Vendor Provided Validation Details:

Xacta IA Manager¡¯s HostInfo version 4.8 from Telos Corporation
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Compliance:

Xacta IA Manager's HostInfo for Windows operates on Federal Desktop Core Configuration (FDCC) hardened Windows XP and Vista platforms without modification. The Security Content Automation Protocol (SCAP) features of HostInfo are available in the utility mode of operation. HostInfo does not require installation -- it can be copied to a local drive or run from a flash drive. Note that some checks require adminis¡©trative privileges. Therefore, it is recommended that HostInfo be run using an account that has administrative privileges (i.e., a member of the Administrators group on Windows).

Xacta HostInfo claims to be an FDCC scanner and supports compliance checking by executing rules provided in SCAP-based checklists and saving results in XCCDF format.

 

Statement of SCAP Implementation:

Xacta IA Manager combines the industry-leading security compliance and risk assessment functionality with powerful business process automation to establish a centralized governance, risk and compliance (GRC) management platform that facilitates compliance assessment, continuous risk and sustained compliance management, and security process automation. Xacta IA Manager provides risk and compliance management for organizations following industry standards and processes to support IT governance across defense, intelligence, and commercial sectors. Xacta IA Manager was the first to market with a certification and accreditation (C&A) automation solution and bridges the gap from vulnerability management to risk management. Xacta IA Manager provides a robust management framework enabling continuous assessment for assets, applications, enclaves, networks, systems, and sites.

Xacta IA Manager supports the use of SCAP content to determine configuration compliance to XCCDF checklists, such as the FDCC standards. SCAP (http://scap.nist.gov/) is a government multi-agency initiative to enable automation and standardization of technical security operations, such as policy compliance checking. SCAP is based on several evolving open standards: CVE, CCE, CPE, XCCDF, CVSS and OVAL.

Xacta IA Manager's HostInfo supports compliance checking by executing rules provided in SCAP-based check¡©lists and saving results in an XCCDF formatted output file. The SCAP features of HostInfo are available in the utility mode of operation.


Statement of CVE Implementation:
Common Vulnerabilities and Exposures (CVE) (http://cve.mitre.org/) is a dictionary of publicly known information security vulnerabilities and exposures.  It facilitates the exchange of vulnera¡©bility information by serving as a common reference between different products.  SCAP checklists include references to CVE IDs for all the OVAL vulnerability definitions.

Xacta IA Manager's HostInfo supports vulnerability checking by executing Open Vulnerability Assessment Language (OVAL) definitions. It produces vulnerability scan results in PDF, HostInfo native XML results and html format, where the users can find the details about the vulnerabilities identified on the system and references to CVE IDs. Hyperlinks are provided for the identified CVE IDs and are linked to the National Vulnerability Database (NVD) site. Information provided on the NVD allows the user to further investigate the vulnerability and identify appropriate remediation strategy. Xacta IA Manager users can then use this information as part of a system-based risk management effort, as well as create Plans of Actions and Milestones (POA&Ms) for the associated remediation.


Statement of CCE Implementation:
Common Configuration Enumeration (CCE) (http://cce.mitre.org) provides unique identifiers to system configuration issues in order to provide a common reference for potential mis-configuration issues for different operating systems and applications. SCAP checklists may include references to CCE IDs. Rules in the XCCDF file may include "ident" elements that specify the related CCE ID.

Xacta IA Manager's HostInfo supports compliance checking by executing rules provided in SCAP-based check¡©lists and saving results in an XCCDF formatted output file. CCE IDs from "ident" elements of rules in the input benchmark XCCDF file are included in the corresponding rule results of the output XCCDF file produced by HostInfo. Xacta IA Manager users can observe the CCE IDs in the output file and then go to the Mitre website noted above to further investigate the mis-configuration and identify appropriate remediation strategy. Xacta IA Manager users can then use this information as part of a system-based risk management effort, as well as create Plans of Actions and Milestones (POA&Ms) for the associated remediation.

 

Statement of CPE Implementation:
Common Platform Enumeration (CPE) is a structured naming scheme for software and hardware, such as operating system versions and software applications. CPE naming convention includes details like vendor name, product name, version, update level, edition and language. CPE identifiers are used in SCAP checklists to define the applicability of a checklist or a profile to the specified platform or application. SCAP checklists includes CPE dictionary. The CPE dictionary included in the benchmark package is used to assess the system for applicability.

