Vendor Provided Validation Details - Securefusion 3.501
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Compliance:
SecureFusion requirements that conflict with FDCC and supporting rationale:

1. Local Firewall Rule: Target platforms which are running a local firewall, must add a firewall rule that allows the SecureFusion scanner to remotely access the machine. This is necessary since SecureFusion is an entirely agent-less platform and performs all SCAP functions from a remote scanner. The firewall exception can be strictly limited to a single IP address corresponding to the SecureFusion scanner, while blocking all other traffic. This rule can be deployed enterprise-wide through a simple group policy setting or through the local policy on stand-alone machines.

2. Remote Access for Stand-Alone Vista Machines: For Windows Vista systems configured in workgroups or as stand-alone machines, User Account Control (UAC) must be disabled. This change allows remote access to the machine by valid user accounts, which would be otherwise blocked. Remote access is necessary since SecureFusion is an entirely agent-less platform and performs all SCAP functions from a remote scanner. This requirement does not apply to Windows XP systems, and does not apply to Windows Vista systems participating in a domain.

Statement of SCAP Implementation:
SecureFusion is a highly-scalable, integrated framework of compliance technologies, which enables organizations to quickly, and easily measure security and compliance across the enterprise network. Built as an SOA architecture, SecureFusion is entirely agent-less, installs in less than one day and easily scales to any enterprise class network, including networks exceeding 100,000's of network assets. SecureFusion is compatible with all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and OVAL. SecureFusion will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (i.e. FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting.

The full implementation of SCAP 1.0 was added to SecureFusion in version 3.5 and will be supported in future versions of SecureFusion. Certain components of SCAP had been previously supported in previous versions of SecureFusion, however, the continued development of the SCAP standards have been included comprehensively in SecureFusion 3.5.

Leveraging the SCAP standards, SecureFusion automates enterprise-wide asset discovery, vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. The SecureFusion Portal offers powerful asset classification, scheduling and reporting features to provide users with complete command and control over enterprise scans and report generation. Large government and commercial entities rely on SecureFusion to continuously measure IT security and compliance with government policies and standards, including: FISMA, FDCC, C&A criteria, and NIST 800 Series standards.

Statement of CVE Implementation:
SecureFusion is a highly-scalable, integrated framework of compliance technologies, which enables organizations to quickly, and easily measure security and compliance across the enterprise network. Built as an SOA architecture, SecureFusion is entirely agent-less, installs in less than one day and easily scales to any enterprise class network, including networks exceeding 100,000's of network assets. SecureFusion is compatible with all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and OVAL. SecureFusion will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (i.e. FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting.

Common Vulnerability Enumeration (CVE) is used within SecureFusion to associate any vulnerabilities reported in the SecureFusion Portal to a corresponding CVE ID. CVE IDs are displayed on "Vulnerability Distribution" reports and "Vulnerability Detail" reports, which can be accessed by clicking on any vulnerability name in the SecureFusion Portal. Once viewing this page, users can click the CVE ID number to access the NVD records for the CVE.

Leveraging the SCAP standards, SecureFusion automates enterprise-wide asset discovery, vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. The SecureFusion Portal offers powerful asset classification, scheduling and reporting features to provide users with complete command and control over enterprise scans and report generation. Large government and commercial entities rely on SecureFusion to continuously measure IT security and compliance with government policies and standards, including: FISMA, FDCC, C&A criteria, and NIST 800 Series standards.

Statement of CCE Implementation:
SecureFusion is a highly-scalable, integrated framework of compliance technologies, which enables organizations to quickly, and easily measure security and compliance across the enterprise network. Built as an SOA architecture, SecureFusion is entirely agent-less, installs in less than one day and easily scales to any enterprise class network, including networks exceeding 100,000's of network assets. SecureFusion is compatible with all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and OVAL. SecureFusion will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (i.e. FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting.

Common Configuration Enumeration (CCE) is used within SecureFusion to associate configuration values reported in the SecureFusion Portal to a corresponding CCE ID. CCE IDs are displayed on the "Control Detail Report", which can be accessed by clicking on any Control name in the SecureFusion Portal. Once viewing this page, users will find the CCE ID located in the Control Description field. The CCE ID can be clicked on to access the NVD record for the CCE.

Leveraging the SCAP standards, SecureFusion automates enterprise-wide asset discovery, vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. The SecureFusion Portal offers powerful asset classification, scheduling and reporting features to provide users with complete command and control over enterprise scans and report generation. Large government and commercial entities rely on SecureFusion to continuously measure IT security and compliance with government policies and standards, including: FISMA, FDCC, C&A criteria, and NIST 800 Series standards.

