Vendor Provided Validation Details - C5 3.3.1
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.
Statement of FDCC Compliance:
Secure Elements asserts that their C5 Compliance Platform version 3.3.1 product does not alter the FDCC settings on Microsoft Windows XP and Vista systems.
Statement of SCAP Implementation:
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). Secure Elements is a founding contributor in the development of the SCAP standard providing critical guidance and expertise. The C5 Compliance Platform from Secure Elements leverages SCAP enabling organizations to identify and close IT compliance gaps, and implement continuous monitoring in order to audit, evaluate, and comply with internal, industry, and regulatory policies for IT controls and security.
The C5 Compliance Platform utilizes SCAP checklists (a.k.a. benchmarks) and technologies (CVE, CCE, CPE, CVSS, XCCDF, and OVAL) to facilitate compliance validation against published standards. The Secure Elements Team worked closely with NIST to help develop these checklists, providing guidance and validation of the content, tools, and FDCC images.
The C5 Compliance Platform provides a comprehensive set of features including FDCC Scanner capabilities, Authenticated Configuration Scanner, Patch Remediation, Mis-Configuration Remediation, Asset Management, Asset Database, Vulnerability Database, and Mis-Configuration Database to name a few.
The C5 Compliance Platform provides the ability to detect and assess a single asset or thousands of assets within an enterprise from a single appliance. System Administrators can monitor as well as optionally remediate assets from a central location (no need to manually visit potentially thousands of assets in person) that may or may not be geographically collocated with the assets. The C5 Compliance Platform also provides the ability to roll-up (summarize) SCAP scanning as well as export detailed reports in XCCDF format per asset. Correlated results including CVE, CCE, CPE, CVSS and OVAL references (where appropriate) are also available via ODBC.
Statement of CVE Implementation:
The C5 Compliance Platform provides integrated support for the Common Vulnerabilities and Exposures (CVE®) enumeration. CVE is a named list of information security weaknesses providing standardized identifiers to facilitate a universal naming convention.
The C5 Compliance Platform provides a powerful vulnerability management and remediation toolbox providing the ability to import vulnerability data from leading vulnerability scanners as well as Open Vulnerability and Assessment Language (OVAL) content. The C5 Compliance Platform presents CVE IDs and descriptions when and where available for known vulnerabilities and exposures.
The C5 Compliance Platform allows users to perform vulnerability scans on Microsoft Windows, Sun Solaris, and Red Hat Linux operating systems. The vulnerability definitions are updated periodically as and when new definitions are available. Vulnerability data is downloaded automatically to the C5 Element Manager's vulnerability database. Each vulnerability definition has an associated CVE identifier. The C5 Command Center Vulnerability Management subsystem allows the user to view vulnerability scans, create vulnerability scans, perform vulnerability scans, and view scan results. The results of the vulnerability scans are also available as ODBC views for third-party integration.
The C5 Command Center links each CVE reference directly back to the National Vulnerability Database (NVD) for detailed information on that particular vulnerability or exposure.
Statement of CCE Implementation:
The C5 Compliance Platform provides integrated support for the Common Configuration Enumeration (CCE®) which assigns an identifier, description, parameters, and implementation details to known configuration issues.
The C5 Compliance Platform allows users to perform compliance scans against Microsoft Windows operating systems. A compliance benchmark consists of different Profiles; each Profile having defined rules with values. All the rules in a benchmark have an associated unique CCE identifier which allows correlating configuration data between different applications.
The C5 Compliance Platform presents detailed information about each scan including the CCE when and where available for rules defined within a compliance scan. Hovering the mouse pointer over a CCE will present a detailed description of the CCE.
The C5 Compliance Platform provides the ability to create and dispatch remediation templates to an entire enterprise to address selected CCE issues identified by a compliance scan. Re-running the same scan a second time will confirm the enterprise meets or exceeds compliance.
Statement of CPE Implementation:
The C5 Compliance Platform provides integrated support for the Common Platform Enumeration (CPE®). CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name.
The C5 Compliance Platform provides support for a variety of assets that may or may not be defined by the official CPE dictionary hosted by the National Institute of Standards and Technology (NIST) as part of the National Vulnerability Database (NVD).
The official CPE dictionary is built into the C5 Compliance Platform and identifies assets based upon the structured name. A compliance benchmark and/or a vulnerability scan can be dispatched to those assets that match the CPE inside of the benchmark and/or vulnerability scan. For example, an FDCC Windows XP Compliance Benchmark can only be dispatched to Microsoft Windows XP assets.
The C5 Compliance Platform presents the official CPE identifier with each scan result.
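As an added example (not Secure Elements' code), the dispatch rule above can be modelled with CPE 2.2 URI-style matching, where a component the benchmark leaves empty matches any value on the asset; the hostnames and asset CPEs in the inventory are constructed for the example:

```python
"""CPE 2.2 URI name matching as used when a benchmark's target platform is
compared against the CPE recorded for each asset (added example, not product code)."""
from typing import Dict, List

CPE_PREFIX = "cpe:/"
# Component order defined by the CPE 2.2 URI binding.
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(name: str) -> List[str]:
    """Split a cpe:/ URI into its seven components; missing trailing
    components come back as empty strings, meaning "unspecified"."""
    if not name.startswith(CPE_PREFIX):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    parts = name[len(CPE_PREFIX):].split(":")
    if len(parts) > len(COMPONENTS) or parts[0] not in ("o", "a", "h"):
        raise ValueError(f"malformed CPE name: {name!r}")
    parts += [""] * (len(COMPONENTS) - len(parts))
    return [p.lower() for p in parts]


def cpe_matches(benchmark_platform: str, asset_cpe: str) -> bool:
    """True when every component the benchmark specifies equals the asset's.
    An empty component in the benchmark name matches anything, so
    cpe:/o:microsoft:windows_xp covers every XP service pack but never Vista.
    The check is one-directional: a benchmark that names a service pack does
    not match an asset whose CPE leaves the update component unspecified."""
    wanted = parse_cpe(benchmark_platform)
    actual = parse_cpe(asset_cpe)
    return all(w == "" or w == a for w, a in zip(wanted, actual))


def dispatch_targets(benchmark_platform: str, assets: Dict[str, str]) -> List[str]:
    """Return the hostnames whose CPE matches the benchmark's platform."""
    return sorted(h for h, cpe in assets.items() if cpe_matches(benchmark_platform, cpe))


# Constructed inventory: hostnames and CPE names invented for this example.
ASSETS = {
    "ws-101": "cpe:/o:microsoft:windows_xp::sp3",
    "ws-102": "cpe:/o:microsoft:windows_xp::sp2",
    "ws-201": "cpe:/o:microsoft:windows_vista::sp1",
    "srv-01": "cpe:/o:sun:solaris:10",
}

if __name__ == "__main__":
    # An XP benchmark reaches only the two XP workstations.
    print(dispatch_targets("cpe:/o:microsoft:windows_xp", ASSETS))
```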
Statement of CVSS Implementation:
The C5 Compliance Platform provides integrated support for the Common Vulnerability Scoring System (CVSS). CVSS is an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores.
The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.
The C5 Compliance Platform periodically imports CVSS data from the National Vulnerability Database (NVD) into the C5 Element Manager database. The C5 Command Center then provides the CVSS-based score and CVSS vector for each CVE detected, where available. Both CVEs and CVSS vectors are linked directly to the NVD. Clicking on a CVSS vector will present the corresponding detailed scoring information for that vulnerability.
The C5 Compliance Platform provides the ability to create and dispatch remediation templates to an entire enterprise to address selected CVE issues identified by a compliance scan. Re-running the same scan a second time will confirm the enterprise meets or exceeds compliance.
Statement of XCCDF Implementation:
The C5 Compliance Platform provides integrated support for XCCDF. The eXtensible Configuration Checklist Description Format (XCCDF) is an XML specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for a set of target systems. XCCDF can also be used to format results.
The C5 Compliance Platform allows the user to import benchmarks written in XCCDF. XCCDF Benchmarks can be examined, adapted into a new benchmark, applied to a compliance scan, and/or evaluated by the C5 Command Center. XCCDF describes the system characteristics to be checked or validated.
The C5 Command Center displays the benchmark title, version, and import time. Selecting a benchmark yields additional detail such as the rules defined therein, Rule ID, and OVAL ID. Benchmarks can also be adapted to a new benchmark, allowing the user to select which profiles and rules should be incorporated into the new version. Benchmarks can then be applied to a compliance audit, where the user can select the profiles and assets to be included in the scan.
The C5 Command Center provides XCCDF Benchmark scan results identifying the benchmark version, who performed the audit, the time the audit began, completion status, and current score. Detailed results including the individual rules, the pass/fail result, and score can be exported to an external XML file.
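An added example, not the product's own export code: parsing a constructed XCCDF 1.1 TestResult of the shape described above (auditor, start time, per-rule results, score) and recomputing the default-model score, simplified to a flat rule list with every rule at weight 1.0, as a consistency check on the exported value:

```python
"""Parse an XCCDF 1.1 TestResult export and check its reported score against
the default scoring model (added example; the sample document is constructed)."""
import xml.etree.ElementTree as ET
from typing import List

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}
# Results the default model skips entirely because they carry no verdict.
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}

# Constructed TestResult: rule ids, profile, auditor and timestamps are invented.
SAMPLE_RESULT = f"""<TestResult xmlns="{XCCDF_NS}" id="example-result"
    start-time="2008-05-01T09:00:00" end-time="2008-05-01T09:04:10">
  <benchmark href="example-benchmark.xml"/>
  <identity authenticated="1" privileged="1">auditor</identity>
  <profile idref="example-profile"/>
  <rule-result idref="rule-min-password-length"><result>pass</result></rule-result>
  <rule-result idref="rule-guest-account-disabled"><result>fail</result></rule-result>
  <rule-result idref="rule-autorun-disabled"><result>pass</result></rule-result>
  <rule-result idref="rule-ipv6-disabled"><result>notapplicable</result></rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100">66.67</score>
</TestResult>"""


def parse_test_result(xml_text: str) -> dict:
    """Return who ran the audit, when it began, each rule's result and the score."""
    root = ET.fromstring(xml_text)
    score = root.find("x:score", NS)
    return {
        "auditor": root.findtext("x:identity", default="", namespaces=NS),
        "started": root.get("start-time"),
        "rules": {rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS)
                  for rr in root.findall("x:rule-result", NS)},
        "score": float(score.text) if score is not None else None,
    }


def default_score(rules: dict) -> float:
    """Default model with every rule at weight 1.0: pass scores 100, any other
    verdict (fail, error, unknown) scores 0, and unscored results are excluded."""
    scored = [100.0 if r == "pass" else 0.0 for r in rules.values() if r not in UNSCORED]
    return sum(scored) / len(scored) if scored else 0.0


def failed_rules(rules: dict) -> List[str]:
    return sorted(rid for rid, r in rules.items() if r == "fail")


def score_consistent(xml_text: str, tolerance: float = 0.01) -> bool:
    """True when the exported score agrees with one recomputed from the rule results."""
    tr = parse_test_result(xml_text)
    return tr["score"] is not None and abs(default_score(tr["rules"]) - tr["score"]) <= tolerance
```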
Statement of OVAL Implementation:
The C5 Compliance Platform provides integrated support for the Open Vulnerability and Assessment Language (OVAL). OVAL is an international, information security community baseline standard for how to check for the presence of vulnerabilities and configuration issues on computer systems.
OVAL standardizes the three main steps of the process with an OVAL System Characteristics Schema for collecting configuration data from systems for testing; OVAL Definitions to test for the presence of specific vulnerabilities, configuration issues, and/or patches; and an OVAL Results Schema for reporting the results from the evaluated systems.
The tests are standardized, machine-readable XML Vulnerability Definitions, Compliance Definitions, and Patch Definitions. OVAL's schemas and definitions are all free to download, use, reference, and implement.
The C5 Compliance Platform creates a library of platform-specific (Microsoft Windows, Sun Solaris, Linux...) primitive source code corresponding to each system characteristic test within an OVAL definition file at the time the OVAL is imported into the C5 Element Manager. Each test is designed to return a true, false, or error within the context of the expected result. The C5 Element Manager compiles and dispatches selected tests matching the requirements of the benchmark and the asset(s) participating (matched by CPE) in the compliance or vulnerability scan.
The C5 Compliance Platform presents the OVAL ID corresponding to rules defined in an SCAP Benchmark. Clicking on an OVAL ID provides exceedingly detailed data for each rule, its origin, namespace, family, affected platforms, references, pseudocode representation, raw XML, and evaluated results… for each asset participating in an SCAP compliance scan.
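Added example (not product code) of how the true/false/error results that individual tests return are combined into a definition result under OVAL's criteria rules; the vulnerability-style definition and its test ids are constructed for the example, and a test the agent never reported is deliberately surfaced as error rather than a silent pass:

```python
"""Combine per-test OVAL results into a definition result using the OVAL
criteria combination rules (added example; not Secure Elements code)."""
from typing import Dict, Iterable

TRUE, FALSE, ERROR, UNKNOWN = "true", "false", "error", "unknown"


def _negate(r: str) -> str:
    # negate swaps true/false only; error and unknown stay as they are
    return {TRUE: FALSE, FALSE: TRUE}.get(r, r)


def combine(operator: str, results: Iterable[str]) -> str:
    """AND: any false -> false, else any error -> error, else any unknown -> unknown, else true.
    OR:  any true -> true, else any error -> error, else any unknown -> unknown, else false."""
    rs = list(results)
    if not rs:
        raise ValueError("criteria with no children")
    if operator == "AND":
        order, default = (FALSE, ERROR, UNKNOWN), TRUE
    elif operator == "OR":
        order, default = (TRUE, ERROR, UNKNOWN), FALSE
    else:
        raise ValueError(f"unsupported operator {operator!r}")
    return next((v for v in order if v in rs), default)


def evaluate(node: dict, test_results: Dict[str, str]) -> str:
    """Evaluate a criteria tree of dicts: {'op': 'AND'|'OR', 'children': [...]}
    or {'test': '<oval test id>'}; either may carry 'negate': True.
    A test the agent never reported back is treated as error, so a primitive
    that failed to run shows up in the result instead of reading as a pass."""
    if "test" in node:
        r = test_results.get(node["test"], ERROR)
    else:
        r = combine(node["op"], (evaluate(c, test_results) for c in node["children"]))
    return _negate(r) if node.get("negate") else r


# Constructed vulnerability-style definition (test ids invented for this example):
# vulnerable when the platform matches AND a vulnerable binary is present at
# either path AND the corrective patch is NOT installed.
DEFINITION = {"op": "AND", "children": [
    {"test": "oval:example:tst:1"},                                # affected OS
    {"op": "OR", "children": [{"test": "oval:example:tst:2"},      # vulnerable file,
                              {"test": "oval:example:tst:3"}]},    # either location
    {"test": "oval:example:tst:4", "negate": True},                # patch installed, negated
]}


def is_vulnerable(test_results: Dict[str, str]) -> str:
    return evaluate(DEFINITION, test_results)
```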