HostInfo enables the use of HostInfo JavaScript scripts as automatic checks, in addition to OVAL. The automatic checks determine if a particular operating system version or application version is installed on the platform by matching the CPE ID to the platform. HostInfo processes the CPE IDs specified in the XCCDF benchmark document in "platform" and "platform-specification" and uses the provided CPE dictionary to match CPE IDs to the platform. If the OVAL inventory definition is not provided in the CPE dictionary for the specified CPE ID, HostInfo matches the CPE ID to a corresponding platform using an internal implementation. It makes sure that the benchmark or profile is executed only on the appropriate platform. HostInfo includes the CPE ID, which matches the target platform, in the XCCDF results output file.

 

Statement of CVSS Implementation:
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. National Vulnerability Database (NVD) provides the CVSS score for all the vulnerabilities (CVE) listed. It also provides the CVSS vectors, basis for score calculation.

Xacta IA Manager's HostInfo has the ability to execute the OVAL vulnerability checks and produce the results in html format. The results include CVE IDs, description of the vulnerability/patch, results, etc. associated with vulnerabilities identified on the machine. It also provides hyperlinks to CVE IDs linked to the NVD website, where both CVSS score and CVSS vectors are provided. The NVD website also lists - an overview of the vulnerability, affected CPEs and references to other external sources like Vendor, US-CERT, Bugtraq and Open Source Vulnerability Database (OSVDB). NVD also provides a web based CVSS calculator, wherein a user can re-calculate the score based on the updated vectors

 

Statement of XCCDF Implementation:
Extensible Configuration Checklist Description Format (XCCDF) (http://nvd.nist.gov/xccdf.cfm) specification defines the format for exchanging security configuration information. XCCDF documents are used for describing mis-configuration and vulnerabilities, including automatic compliance checking. XCCDF documents are expressed in XML format. SCAP checklists that are described in XCCDF format are called benchmarks. XCCDF schema provides a framework for both checks (rules) and results.

Xacta IA Manager's HostInfo supports compliance checking by executing rules provided in SCAP-based checklists and saving results in an XCCDF formatted output file. When operated in utility mode, HostInfo can process an XCCDF benchmark document, apply the specified profile, and perform compliance checking in accordance with the rules in the XCCDF document. The XCCDF specification allows the use of different checking systems for automatic checks. HostInfo supports two checking systems: OVAL and Xacta HostInfo JavaScript. This enables the use of two checking systems in the same XCCDF document. HostInfo can also include the input benchmark XCCDF data within the resulting XCCDF output document. Xacta IA Manager users can then use this information as part of a system-based risk management effort, as well as create Plans of Actions and Milestones (POA&Ms) for the associated remediation. Additionally, the output XCCDF document may be used for configuration reporting to authoritative oversight organizations.


Statement of OVAL Implementation:
Open Vulnerability and Assessment Language (OVAL) is an international information security standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL standard is maintained by MITRE (http://oval.mitre.org). OVAL is XML-based language for writing automated tests or checks, called definitions, to determine the presence of a specified machine (asset) state. It defines four different classes of definitions compliance, vulnerability, patch and inventory.

As an example, FDCC SCAP checklists include OVAL definition documents. Definitions in the OVAL documents, referenced from within the XCCDF document rules, are used for automatic compliance and vulnerability checking. The CPE dictionary that is part of the SCAP checklist includes references to OVAL inventory definitions that check for the presence of a specified operating system or application, as discussed under the CPE section within this statement of SCAP implementation.

Xacta IA Manager's HostInfo supports compliance checking by executing rules provided in SCAP-based checklists and saving results in an XCCDF formatted output file. As in the FDCC example discussed above, HostInfo executes OVAL inventory definition(s) to determine the applicability of a checklist to the platform on which HostInfo is being run. It then executes the OVAL compliance (mis-configuration and vulnerability) checks and produces XCCDF results.


HostInfo has the ability to convert OVAL definitions into JavaScript for distribution by Xacta IA Manager's Asset Manager to thousands of distributed HostInfo Agents. The results of these checks and JavaScript tests can be used to determine configuration compliance management, and when the OVAL definitions are referenced to CVE IDs, users can conduct vulnerability research. Finally, Xacta IA Manager users can then use this compliance information as part of a system-based risk management effort, as well as create Plans of Actions and Milestones (POA&Ms) for the associated remediation.