Vendor Provided Validation Details - SecureFusion 4
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Compliance:
Gideon Technologies asserts that the SecureFusion product does not alter the FDCC settings on Microsoft Windows XP and Vista systems.

Two options for configuration assessment methods are provided at this time (agent-based and agent-less).

Our agent-based solution (named the Remote Compliance Connector) may be deployed as a persistent agent that is configured to communicate with the SecureFusion server while requiring NO modification of FDCC or Firewall settings for XP or Vista.

The configuration assessments may also be achieved via agent-less methods. When performing assessments via agent-less methods, the following requirement applies: When performing configuration assessments on a Vista machine via agent-less methods AND the computer is NOT a member of an Active Directory Domain (i.e., it is considered a "standalone" Vista machine), the following requirement applies:

A new registry key named "LocalAccountTokenFilterPolicy" must be created, the value type of the registry key needs to be set to REG_DWORD, and its value must be set to "1". Setting this registry value allows standalone Vista computers to be remotely.
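
An added example, not part of the vendor's statement: because this value changes how Windows treats remote logons by local administrator accounts, it is worth auditing which standalone machines carry it, here from exported registry files. The key path, host names and sample exports are assumptions of this example; the page gives only the value's name, type and data.

```python
import re

# The page names only the value; this key path comes from Microsoft's
# documentation of the setting and is an assumption of this example.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE_NAME = "LocalAccountTokenFilterPolicy"

def decode_reg(raw: bytes) -> str:
    """regedit 5.00 exports are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")

def token_filter_state(raw: bytes) -> str:
    """Classify one exported hive: dword-1, dword-other, wrong-type or absent."""
    in_key = False
    for line in decode_reg(raw).splitlines():
        line = line.strip()
        if line.startswith("["):  # section header: track whether we are in the key
            in_key = line.strip("[]").lower() == POLICY_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not (in_key and m and m.group(1).lower() == VALUE_NAME.lower()):
            continue
        d = re.fullmatch(r"dword:([0-9a-fA-F]{8})", m.group(2))
        if d is None:
            return "wrong-type"  # e.g. a REG_SZ "1", not the REG_DWORD the page requires
        return "dword-1" if int(d.group(1), 16) == 1 else "dword-other"
    return "absent"

def _export(values: str) -> bytes:
    """Build a constructed regedit-style export of the policy key."""
    text = f"Windows Registry Editor Version 5.00\r\n\r\n[{POLICY_KEY}]\r\n{values}\r\n"
    return b"\xff\xfe" + text.encode("utf-16-le")

# Constructed sample exports (hypothetical host names).
SAMPLES = {
    "vista-standalone-01": _export('"EnableLUA"=dword:00000001\r\n'
                                   '"LocalAccountTokenFilterPolicy"=dword:00000001'),
    "vista-standalone-02": _export('"EnableLUA"=dword:00000001'),
    "vista-standalone-03": _export('"LocalAccountTokenFilterPolicy"="1"'),
}

def audit(samples: dict) -> dict:
    return {host: token_filter_state(raw) for host, raw in samples.items()}

if __name__ == "__main__":
    for host, state in audit(SAMPLES).items():
        print(f"{host}: {state}")
```

Hosts reported as `dword-1` carry the setting the statement requires for agent-less assessment; `wrong-type` flags a value that was created but not as REG_DWORD.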

Statement of SCAP Implementation:
SecureFusion is a highly-scalable, integrated framework of compliance technologies, which enables organizations to quickly and easily measure security and compliance across the enterprise network. Built upon a SOA architecture, SecureFusion installs in less than one day and easily scales to any enterprise-class network, including networks exceeding 100,000's of network assets. SecureFusion is compatible with and built upon all SCAP components: CVE, CCE, CPE, CVSS, XCCDF and OVAL. SecureFusion will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (i.e. FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting.

The full implementation of SCAP 1.0 was added to SecureFusion in version 3.5 and will be supported in future versions of SecureFusion. Certain components of SCAP had been supported in previous versions of SecureFusion; however, the continued development of the SCAP standards has been included comprehensively in SecureFusion 3.5.

Leveraging the SCAP standards, SecureFusion automates enterprise-wide asset discovery, vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy-to-deploy, easy-to-manage solution. The SecureFusion Portal offers powerful asset classification, scheduling and reporting features to provide users with complete command and control over enterprise scans and report generation. Large government and commercial entities rely on SecureFusion to continuously measure IT security and compliance with government policies and standards, including: HIPAA, PCI, FISMA, FDCC, C&A criteria, and NIST 800 Series standards.

Statement of CVE Implementation:
Common Vulnerability Enumeration (CVE) is used within SecureFusion to associate any vulnerabilities reported in the SecureFusion Portal to a corresponding CVE ID. CVE IDs are displayed on "Vulnerability Distribution" reports and "Vulnerability Detail" reports, which can be accessed by clicking on any vulnerability name in the SecureFusion Portal. Once viewing this page, users can click the CVE ID number to access the NVD records for the CVE.

Statement of CCE Implementation:
Common Configuration Enumeration (CCE) is used within SecureFusion to associate configuration values reported in the SecureFusion Portal to a corresponding CCE ID. CCE IDs are displayed on the "Control Detail Report", which can be accessed by clicking on any Control name in the SecureFusion Portal. Once viewing this page, users will find the CCE ID located in the Control Description field. The CCE ID can be clicked on to access the NVD record for the CCE.

Statement of CPE Implementation:
SecureFusion is a highly-scalable, integrated framework of compliance technologies, which enables organizations to quickly and easily measure security and compliance across the enterprise network. Built upon a SOA architecture, SecureFusion installs in less than one day and easily scales to any enterprise-class network, including networks exceeding 100,000's of network assets. SecureFusion is compatible with all SCAP components: CVE, CCE, CPE, CVSS, XCCDF and OVAL. SecureFusion will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (i.e. FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting.

Common Platform Enumeration (CPE) is used by SecureFusion to align SCAP data streams and assessment results with the intended platforms. CPE values are imported from XCCDF data streams and are used in conjunction with OVAL definitions and the SecureFusion Configuration Management scanner.

Statement of CVSS Implementation:
The Common Vulnerability Scoring System (CVSS) is used within SecureFusion to prioritize and display risk scores for any vulnerability reported in the SecureFusion Portal. CVSS scores can be viewed for each vulnerability on the "Vulnerability Distribution" reports, "Vulnerability Detail" reports, and "View Host" reports. Vulnerabilities can be sorted and prioritized by CVSS scores. Scoring metrics and modifiers can be entered and updated to achieve scoring and prioritization that reflects the user's unique and realistic threat environment.

Statement of XCCDF Implementation:
SecureFusion is a highly-scalable, integrated framework of compliance technologies, which enables organizations to quickly and easily measure security and compliance across the enterprise network. Built upon a SOA architecture, SecureFusion installs in less than one day and easily scales to any enterprise-class network, including networks exceeding 100,000's of network assets. SecureFusion is compatible with and built upon all SCAP components: CVE, CCE, CPE, CVSS, XCCDF and OVAL. SecureFusion will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (i.e. FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting.

The Extensible Configuration Checklist Document Format (XCCDF) is used by SecureFusion to automate the importation of XCCDF-enabled checklists, benchmarks, and related documents. During importation, users can choose from any available profiles and benchmarks within the XCCDF file to build the desired checklist. XCCDF content is translated into policies and standards within SecureFusion that can be easily measured and reported. Following importation, XCCDF content can be viewed and measured in "Policies and Controls" reporting.

Statement of OVAL Implementation:
The Open Vulnerability Assessment Language is used by SecureFusion to define and test system vulnerabilities, patches and configuration values. OVAL content, consisting of configuration and patch definitions, can be imported into SecureFusion and included in the SecureFusion scanning processes. SecureFusion interprets OVAL definitions, executes scans remotely against target machines and returns the OVAL test results to the SecureFusion portal for measurement against XCCDF checklists and benchmarks. OVAL references including the definition can be viewed in the SecureFusion "Control Detail Report" and "Edit Control" dialogue for any imported OVAL definitions.
