Vendor Provided Validation Details - IntelliSIGHT Threat Intelligence Suite v2.1.5
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Compliance:
Not Applicable

Statement of SCAP Implementation:
The iSIGHT Partners IntelliSIGHT Threat Intelligence Suite is a vulnerability database that provides customers with real‐time information and updates regarding software flaws affecting a wide range of vendors and products. Reports are independent of customer‐specific environments and scanning results. Customers can search the vulnerability database, which contains detailed information about specific vulnerabilities; references / links to patches, third‐party advisories, vendor‐supplied mitigation strategies and / or fixes as well as CVSS Base and Temporal Scores; CVE ID and BugTraq ID, as applicable. The iSIGHT Partner's repository (vulnerability database only) is SCAP compliant. The best practices iSIGHT Partners implements are based on the SCAP open set of standards, a combination of 3 common vulnerability identification standards: CVE, CPE and CVSS. Customers can access iSIGHT Partners' SCAP vulnerability database and the information pertaining to CVE, CPE and CVSS and their use as part of the iSIGHT Partners IntelliSIGHT Threat Intelligence Suite by browsing or searching the iSIGHT Partners Customer Portal or in the IntelliSIGHT Daily Delivery e‐mail. Customers can also find additional details in the iSIGHT Partners' Portal User Manual. Users can find the CVE‐ID and the CVSS base scores and vector strings in the "References" section of the vulnerability report. The CVE‐ID is linked to the NVD website for the official description of the vulnerability or software flaw. The CVSS Base score metrics are also linked to the official CVSS V2.2 calculator on the NVD website. Users can find the CPE information, including CPE name and CPE meta data, in the "Technologies" section of the vulnerability report. Specifically, the date that a CVE‐ID was added to the iSIGHT Partners vulnerability database is generally the publish date of the version 1 report for a specific vulnerability. In the event that iSIGHT Partners publishes a report before the official CVE‐ID has been assigned, the CVE‐ID update date can be found in the "Version Notes" section of subsequent reports.

Statement of CVE Implementation:
Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common identifiers for publicly known information security vulnerabilities. Using a common identifier such as CVE greatly simplifies data sharing across separate databases and tools. iSIGHT Partners implements CVE by clearly displaying CVE IDs for security patches and / or software vulnerabilities in the "References" section of each of our vulnerability‐related IntelliSIGHT reports. Customers can view the official description for a vulnerability located in the National Vulnerability Database (NVD) by clicking the link located next to the CVE ID labeled NVD Description. iSIGHT Partners provides the CVE Original Release Date next to the CVE ID in the "References" section of each of our vulnerability‐related IntelliSIGHT reports. Please note that, at times, iSIGHT Partners publishes reports that do not have an assigned CVE ID. However, once a CVE ID is assigned to a vulnerability, the associated iSIGHT Partners vulnerability report is updated with the official CVE ID and CVE Original Release Date. The date on which this occurs can be found in the Version Notes column in the "Previous Versions" section in a vulnerability report. Customers can also view specific CVE ID information by using the iSIGHT Partners Customer Portal search function. Using the CVE ID Detail View within the Portal Search page directs customers to the NVD website and displays detailed information that will help them identify additional products and / or vendors that could be susceptible to a specific vulnerability. Customers can access information pertaining to CVE and its use as part of the iSIGHT Partners IntelliSIGHT Threat Intelligence Suite by browsing or searching the iSIGHT Partners Customer Portal or in the IntelliSIGHT Daily Delivery e‐mail. If customers would like to view a complete list of all reports that contain CVE IDs, please click this link All CVE IDS. If customers would like to view a complete list of all reports that DO NOT contain CVE IDs, please click this link NO CVE IDS. Customers can use the DocID to find reports by going to the Search page within the customer portal and entering the following string "DocID: 08‐123" (replacing 08‐123 with the appropriate DocID and using the quotation marks). Customers can also find additional information in the iSIGHT Partners' Portal User Manual.

Statement of CPE Implementation:
The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software and packages. CPE is simply a standards‐based dictionary of software product names. iSIGHT Partners is compliant with version 2.2 of the CPE Dictionary (Publication date March 23, 2009, 11:42 p.m.) and does not use CPE names that are not in the official CPE dictionary. CPE names found in the iSIGHT Partners vulnerability database were last updated on April 17, 2009. iSIGHT Partners implements CPE by providing a list of CPE names for all software packages and vendors with which a CPE name is associated in each of our vulnerability‐related IntelliSIGHT reports. CPE information is located in the CPE columns in the "Technologies" section of each vulnerability report. Customers can click the CPE column heading to view a list of all CPE names using the standard CPE dictionary XML schema that are included in the vulnerable product. As of May 14, 2009, CPE meta data is available in the CPE Meta column in the "Technologies" section of each vulnerability report. The CPE meta data displayed is taken directly from the official CPE dictionary. Customers can access information pertaining to CPE and its use as part of the iSIGHT Partners IntelliSIGHT Threat Intelligence Suite by browsing or searching the iSIGHT Partners Customer Portal or in the IntelliSIGHT Daily Delivery e‐mail. Customers can also find additional information in the iSIGHT Partners' Portal User Manual.

Statement of CVSS Implementation:
The Common Vulnerability Scoring System (CVSS) is an open‐standard for assigning scores to a vulnerability that indicates its severity relative to other vulnerabilities. The CVSS standard offers visibility into how iSIGHT Partners calculates each score by revealing the underlying vulnerability characteristics used as inputs to calculate the score. iSIGHT Partners is the source of CVSS scores displayed on its reports and, as a result, the scores may differ from those on displayed on the NVD website. iSIGHT Partners implements CVSS by displaying the CVSS Base and Temporal scores for security patches and / or software vulnerabilities in each of our vulnerability‐related IntelliSIGHT reports. CVSS scores are located in the "References" section of each vulnerability report. To learn more about the base metrics iSIGHT Partners uses to determine the CVSS Base Score, customers can click CVSS Base Score in the "References" section of a report. To further customize CVSS base scores and produce CVSS environmental scores, customers can click the vector string located next to the CVSS Base Score. After clicking the vector string, users are directed to the Common Vulnerability Scoring System Version 2 Calculator located on the NVD at http://nvd.nist.gov/cvss.cfm?calculator&version=2. To learn more about the temporal metrics iSIGHT Partners uses to determine the CVSS Temporal Score, customers can click CVSS Temporal Score in the "References" section of a report. Customers can also search our vulnerability database by CVSS score via our Customer Portal to display detailed results and identify additional systems that may be susceptible to vulnerabilities with a specific CVSS score. In the event customers want to edit or adjust their CVSS Environmental and / or Temporal scores according to their specific operating environment, they can access the CVSS v2 Calculator via a direct link located on the iSIGHT Partners Customer Portal Search page. Customers can access information pertaining to CVSS and its use as part of the iSIGHT Partners IntelliSIGHT Threat Intelligence Suite by browsing or searching the iSIGHT Partners Customer Portal or in the IntelliSIGHT Daily Delivery e‐mail. Customers can also find additional information in the iSIGHT Partners' Portal User Manual.

Statement of XCCDF Implementation:
Not Applicable

Statement of OVAL Implementation:
Not Applicable