NIST lists SCAP-validated tools
Connecting state and local government leaders
New web site lists validated products to scan security configurations of federal desktop PCs.
A new Web page hosted by the National Institute of Standards and Technology lists products that have been validated to scan the security configurations of Windows operating systems on federal desktop PCs.
The scanners use the Security Content Automation Protocol to check for compliance with the Federal Desktop Core Configuration (FDCC) standards. So far, three products have been validated by independent laboratories under NIST's National Voluntary Laboratory Accreditation Program.
The Office of Management and Budget required agencies that use Windows XP and Vista to comply with the FDCC by Feb. 1. OMB also required agencies to use SCAP scanning tools to ensure that configurations were not being altered.
'Your agency can now acquire information technology products that are self-asserted by information technology providers as compliant with the Windows XP & Vista FDCC, and use NIST's Security Content Automation Protocol to help evaluate providers' self-assertions,' OMB wrote in a July 31 memo to federal chief information officers. However, 'information technology providers must use SCAP-validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations.'
NIST developed SCAP in cooperation with the Defense and Homeland Security departments and Mitre Corp. to provide technical specifications for identifying, enumerating, assigning and sharing security-related data. Vendors have developed tools using the protocol to help automate IT security operations, but as with any protocol, proper implementation must be validated.
NIST established a SCAP validation program last summer, accrediting three laboratories, and the first FDCC scanners have recently been evaluated. The new page is hosted in NIST's National Vulnerability Database Web site. Currently validated products all scan only Windows XP Professional SP 2. They are:
- SecureFusion v3.501 from Gideon Technologies Inc. of Duluth, Ga.
- C5 Compliance Platform v. 3.3.1 from Secure Elements Inc. of Herndon, Va.
- Secutor Prime v2.0.4 from ThreatGuard Inc. of San Antonio.
NEXT STORY: IBM draws road map for Lotus collaboration