Statement of CPE Implementation:
SecureFusion is a highly-scalable, integrated framework of compliance technologies, which enables organizations to quickly, and easily measure security and compliance across the enterprise network. Built as an SOA architecture, SecureFusion is entirely agent-less, installs in less than one day and easily scales to any enterprise class network, including networks exceeding 100,000's of network assets. SecureFusion is compatible with all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and OVAL. SecureFusion will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (i.e. FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting.

Common Platform Enumeration (CPE) is used by SecureFusion to align SCAP data streams and assessment results with the intended platforms. CPE values are imported from XCCDF data streams and are used in conjunction with OVAL definitions and the SecureFusion Configuration Management scanner.

Leveraging the SCAP standards, SecureFusion automates enterprise-wide asset discovery, vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. The SecureFusion Portal offers powerful asset classification, scheduling and reporting features to provide users with complete command and control over enterprise scans and report generation. Large government and commercial entities rely on SecureFusion to continuously measure IT security and compliance with government policies and standards, including: FISMA, FDCC, C&A criteria, and NIST 800 Series standards.

Statement of CVSS Implementation:
SecureFusion is a highly-scalable, integrated framework of compliance technologies, which enables organizations to quickly, and easily measure security and compliance across the enterprise network. Built as an SOA architecture, SecureFusion is entirely agent-less, installs in less than one day and easily scales to any enterprise class network, including networks exceeding 100,000's of network assets. SecureFusion is compatible with all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and OVAL. SecureFusion will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (i.e. FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting.

The Common Vulnerability Scoring System (CVSS) is used within SecureFusion to prioritize and display risk scores for any vulnerabilities reported in the SecureFusion Portal. CVSS scores can be viewed for each vulnerability on the "Vulnerability Distribution" reports, "Vulnerability Detail" reports, and "View Host" reports. Vulnerabilities can be sorted and prioritized by CVSS scores. Scoring metrics and modifiers can be entered and updated to achieve scoring and prioritization that reflects the user’s unique and realistic threat environment.

Leveraging the SCAP standards, SecureFusion automates enterprise-wide asset discovery, vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. The SecureFusion Portal offers powerful asset classification, scheduling and reporting features to provide users with complete command and control over enterprise scans and report generation. Large government and commercial entities rely on SecureFusion to continuously measure IT security and compliance with government policies and standards, including: FISMA, FDCC, C&A criteria, and NIST 800 Series standards.

Statement of XCCDF Implementation:
SecureFusion is a highly-scalable, integrated framework of compliance technologies, which enables organizations to quickly, and easily measure security and compliance across the enterprise network. Built as an SOA architecture, SecureFusion is entirely agent-less, installs in less than one day and easily scales to any enterprise class network, including networks exceeding 100,000's of network assets. SecureFusion is compatible with all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and OVAL. SecureFusion will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (i.e. FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting.

The Extensible Configuration Checklist Document Format (XCCDF) is used by SecureFusion to automate the importation of XCCDF enabled checklists, benchmarks, and related documents. During importation, users can choose from any available profiles and benchmarks within the XCCDF file to build the desired checklist. XCCDF content is translated into policies and standards within SecureFusion that can be easily measured and reported. Following importation, XCCDF content can be viewed and measured in "Policies and Controls" reporting.

Leveraging the SCAP standards, SecureFusion automates enterprise-wide asset discovery, vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. The SecureFusion Portal offers powerful asset classification, scheduling and reporting features to provide users with complete command and control over enterprise scans and report generation. Large government and commercial entities rely on SecureFusion to continuously measure IT security and compliance with government policies and standards, including: FISMA, FDCC, C&A criteria, and NIST 800 Series standards.

Statement of OVAL Implementation:
SecureFusion is a highly-scalable, integrated framework of compliance technologies, which enables organizations to quickly, and easily measure security and compliance across the enterprise network. Built as an SOA architecture, SecureFusion is entirely agent-less, installs in less than one day and easily scales to any enterprise class network, including networks exceeding 100,000's of network assets. SecureFusion is compatible with all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and OVAL. SecureFusion will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (i.e. FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting.

The Open Vulnerability Assessment Language is used by SecureFusion to define and test system vulnerabilities, patches and configuration values. OVAL content, consisting of configuration and patch definitions, can be imported into SecureFusion and included in the SecureFusion scanning processes. SecureFusion interprets OVAL definitions, executes scans remotely against target machines and returns the OVAL test results to the SecureFusion portal for measurement against XCCDF checklists and benchmarks. OVAL references including the definition can be viewed in the SecureFusion "Control Detail Report" and "Edit Control" dialogue for any imported OVAL definitions.

Leveraging the SCAP standards, SecureFusion automates enterprise-wide asset discovery, vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. The SecureFusion Portal offers powerful asset classification, scheduling and reporting features to provide users with complete command and control over enterprise scans and report generation. Large government and commercial entities rely on SecureFusion to continuously measure IT security and compliance with government policies and standards, including: FISMA, FDCC, C&A criteria, and NIST 800 Series standards.