Vulnerabilities Checklists Product Dictionary Impact Metrics Data Feeds Statistics
Home ISAP/SCAP SCAP Validated Tools SCAP Events About Contact Vendor Comments
white space white space

Managing Security Risk by Using Common Security Configurations

Frequently Asked Questions About Managing Security Risk By Using Common Security Configurations
  1. There are many security configuration documents on the Web. Which one should I use for my federal agency?
  2. Does NIST plan to issue an SP addressing Windows Vista?
  3. How will the NIST SP on Windows Vista differ from the Microsoft Windows Vista Security Guide?
  4. NIST SP 800-68 on Windows XP and the Microsoft Windows Vista Security Guide both delineate baseline configuration settings for environments including the 'Enterprise' and 'Specialized Security-Limited Functionality (SSLF)' environments. Which should I use?
  5. Has NIST produced an SP for securing Windows XP?
  6. How do the NIST recommendations for securing Windows XP in NIST SP 800-68 differ from those in checklists produced by NSA, DISA, and third-party providers?
  7. What is "SCAP", as mentioned in the OMB memo?
  8. How can I use SCAP to meet the intention of the OMB memo?
  9. How can we demonstrate FISMA compliance through the SCAP?
  10. Are there automated tools that can process the SCAP content to assess and securely configure Windows XP and Windows Vista? If so, what does NIST recommend?
    11.

1. There are many security configuration documents on the Web. Which one should I use for my federal agency?


In general, NIST suggests that federal agencies use the NIST Special Publication (SP) guide if one exists for a specific platform or application. If NIST has not produced a guide for a specific product, federal agencies should browse the NIST Checklists repository to select a government-developed guide (such as Defense Information Systems Agency or National Security Agency) or a vendor's guide that they could use as a baseline. When such security configuration guides do not exist, federal agencies may carefully select third-party produced guides. Regardless which guide is selected, it is recommended that federal agencies document how their deployed information technology products are secured or deviate from the recommended checklists.


2. Does NIST plan to issue an SP addressing Windows Vista?

NIST will issue an SP for Windows Vista; however, since NIST previously collaborated with DISA, NSA, and Microsoft to produce Microsoft's Windows Vista Security Guide, the baseline recommendations already published in Microsoft's guide represent the NIST recommended settings.


3. How will the NIST SP on Windows Vista differ from the Microsoft Windows Vista Security Guide?


The upcoming NIST SP on Vista will address issues that are unique to the federal government (e.g., requiring FIPS compliant algorithms, specifying logon banners), map the settings to the NIST SP 800-53 technical security controls, and provide additional explanatory narrative not contained in the Microsoft-produced guide.


4. NIST SP 800-68 on Windows XP and the Microsoft Windows Vista Security Guide both delineate baseline configuration settings for environments including the 'Enterprise' and 'Specialized Security-Limited Functionality (SSLF)' environments. Which should I use?

Federal civilian agencies and other organizations should start with the Enterprise version for most of their managed desktop machines. The Enterprise baseline, as described in NIST SP 800-70, reflects the typical federal civilian operational environment, while the SSLF baseline tracks closely with the DoD operational environment. NIST recommends that federal civilian agencies start with the Enterprise baseline, customize it to reflect their local operational requirements and security policy (e.g., appropriate logon banner, access control mechanisms) and test it with their enterprise applications before pushing these settings out to their managed systems. They should document all changes that were made to the baseline as part of their configuration change control process. SSLF settings may be necessary when the system operates in a high impact environment, or when the agency determines this level is necessary to adequately secure government information.


5. Has NIST produced an SP for securing Windows XP?


Yes, NIST SP 800-68 is available at http://csrc.nist.gov/itsec/download_WinXP.html.


6. How do the NIST recommendations for securing Windows XP in NIST SP 800-68 differ from those in checklists produced by NSA, DISA, Microsoft, and third-party providers?


