Security Content Automation Protocol – Coming To A Theater Near You?
Wednesday, December 16, 2009 at 8:47PM
I don’t want to bore you with yet another summary of what the Security Content Automation Protocol (SCAP) is, how SCAP works, or how its mix of six XML-based standards (XCCDF, OVAL, CVE, CCE, CPE and CVSS) works together. You can find that information all over the place.
I do want to talk about “the what” and “the why” of SCAP because those technologies could be affecting you sooner than you think.
If you work for or with a United States government agency and you work with computer security, then you have heard of the Federal Desktop Core Configuration (FDCC) initiative. The Office of Management and Budget (OMB) mandated, back in 2007, the standardization of computer configurations – the settings that govern how the system operates, which users can take what actions, and so on. The goal of the FDCC initiative is to improve the security posture of all government desktop computer systems by defining what “secure” means; in practice the FDCC checklists target Windows XP and Windows Vista desktops.
It is possible to meet the FDCC requirements without tools that apply the configuration and without tools that measure and report on it. However, doing so costs a lot and does not scale. On the other hand, the SCAP collection of technologies is being heavily promoted by the Department of Homeland Security, through the National Institute of Standards and Technology (NIST) and the MITRE Corporation, as the preferred mechanism for measuring compliance with FDCC, and NIST runs a validation program that certifies which products can do so. In response, vendors are creating tools that consume SCAP content.
“I’m not part of nor do I work with a US government agency”, you say, “So that does not affect me.” I wouldn’t be too certain of that, or I’d at least add “yet” to the end of the sentence. Let’s review some things we know.
- A large number of computer security vendors are supporting SCAP, and that number is growing. Industry tends to listen when a government requirement stands between vendors and government money.
- You may have noticed that Microsoft now supports importing the FDCC baselines into its System Center Configuration Manager. When Microsoft begins to accommodate an external technology it is usually an indicator that the technology has some momentum.
- The US government has mandated computer security requirements for your health-related information as part of the Health Insurance Portability and Accountability Act (HIPAA), through its Security Rule.
- The US government has mandated computer security requirements for your non-public personal information through the Gramm-Leach-Bliley Act (GLBA), in its Safeguards Rule.
- The US government has mandated computer security requirements for internal controls over financial reporting in the Sarbanes-Oxley Act (SOX), under Section 404.
You can see that the US government is not shy about mandating computer security controls.
You may also be aware that there is rising concern over “Cyber Warfare” and that one method of cyber warfare is the use of botnets. One can make a convincing case that the best way to fight botnets is to make them hard to create. One might also argue that botnets are primarily composed of compromised consumer and small business computer systems. What might happen if (when?) the FDCC initiative shows a measurable increase in the cost to “pwn” a computer? The obvious next question is why the same baseline-and-measure approach should stop at government desktops, and I can already imagine various paths through which SCAP mandates might affect a wider audience.
So, be prepared – SCAP may be coming to a theater near you.