How to identify IT assets so you can secure them
Connecting state and local government leaders
NIST has released a scheme based on existing industry standards for identifying assets as part of the FISMA-mandated automated approach to security.
Before you can manage an IT asset or secure it, you have to know it’s there, and that isn’t always as easy as it might sound. So the National Institute of Standards and Technology has released an asset identification scheme, based on existing industry standards, to help agencies automating their security to know what they have.
Until now, NIST says in its most recent Interagency Report, “existing security automation specifications either do not consider asset identification or represent identification information differently than other specifications with which they interoperate.”
NIST IR 7693 Specification for Asset Identification 1.1 remedies this lack of a standardized scheme and should allow the reporting, sharing and correlating of information across multiple platforms and organizations.
Related stories:
NIST aids the cause of real-time security
Continuous monitoring has some growing up to do
The new specification uses a number of existing mechanisms for representing asset information, including the Common Platform Enumeration (CPE), a structured naming scheme that is being updated by NIST and Mitre Corp. as part of an effort to automate government IT security processes. The public comment period for two draft Interagency Reports proposing revised CPE specifications has been extended through June 24.
Agencies must have accurate inventories of IT infrastructures to comply with the Federal Information System Management Act, which also requires that assets be monitored and managed to ensure adequate security and manage risks to systems and information.
But systems are notoriously heterogeneous and usually contain a variety of legacy and current products. Standardizing data from various sources in a common format is expensive and unreliable. NIST IR 7693 provides constructs needed to uniquely identify assets based on known identifiers and known information about the assets.
The Asset Identification specification includes a standardized data model using Extensible Markup Language elements, methods for identifying assets, and guidelines on how to use asset identification.
NIST expects that other standards, data formats, tools, processes, and organizations will reference this specification to ensure compatibility in describing how to represent asset identification information.
This specification uses several industry-standard mechanisms for representing information consistently. It leverages the extensible Address Language (xAL) created by the Organization for the Advancement of Structured Information Standards (OASIS), an XML standard format for representing international address information. The extensible Name Language (xNL) by OASIS is an XML standard format for representing the names of people and organizations.
CPE is a naming scheme for IT systems, platforms and packages. It is a component of the Security Content Automation Protocol (SCAP), which helps enable the automated assessment of the security status of IT systems. Based upon the generic syntax for Uniform Resource Identifiers, CPE includes a formal name format. CPE Version 2.3, Well-Formed Names (WFN), are used as software-identifying information by this specification.
The second draft of IR-7695, CPE Naming Specification Version 2.3 was released by NIST in May and defines the logical structure of names for IT product classes and the procedures for binding and unbinding them to and from machine-readable encodings.
Released at the same time, the second draft of IR-7696, CPE Name Matching Specification Version 2.3 provides a method for conducting a one-to-one comparison of a source CPE name to a target CPE name. CPE Name Matching methods can determine if common set relations hold between different platforms.
“For example, CPE Name Matching can determine if the source and target names are equal, if one of the names is a subset of the other, or if the names are disjointed,” the report states.
Both proposed specifications also include requirements for IT products for conformance with the proposed revisions of CPE.
The draft reports describe significant changes in naming specifications from the current CPE Version 2.2 to 2.3. The proposed version would create opportunities for growth and innovation in future versions for the ways that machines exchange product descriptions and also helps to make the new version backward compatible with earlier specifications.
The comment period on the two drafts, which originally ended on May 20, has been extended through June 24. Comments on the reports 7695 and 7696 should be sent to cpe-comments@nist.gov.