NIST has collaborated with CIS, DISA, NSA, and Microsoft to produce recommended settings for various operational environments in which Windows XP is deployed. Nearly all the recommended settings are represented in NIST SP 800-68 and the other security guides. However, NIST SP 800-68 reflects changes that are applicable to federal agencies to be consistent with the technical security controls represented in NIST SP 800-53, FIPS 140-2, etc. NIST recommends that federal agencies start with the NIST SP 800-68 recommendations, customize the baselines to reflect local operational requirements and security policy, and document the differences. NIST does not recommend that agencies make significant changes to the baseline unless such changes make the system more secure or there is a compelling operational requirement.


7. What is "SCAP", as mentioned in the OMB memo?


The Security Content Automation Protocol (SCAP) is a suite of open standards that provide technical specifications for expressing and exchanging security-related data. This data can be used for several purposes, including automating vulnerability checking, technical control compliance activities, and security measurement. The federal government, in cooperation with academia and private industry, uses and encourages widespread support for the SCAP. The SCAP is comprised of the following standards:


Common Vulnerabilities and Exposures (CVE(r))
Common Configuration Enumeration (CCE(tm))
Common Platform Enumeration (CPE(tm))
Common Vulnerability Scoring System (CVSS)
Extensible Configuration Checklist Description Format (XCCDF)
Open Vulnerability and Assessment Language (OVAL(tm))


The SCAP is one component of a larger program, the Information Security Automation Program (ISAP). The ISAP seeks to automate the implementation and verification of information system security controls. Objectives of the ISAP include developing requirements for automated sharing of information security data, customizing and managing configuration baselines for various IT products, assessing information systems and reporting compliance status, using standard metrics to weight and aggregate potential vulnerability impact, and remediating identified vulnerabilities. NIST is leading the ISAP initiative with DISA, NSA, and DHS (sponsor).


8. How can I use SCAP to meet the intention of the OMB memo?


The SCAP site hosts XML files in SCAP format for various operating systems and applications. NIST, in conjunction with industry and agency partners, is translating some commonly used security checklists located on the NIST checklist Web site into SCAP-formatted XML for use by automated tools. Specific to the OMB memo, the SCAP site provides content for automatically determining if systems under test are configured according to the recommend guidance for Windows XP and Windows Vista. After ensuring the system is configured correctly, the agency can test to ensure that additional applications function correctly and do not change the baseline settings. This will help the agency to identify adverse effects on system functionality before deployment. The SCAP web site also hosts content for assessing Office 2007, Symantec AntiVirus, and Internet Explorer 7.0. The SCAP content is located at http://nvd.nist.gov/ncp.cfm?scap. There are automated tools that can process the SCAP content for these operating systems and applications.


9. How can we demonstrate FISMA compliance through the SCAP?


As part of the SCAP XML content, the recommended security configuration settings (such as those in NIST SP 800-68 and the Microsoft Windows Vista Security Guide) are mapped to higher-level policy/control documents to facilitate requirements traceability to the actual configuration setting of the system. The SCAP content for each operating system and application is mapped to NIST SP 800-53, DoD IA Controls, DCID 6/3, ISO 17799 as well as to other popular security documents such as the DISA STIGs, DISA Checklists, NSA Security Guides, Microsoft Security Guides, and DISA Gold Disk.


10. Are there automated tools that can process the SCAP content to assess and securely configure Windows XP and Windows Vista? If so, what does NIST recommend?


Yes, automated tools are available. NIST continues to work with product vendor, academia, not-for-profit, integrators, and the public sector to produce and refine both the standards comprising SCAP and the content provided on the SCAP website. NIST has worked with vendors who assert that they can process various standards comprising the SCAP. These tools are listed on the SCAP website at http://nvd.nist.gov/scapproducts.cfm. Such listing does not imply NIST endorsement.


Please send comments if your questions were not answered here.


Top of Page
Last updated: February 25, 2008
Page created: July 11, 2003
Disclaimer Notice & Privacy Statement / Security Notice
Send comments or suggestions to checklists@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration