Vendor Provided Validation Details: Xacta IA Manager's
Continuous Assessment version 4.8 from Telos Corporation
The following text was provided by the vendor during testing to describe
how the product implements the specific capabilities.
Statement of FDCC Compliance:
Xacta IA Manager's Continuous Assessment operates on Federal Desktop Core Configuration
(FDCC) hardened Windows XP and Windows Vista platforms without any
modification.
Xacta IA Manager's Continuous Assessment supports compliance checking by executing rules provided in SCAP-based checklists and saving results in XCCDF results format.
Statement of SCAP Implementation:
Xacta IA Manager combines the industry-leading security compliance and risk
assessment functionality with powerful business process automation to establish
a centralized governance, risk and compliance (GRC) management platform that
facilitates compliance assessment, continuous risk and sustained compliance
management, and security process automation.
Xacta IA Manager provides risk and compliance management for organizations following industry standards and processes to support IT governance across defense, intelligence, and commercial sectors. Xacta IA Manager was the first to market with a certification and accreditation (C&A) automation solution and bridges the gap from vulnerability management to risk management. Xacta IA Manager provides a robust management framework enabling continuous assessment for assets, applications, enclaves, networks, systems, and sites.
Xacta IA Manager supports the use of SCAP content to determine configuration compliance to XCCDF checklists, such as the FDCC standards. SCAP (http://nvd.nist.gov/scap.cfm) is a government multi-agency initiative to enable automation and standardization of technical security operations, such as policy compliance checking. SCAP is based on several evolving standards: CVE, CCE, CPE, XCCDF, CVSS and OVAL.
Xacta IA Manager's Continuous Assessment product supports compliance checking by executing rules provided in SCAP-based checklists on the agent machines and provides the ability to generate both XCCDF results and PDF reports.
Statement of CVE Implementation:
Common Vulnerabilities and Exposures (CVE) (http://cve.mitre.org/) is a
dictionary of publicly known information security vulnerabilities and
exposures. It facilitates the exchange of vulnerability information by
serving as a common reference between different products. SCAP checklists
include references to CVE IDs for all the OVAL vulnerability definitions.
Xacta IA Manager's Continuous Assessment hosts the CVE dictionary for the users to research a given vulnerability. CVE dictionary data is downloaded from the official NVD database periodically and can be scheduled as necessary.
Xacta IA Manager's Continuous Assessment supports vulnerability and/or patch checks, provided in the SCAP data stream, by executing them on the agent machines. The results of the checks have references to the CVE IDs and are hyperlinked to the data from the CVE dictionary to further investigate the vulnerability and identify appropriate remediation methods. Xacta IA Manager users can then use this information as part of a system-based risk management effort, as well as create remediation plans.
Statement of CCE Implementation:
Common Configuration Enumeration (CCE) (http://cce.mitre.org/ ) provides unique
identifiers to system configuration issues in order to provide a common
reference for potential mis-configuration issues for different operating
systems and applications. SCAP checklists may include references to CCE
IDs. Each rule in the XCCDF file may include "ident" elements that
specify the name or identifier of a security configuration issue or
vulnerability that is associated with the rule.
Xacta IA Manager's Continuous Assessment hosts the CCE dictionary for the users to research a given mis-configuration. CCE dictionary data is downloaded from the official CCE website (http://cce.mitre.org) periodically and can be scheduled as necessary.
Xacta IA Manager's Continuous Assessment supports compliance checks, provided in the SCAP data stream, by executing them on the agent machines. The results of the checks have references to the CCE IDs and are hyperlinked to the data from the CCE dictionary. Xacta IA Manager users can then use this information as part of a system-based risk management effort, as well as create plans of actions and milestones for the associated remediation. It also provides the ability to generate both XCCDF results and PDF reports.
Statement of CPE Implementation:
Common Platform Enumeration (CPE) is a structured naming scheme for software
and hardware, such as operating system versions and software applications. CPE
naming convention includes details like vendor name, product name, version,
update level, edition and language. CPE identifiers are used in SCAP checklists
to define the applicability of a checklist or a profile to the specified
platform or application. SCAP checklists include a CPE dictionary. The CPE
dictionary that comes with the checklist is used to map the CPE IDs used in the
checklist to the corresponding OVAL inventory definitions.
Xacta IA Manager's Continuous Assessment hosts the CPE dictionary for the users to research a given platform, application and hardware. CPE dictionary data is downloaded from the official NVD website (http://nvd.nist.gov/cpe.cfm) periodically and can be scheduled as necessary.
Xacta IA Manager's Continuous Assessment has the ability to execute CPE inventory definitions on the agent machine to determine if the SCAP-based checklists are applicable to the host. The automatic checks determine if a particular operating system version or application version is installed on the platform by matching the CPE ID to the platform. It marks the checks in the checklists as Not Applicable (N/A) if the CPE does not match the host. Continuous Assessment produces the results in both XCCDF results and PDF format and includes the CPE of the corresponding benchmark in the XCCDF results file.
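The applicability step described above, written out as an added example (this is illustrative code, not Telos or Xacta code): a checklist's platform identifier is a CPE 2.2 URI that may leave trailing components unspecified, a host's inventory is the list of CPE names its inventory definitions reported as present, and any rule whose platform matches nothing in that inventory is marked notapplicable before the agent runs a single check. The CPE names, rule ids and inventory below are constructed.

```python
# Added example (not Telos/Xacta code): matching a checklist's CPE platform
# identifier against the CPE names an inventory definition reports for a host,
# and marking rules Not Applicable when nothing matches.
from typing import Dict, List, Optional, Tuple

# CPE 2.2 URI layout: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri: str) -> Dict[str, Optional[str]]:
    """Split a CPE 2.2 URI into named components.

    Trailing components may be omitted, and an empty component means
    "unspecified" (None), i.e. it matches any value on the other side.
    """
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return {name: (value.lower() or None) for name, value in zip(CPE_FIELDS, parts)}


def cpe_matches(checklist_cpe: str, host_cpe: str) -> bool:
    """True when the host's CPE name falls within the checklist's platform name.

    Every component the checklist specifies must match the host exactly;
    components the checklist leaves unspecified match anything.  So
    cpe:/o:microsoft:windows_xp applies to any XP service pack, while
    cpe:/o:microsoft:windows_xp::sp2 applies to SP2 only.
    """
    want, have = parse_cpe(checklist_cpe), parse_cpe(host_cpe)
    return all(want[f] is None or want[f] == have[f] for f in CPE_FIELDS)


def evaluate_applicability(
    benchmark_platform: str,
    rules: List[Tuple[str, Optional[str]]],
    host_inventory: List[str],
) -> Dict[str, str]:
    """Decide which rules the agent should actually run on a host.

    rules:          (rule_id, rule_platform) pairs; a None platform means the
                    rule inherits the benchmark's platform.
    host_inventory: CPE names whose inventory definitions evaluated true on the host.
    Returns rule_id -> "notapplicable" (CPE mismatch) or "pending" (run its check).
    """
    verdicts = {}
    for rule_id, rule_platform in rules:
        platform = rule_platform or benchmark_platform
        applicable = any(cpe_matches(platform, host) for host in host_inventory)
        verdicts[rule_id] = "pending" if applicable else "notapplicable"
    return verdicts


if __name__ == "__main__":
    # Constructed data: an XP benchmark, one rule pinned to Vista, and a host whose
    # inventory definitions reported Windows XP SP3 and Internet Explorer 7.
    rules = [
        ("rule-minimum-password-length", None),
        ("rule-uac-enabled", "cpe:/o:microsoft:windows_vista"),
    ]
    host = ["cpe:/o:microsoft:windows_xp::sp3", "cpe:/a:microsoft:ie:7"]
    for rule_id, verdict in evaluate_applicability("cpe:/o:microsoft:windows_xp", rules, host).items():
        print(f"{rule_id}: {verdict}")
```

The comparison is deliberately one-directional: the checklist side may be less specific than the host side, never the other way round, so a benchmark written for "any Windows XP" applies to an SP3 host, but a benchmark written for SP2 does not.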
Statement of CVSS Implementation:
The Common Vulnerability Scoring System (CVSS) provides an open framework for
communicating the characteristics and impacts of IT vulnerabilities. National
Vulnerability Database (NVD) provides the CVSS score for all the
vulnerabilities (CVE) listed. It also provides the CVSS vectors on which the
score calculation is based.
Xacta IA Manager's Continuous Assessment has the ability to execute OVAL
vulnerability and/or patch checks on the agent machine and produce the results
in one central location. The results include references to CVE IDs, a
description, the CVSS score, severity and so on. CVE IDs are hyperlinked to the
data from the CVE dictionary, which provides the CVSS score and CVSS vectors.
Additionally, it provides an overview of the vulnerability, affected CPEs and
references to other external sources like US-CERT, Bugtraq and Open Source
Vulnerability Database (OSVDB). The CVSS scores are downloaded as a part of CVE
data from the official NVD database periodically and can be scheduled as
necessary.
Statement of XCCDF Implementation:
Extensible Configuration Checklist Description Format (XCCDF)
(http://nvd.nist.gov/xccdf.cfm) specification defines the format for exchanging
security configuration information. XCCDF documents are used for describing
mis-configuration and vulnerabilities, including automatic compliance checking.
XCCDF documents are expressed in XML format. SCAP checklists that are described
in XCCDF format are called benchmarks. XCCDF schema provides a framework for
both checks (rules) and results.
Xacta IA Manager's Continuous Assessment supports compliance checking by
executing rules provided in SCAP-based checklists on the agent machines and
provides the ability to generate both XCCDF results and PDF reports. It allows
the users to import SCAP data stream archives (zip files) into the Continuous
Assessment's SCAP script library. Depending on the number of profiles included
in the XCCDF benchmark, SCAP script library will have the corresponding labels.
Users can then create tasks to check for the rules on any agent machine. The
XCCDF specification allows the use of different checking systems for automatic
checks. Continuous Assessment supports two checking systems: OVAL and Xacta
HostInfo JavaScript. This enables the use of two checking systems in the same
XCCDF document. Xacta IA Manager users can then use this information as part of
a system-based risk management effort, as well as create Plans of Actions and
Milestones (POA&Ms) for the associated remediation. Additionally, the
output XCCDF document may be used for configuration reporting to authoritative
oversight organizations.
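What an oversight organization or a POA&M workflow consumes from the output above is the XCCDF results document: one rule-result per rule, each carrying its result, its CCE ident and the checking system that produced it. The following added example (illustrative code, not Telos or Xacta code) reads such a document and summarizes it. The XCCDF 1.1 namespace and the CCE and OVAL system URIs are the real ones; the document itself, its rule ids, its CCE numbers and the second checking-system URI `urn:example:hostinfo-javascript` are constructed placeholders.

```python
# Added example (not Telos/Xacta code): reading an XCCDF 1.1 results document the way
# a compliance console would, to pull out per-rule results, the CCE identifiers
# attached to each rule, and which checking system each rule used.  The document
# below is constructed for illustration; rule ids and CCE numbers are placeholders.
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Optional

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS}

# Constructed results document.  "urn:example:hostinfo-javascript" is a placeholder
# for a second, non-OVAL checking system; it is not a real system identifier.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <TestResult id="example-result" end-time="2010-01-01T00:00:00">
    <platform idref="cpe:/o:microsoft:windows_xp"/>
    <target>host-01.example.local</target>
    <rule-result idref="rule-minimum-password-length">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-00000-1</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </rule-result>
    <rule-result idref="rule-guest-account-disabled">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-00000-2</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
      </check>
    </rule-result>
    <rule-result idref="rule-screensaver-timeout">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-00000-3</ident>
      <check system="urn:example:hostinfo-javascript">
        <check-content-ref href="example-script.js"/>
      </check>
    </rule-result>
    <rule-result idref="rule-vista-only-setting">
      <result>notapplicable</result>
      <ident system="http://cce.mitre.org">CCE-00000-4</ident>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def summarize(xml_text: str) -> dict:
    """Extract target, platform CPEs, per-rule details and result counts from a TestResult."""
    root = ET.fromstring(xml_text)
    # A results file may be a bare TestResult or a Benchmark that embeds one.
    tr = root if root.tag == f"{{{XCCDF_NS}}}TestResult" else root.find("x:TestResult", NS)
    if tr is None:
        raise ValueError("no TestResult element found")
    rules: List[dict] = []
    for rr in tr.findall("x:rule-result", NS):
        check = rr.find("x:check", NS)
        rules.append({
            "id": rr.get("idref"),
            "result": rr.findtext("x:result", default="unknown", namespaces=NS),
            "cce": [i.text for i in rr.findall("x:ident", NS) if i.get("system") == CCE_SYSTEM],
            "check_system": None if check is None else check.get("system"),
        })
    return {
        "target": tr.findtext("x:target", default="", namespaces=NS),
        "platforms": [p.get("idref") for p in tr.findall("x:platform", NS)],
        "rules": rules,
        "counts": dict(Counter(r["result"] for r in rules)),
    }


def failed_cces(summary: dict) -> List[str]:
    """CCE IDs of failed rules: the items a POA&M entry would reference."""
    return [cce for r in summary["rules"] if r["result"] == "fail" for cce in r["cce"]]


def checks_by_system(summary: dict) -> Dict[Optional[str], int]:
    """How many rules each checking system evaluated (None = no automated check)."""
    return dict(Counter(r["check_system"] for r in summary["rules"]))


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(s["target"], s["platforms"], s["counts"])
    print("failed CCEs:", failed_cces(s))
    print("checking systems:", checks_by_system(s))
```

Keying the ident filter on the `system` attribute matters: rules can carry idents from more than one naming scheme (CCE, CVE), and only the CCE entries belong in a mis-configuration POA&M.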
Statement of OVAL Implementation:
Open Vulnerability and Assessment Language (OVAL) is an international
information security standard to promote open and publicly available security content,
and to standardize the transfer of this information across the entire spectrum
of security tools and services. The OVAL standard is maintained by MITRE
(http://oval.mitre.org). OVAL is an XML-based language for writing automated tests
or checks, called definitions, to determine the presence of a specified machine
(asset) state. It defines four classes of definitions: compliance,
vulnerability, patch and inventory.
As an example, FDCC SCAP checklists include OVAL definition documents.
Definitions in the OVAL documents, referenced from within the XCCDF document
rules, are used for automatic compliance and vulnerability checking. The CPE
dictionary that is part of the SCAP checklist includes references to OVAL
inventory definitions that check for the presence of a specified operating
system or application, as discussed under the CPE section within this statement
of SCAP implementation.
Xacta IA Manager's Continuous Assessment has the ability to execute OVAL
vulnerability and/or patch checks on the agent machine and produce the results
in one central location. As in the FDCC example discussed above, the Continuous
Assessment agent executes OVAL inventory definition(s) to determine the
applicability of a checklist to the platform on which it is being run. It then
executes the OVAL compliance (mis-configuration and vulnerability) checks and passes
the results to the Continuous Assessment server.
Xacta IA Manager's Continuous Assessment has the ability to convert OVAL
definitions, as a part of the SCAP data stream, into JavaScript for distribution to
thousands of distributed HostInfo Agents. The results of these checks and
JavaScript tests can be used for configuration compliance management,
and when the OVAL definitions are referenced to CVE IDs, users can conduct
vulnerability research. Finally, Xacta IA Manager users can then use this
compliance information as part of a system-based risk management effort, as
well as create Plans of Actions and Milestones (POA&Ms) for the associated
remediation.