Vendor Provided Validation Details - ASG IA2 SCAP Module version 2.3.8
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Compliance:
IA2 SCAP provides several ways to perform FDCC computer security assessments. It can operate agentlessly, with an installed agent, or with any combination of the two. In most cases some deviation from the FDCC configuration is required to perform these assessments; for agentless operation, the required deviations differ depending on whether the computer is a member of an Active Directory domain or is standalone.

Agent-Based Assessments
IA2 SCAP offers a listening agent that can be installed on target computers. The IA2 SCAP server communicates with the agent over a TLS tunnel that the vendor states is FIPS-199 compliant (FIPS 199 is the standard for security categorization of federal information systems; the cryptographic module standard is FIPS 140-2). The agent requires a single inbound TCP port on which to accept connections from the IA2 SCAP server; by default this is TCP 2650, but it is configurable. The host-based firewall on each computer must permit this inbound connection, and the rule should be scoped to the address of the IA2 SCAP server rather than opened to all sources.

Agentless Assessments
The FDCC configurations for Windows XP and Windows Vista differ slightly, so the deviations IA2 SCAP requires differ slightly as well.

Windows XP: computers that are members of an Active Directory domain need no modification to the FDCC configuration. Standalone XP computers require an exception in the host-based firewall permitting File and Printer Sharing on inbound TCP port 445; opening this port lets IA2 SCAP use Microsoft's built-in remote administration facilities (SMB over TCP 445 and the Remote Registry service) to perform the assessment.

Windows Vista: inbound TCP port 445 must be permitted through the host-based firewall on both domain members and standalone systems, and the Remote Registry service must be started. Unlike Windows XP, the Vista FDCC configuration leaves this service disabled and stopped by default. IA2 SCAP uses the Remote Registry service to enumerate the registry values that determine a computer's security posture. Finally, standalone Vista systems require the REG_DWORD value LocalAccountTokenFilterPolicy to be created under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and set to 1. By default, User Account Control (UAC) in Windows Vista filters the token of local (SAM) accounts that connect over the network, so they lack administrative rights for remote administration; setting this value lifts that filtering and allows standalone Vista computers to be remotely administered and assessed.

Each of these deviations widens the remote attack surface of the assessed computer: port 445 and the Remote Registry service become reachable from the network, and LocalAccountTokenFilterPolicy=1 means a compromised local administrator password grants full remote administrative access. Scope the firewall exception to the IA2 SCAP server's address, document the changes as FDCC deviations, and revert any that are needed only for the duration of the scan.
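As an added preflight check (example code, not part of ASG's product or of this statement), the following Python script verifies from the scanning host that the deviations above are actually in effect on a target before an agentless scan is attempted: that TCP 445 is reachable through the target's host-based firewall, that the Remote Registry service answers, and, for a standalone Vista target, that LocalAccountTokenFilterPolicy is 1. The registry checks go through Python's winreg module, which itself uses the Remote Registry service, so they run only when the script runs on Windows; elsewhere they are reported as not checked. The target address 192.0.2.10 is a placeholder.

```python
import socket

UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_POLICY_VALUE = "LocalAccountTokenFilterPolicy"
TARGET = "192.0.2.10"  # placeholder address of a standalone Vista target


def probe_port(host, port=445, timeout=3.0, connect=socket.create_connection):
    """True if a TCP connection to host:port succeeds within timeout.

    `connect` is injectable so the decision logic can be exercised offline.
    """
    try:
        conn = connect((host, port), timeout=timeout)
    except OSError:
        return False
    if conn is not None:
        conn.close()
    return True


def read_remote_dword(host, key, name):
    """Read a REG_DWORD under HKLM on `host` through the Remote Registry service.

    Returns the value, or None if the key or value is absent. Raises OSError if
    the service is unreachable and ImportError when not running on Windows.
    """
    import winreg  # Windows-only module; imported here so the rest runs anywhere

    hklm = winreg.ConnectRegistry(r"\\" + host, winreg.HKEY_LOCAL_MACHINE)
    try:
        with winreg.OpenKey(hklm, key) as handle:
            data, kind = winreg.QueryValueEx(handle, name)
    except FileNotFoundError:
        return None
    finally:
        winreg.CloseKey(hklm)
    return int(data) if kind == winreg.REG_DWORD else None


def agentless_preflight(host, standalone=False, probe=probe_port,
                        read_dword=read_remote_dword):
    """Check the deviations for one target; returns {check: (ok, detail)}.

    ok is True/False, or None when the check could not be performed.
    `standalone=True` adds the LocalAccountTokenFilterPolicy check that only
    standalone Vista targets need.
    """
    findings = {}
    if not probe(host):
        findings["tcp445"] = (False, "TCP 445 blocked or host down")
        return findings  # nothing else can work without SMB reachability
    findings["tcp445"] = (True, "TCP 445 reachable")
    try:
        policy = read_dword(host, UAC_POLICY_KEY, UAC_POLICY_VALUE)
    except ImportError:
        findings["remote_registry"] = (None, "not checked: winreg needs a Windows scanner")
        return findings
    except OSError as exc:
        findings["remote_registry"] = (False, f"Remote Registry not answering: {exc}")
        return findings
    findings["remote_registry"] = (True, "Remote Registry service answering")
    if standalone:
        findings["token_filter_policy"] = (
            policy == 1, f"{UAC_POLICY_VALUE}={policy!r}, need 1 on standalone Vista")
    return findings


if __name__ == "__main__":
    for check, (ok, detail) in agentless_preflight(TARGET, standalone=True).items():
        print(f"{check:20} {'OK' if ok else 'CHECK' if ok is None else 'FAIL'}  {detail}")
```

The port probe stops short of the registry checks when 445 is closed, because a Remote Registry connection rides over SMB and would only produce a less specific error; a domain-joined target is checked with the default `standalone=False`, which skips the token-filter policy that domain accounts do not need.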

Statement of SCAP Implementation:
IA2 SCAP is built around support for the Security Content Automation Protocol (SCAP). SCAP is a collection of six open standards developed jointly by the government and the private sector. Security content written to the SCAP standards can be used by any product that supports them, which gives regulatory authorities and configuration managers a means to write far more definitive guidance than was possible before: the guidance is authored in the standard formats and handed to security products for automated processing and reporting, with common input and common output. IA2 SCAP supports all six. It uses the XCCDF and OVAL assessment languages to determine what items to check and how to check them, and the CPE, CCE, CVSS and CVE reference standards to ensure every rule is accurately and appropriately identified in the system. The SCAP standard references are visible in the interface, reports and export files.

Statement of CVE Implementation:
IA2 SCAP includes support for Common Vulnerabilities and Exposures (CVE) names. CVE's common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools. If a report from one of your security tools incorporates CVE identifiers, you can quickly and accurately look up fix information in one or more separate CVE-compatible databases to remediate the problem. CVE provides standardized references to known vulnerabilities; each identifier is a common way to refer to one vulnerability. CVE is the oldest of the six standards and is directed at vulnerabilities rather than compliance items. SCAP patch content can optionally refer to CVE names, allowing the end user to tie missing patches to the vulnerabilities they address; the XCCDF and OVAL compliance checks currently do not reference CVE names. IA2 SCAP raises the CVE references from the SCAP patch content to populate the user interface and reports, and it can also perform vulnerability assessments using the included OVAL content. The user interface shows each CVE name with a link to its NVD entry.

Statement of CCE Implementation:
IA2 SCAP includes support for Common Configuration Enumeration (CCE) references. The CCE List assigns unique identifiers to security-related system configuration issues so that configuration data can be correlated quickly and accurately across multiple information sources and tools. In the SCAP datastream, the CCE identifiers appear as ident elements on the rules in the XCCDF documents. ASG raises these CCE references from the SCAP content to populate user interfaces, reports and exports. Because the CCE references are carried in the content and consumed by IA2 SCAP, a specific configuration setting can be compared across systems, and across tools from different vendors, by its CCE identifier.

Statement of CPE Implementation:
IA2 SCAP includes automated support for the Common Platform Enumeration (CPE) standard. CPE is a structured naming scheme for information technology systems, platforms and packages. Based on the generic syntax for Uniform Resource Identifiers (URIs), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name. An operating system can otherwise be referred to in many different ways, such as "Windows XP" versus "Microsoft Windows XP"; CPE introduces a standard notation, such as "cpe:/o:microsoft:windows_xp" for an operating system and "cpe:/a:microsoft:ie:7" for an application, enabling products to share SCAP results without pre-coordinating operating system and application references. The SCAP datastream also uses CPE to specify the platform to which a benchmark applies, and IA2 SCAP processes this CPE content to automatically select the benchmarks applicable to each target system. The IA2 SCAP report and export files also include the applicable operating system or application CPE reference.
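As an added example (not IA2 SCAP code), the following Python parses CPE 2.2 URI names into their seven components and applies the CPE 2.2 matching rule that benchmark platform elements rely on: a platform name applies to a target when every component the platform name specifies equals the target's component, while an unspecified component matches anything. The benchmark-to-platform table and the target names are constructed for the example; the benchmark ids are illustrative, not the official FDCC benchmark ids. Case-folding the components before comparison is this example's choice.

```python
from urllib.parse import unquote

# The seven positional components of a CPE 2.2 URI: cpe:/{part}:{vendor}:{product}:...
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")

# Constructed benchmark -> platform table, as a product would build it from the
# <platform idref="..."/> elements of the XCCDF benchmarks it ships. These ids
# are illustrative, not the official FDCC benchmark ids.
BENCHMARKS = {
    "fdcc-xp": ["cpe:/o:microsoft:windows_xp"],
    "fdcc-xp-firewall": ["cpe:/o:microsoft:windows_xp::sp2", "cpe:/o:microsoft:windows_xp::sp3"],
    "fdcc-vista": ["cpe:/o:microsoft:windows_vista"],
    "fdcc-ie7": ["cpe:/a:microsoft:ie:7"],
}


def parse_cpe(name):
    """Split a CPE 2.2 URI into its seven components, percent-decoded and
    lower-cased; trailing components that are absent come back as ''."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    fields = name[len("cpe:/"):].split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError(f"too many components in {name!r}")
    if fields[0] not in ("h", "o", "a"):
        raise ValueError(f"part must be h, o or a: {name!r}")
    fields += [""] * (len(COMPONENTS) - len(fields))
    return dict(zip(COMPONENTS, (unquote(f).lower() for f in fields)))


def cpe_matches(platform, target):
    """CPE 2.2 matching: `platform` applies to `target` when every component
    the platform specifies equals the target's; an unspecified ('') platform
    component matches anything. The reverse does not hold: a platform that is
    more specific than what is known about the target does not match."""
    p, t = parse_cpe(platform), parse_cpe(target)
    return all(p[c] == "" or p[c] == t[c] for c in COMPONENTS)


def applicable_benchmarks(target, benchmarks=BENCHMARKS):
    """Ids of the benchmarks whose platform list covers `target`, sorted."""
    return sorted(bid for bid, platforms in benchmarks.items()
                  if any(cpe_matches(p, target) for p in platforms))


if __name__ == "__main__":
    for target in ("cpe:/o:microsoft:windows_xp::sp3:professional",
                   "cpe:/o:microsoft:windows_xp::sp1",
                   "cpe:/o:microsoft:windows_vista::sp1:x86",
                   "cpe:/a:microsoft:ie:7.0"):
        print(f"{target:48} -> {applicable_benchmarks(target)}")
```

Components compare as exact strings, so "ie:7" does not match "ie:7.0": the content author and the code that fingerprints the target must agree on the form of each component, which is the pre-coordination problem CPE removes at the vendor and product level but not within a version string.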

Statement of CVSS Implementation:
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of three metric groups: Base, Temporal and Environmental. Each group produces a numeric score from 0 to 10 and a vector, a compressed textual representation of the metric values used to derive the score. IA2 SCAP supports CVSS as a standardized approach to measuring the impact of IT vulnerabilities. NVD publishes a CVSS base vector for each CVE, from which the relative severity of vulnerabilities is calculated. The SCAP datastream currently uses a flat scoring methodology that gives every compliance check the same weight (level of importance); these weights are compatible with CVSS scoring. NIST, through the National Vulnerability Database (NVD), plans to publish CVSS vectors and scores for each CCE compliance item as well, which will enable IA2 SCAP to calculate severity scores for both vulnerability and compliance items. The reference tabs throughout IA2 SCAP link to the NVD to view each CVSS vector and calculate its score.

Statement of XCCDF Implementation:
IA2 SCAP includes seamless support for the eXtensible Configuration Checklist Description Format (XCCDF). XCCDF describes the system settings an automated tool is to assess: it specifies what to check, and it is the primary standard required to process the SCAP datastream. Compliance checklists such as those NIST developed for the Federal Desktop Core Configuration (FDCC) are written in XCCDF. These files are included with IA2 SCAP, which uses them to generate the groups and lists of rules to be checked; each rule's check reference in the XCCDF file then directs the product to the accompanying Open Vulnerability and Assessment Language (OVAL) content that specifies how the assessment is performed. IA2 SCAP generates and displays assessment results in the graphical interface, reports and export files following the structure and content of the XCCDF benchmark.

Statement of OVAL Implementation:
IA2 SCAP includes fully integrated support for the Open Vulnerability and Assessment Language (OVAL) standard. OVAL specifies a standardized approach to assessing each system setting: while XCCDF describes what to check, OVAL specifies how to perform the check. ASG develops and distributes the world's most mature commercial OVAL interpreter; from 2004 to the present, ASG has been the first to fulfill the OVAL definition consumer compatibility requirements with each major evolution of the language. The ASG OVAL interpreter was engineered from the beginning to assess both local computers and remote targets using agentless 'over the wire' technology. It currently supports Microsoft Windows as well as Solaris, HP-UX, Linux and Cisco IOS; support for additional operating systems and applications, such as mainframes and databases, will be added as new OVAL content is developed. IA2 SCAP automatically processes the OVAL definition content referenced from the XCCDF file to perform assessment activities. For OVAL-based vulnerability content, IA2 SCAP can load the OVAL content directly and perform vulnerability assessments against a variety of operating systems.
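The XCCDF, OVAL and CCE sections above describe a division of labour: the XCCDF benchmark carries the rules, their CCE idents and a check-content-ref into an OVAL file, and the OVAL definition carries the test, object and state that say how the check is done. The following Python, an added example and not ASG's OVAL interpreter or any IA2 SCAP code, walks that chain end to end on a constructed benchmark: it reads the selected rules and raises their CCE idents, evaluates the referenced OVAL definition (a single win-def:registry_test with integer equality, which is all this toy evaluator handles) against an in-memory dict standing in for the target's registry, and maps the OVAL result to an XCCDF result. The XML, the ids and the CCE value in it are constructed for the example; CCE-0000-0 is not a real CCE entry. The registry value it checks, FilterAdministratorToken, is the one that controls Admin Approval Mode for the built-in Administrator account.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.1}"
OVAL = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
WIN = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#windows}"

# Constructed XCCDF benchmark ("what to check"): one selected Rule with a
# made-up CCE ident and a check-content-ref into the OVAL document below.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-bench">
  <Group id="uac">
    <Rule id="uac-admin-approval" selected="true" weight="10.0">
      <title>Admin Approval Mode for the built-in Administrator account</title>
      <ident system="http://cce.mitre.org">CCE-0000-0</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
  </Group>
</Benchmark>"""

# Constructed OVAL content ("how to check"): one definition over one registry_test.
OVAL_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
  <definitions>
    <definition id="oval:example:def:1" class="compliance" version="1">
      <criteria><criterion test_ref="oval:example:tst:1"/></criteria>
    </definition>
  </definitions>
  <tests>
    <win:registry_test id="oval:example:tst:1" check="all" version="1" comment="FAT">
      <win:object object_ref="oval:example:obj:1"/><win:state state_ref="oval:example:ste:1"/>
    </win:registry_test>
  </tests>
  <objects>
    <win:registry_object id="oval:example:obj:1" version="1">
      <win:hive>HKEY_LOCAL_MACHINE</win:hive>
      <win:key>SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System</win:key>
      <win:name>FilterAdministratorToken</win:name>
    </win:registry_object>
  </objects>
  <states>
    <win:registry_state id="oval:example:ste:1" version="1">
      <win:value datatype="int" operation="equals">1</win:value>
    </win:registry_state>
  </states>
</oval_definitions>"""

# Stand-ins for a target's registry: (hive, key, value name) -> data.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
COMPLIANT = {("HKEY_LOCAL_MACHINE", POLICY_KEY, "FilterAdministratorToken"): 1}
NONCOMPLIANT = {("HKEY_LOCAL_MACHINE", POLICY_KEY, "FilterAdministratorToken"): 0}


def load_rules(xml):
    """Selected XCCDF Rules with their CCE idents and OVAL definition refs."""
    rules = []
    for rule in ET.fromstring(xml).iter(XCCDF + "Rule"):
        if rule.get("selected", "false") != "true":
            continue
        cce = [i.text for i in rule.findall(XCCDF + "ident")
               if i.get("system") == "http://cce.mitre.org"]
        refs = [r.get("name") for r in rule.iter(XCCDF + "check-content-ref")]
        rules.append({"id": rule.get("id"), "cce": cce, "oval": refs})
    return rules


def load_oval(xml):
    """Index OVAL definitions, tests, objects and states by id."""
    root = ET.fromstring(xml)
    return {el.get("id"): el for sec in ("definitions", "tests", "objects", "states")
            for el in root.findall(OVAL + sec + "/*")}


def eval_test(test, index, registry):
    """win-def:registry_test with int equality only; anything else 'not evaluated'."""
    if test.tag != WIN + "registry_test":
        return "not evaluated"
    obj = index[test.find(WIN + "object").get("object_ref")]
    key = tuple(obj.find(WIN + f).text for f in ("hive", "key", "name"))
    if key not in registry:  # object absent on the target: existence check fails
        return "false"
    value = index[test.find(WIN + "state").get("state_ref")].find(WIN + "value")
    if value.get("datatype") != "int" or value.get("operation", "equals") != "equals":
        return "not evaluated"
    return "true" if int(registry[key]) == int(value.text) else "false"


def eval_definition(def_id, index, registry):
    """Flat AND over the definition's criteria (the default operator)."""
    results = [eval_test(index[c.get("test_ref")], index, registry)
               for c in index[def_id].iter(OVAL + "criterion")]
    if not results or "not evaluated" in results:
        return "not evaluated"
    return "true" if all(r == "true" for r in results) else "false"


def assess(benchmark_xml, oval_xml, registry):
    """Rule id -> XCCDF result (pass/fail/notchecked) and the CCE idents raised."""
    index, report = load_oval(oval_xml), {}
    for rule in load_rules(benchmark_xml):
        res = eval_definition(rule["oval"][0], index, registry) if rule["oval"] else "not evaluated"
        report[rule["id"]] = {"cce": rule["cce"], "result":
                              {"true": "pass", "false": "fail"}.get(res, "notchecked")}
    return report
```

Two things the example makes visible that the prose does not: a test whose object does not exist on the target evaluates to false rather than to an error, because registry_test's check_existence defaults to at_least_one_exists; and a test the interpreter cannot handle is reported as notchecked rather than silently passed, which is what a consumer of the report needs in order to tell "compliant" from "not assessed".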