fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

SCAP 1.3 validation and certification #20560

Open dherder opened 1 month ago

dherder commented 1 month ago

Problem

prospect-vetter requires that Fleet become SCAP 1.3 certified.

Becoming SCAP 1.3 compliant involves several steps, from understanding the requirements to passing rigorous testing and validation processes. Here’s a detailed guide on how a software vendor can achieve SCAP 1.3 compliance:

Steps to Achieve SCAP 1.3 Compliance

  1. Understand SCAP 1.3 Requirements

    • Familiarize yourself with SCAP Standards: Study the SCAP 1.3 specifications, including CVE, CCE, CPE, CVSS, XCCDF, OVAL, and ARF. Understand how these components interrelate and the specific requirements for each.
    • Consult NIST Documentation: Review documentation provided by the National Institute of Standards and Technology (NIST), including SCAP specifications, validation program requirements, and other relevant guidelines.

  2. Develop or Update Your Product

    • Implement SCAP Standards: Ensure your software can process and generate data compliant with SCAP 1.3 standards. This may involve updating existing features or developing new functionalities.
    • Ensure Interoperability: Your product should be able to work with other SCAP-compliant tools and data streams. This includes correctly parsing and using SCAP content, such as vulnerability definitions and configuration benchmarks.

  3. Internal Testing

    • Conduct Functional Testing: Internally test your product to ensure it correctly implements SCAP 1.3 standards. This includes verifying that it can accurately process SCAP data streams and perform required tasks.
    • Performance Testing: Assess the performance of your product to ensure it operates efficiently and effectively under typical and peak conditions.
    • Interoperability Testing: Verify that your product can interact seamlessly with other SCAP-compliant tools and systems.

  4. Documentation Preparation

    • Prepare Detailed Documentation: Create comprehensive documentation that outlines how your product complies with each SCAP 1.3 standard. This should include technical details, implementation processes, and evidence of compliance.
    • User Guides and Manuals: Provide user guides and manuals that explain how to use the SCAP-related features of your product.

  5. Submission for Validation

    • Choose an Accredited Lab: Select a SCAP 1.3 validation laboratory accredited by NIST. These labs are authorized to conduct SCAP compliance testing and validation.
    • Submit Your Product: Submit your product, along with the prepared documentation, to the selected validation lab.

  6. Validation Testing

    • Functional Testing by Lab: The lab will perform functional testing to verify that your product meets SCAP 1.3 standards. They will test for accurate parsing, processing, and generation of SCAP data.
    • Performance and Interoperability Testing: The lab will also conduct performance and interoperability testing to ensure your product operates efficiently and can work with other SCAP-compliant tools.

  7. Evaluation and Feedback

    • Review Test Results: The validation lab will provide a detailed report of the test results. Review this report to understand any issues or areas of non-compliance.
    • