators, and the public sector
to produce and refine both the standards comprising SCAP and the
content provided on the SCAP website. NIST has worked with vendors
who assert that they can process various standards comprising the
SCAP. These tools are listed on the SCAP website at http://nvd.nist.gov/scap/tools.cfm.
Such listing does not imply NIST endorsement.
send comments if your questions
were not answered here.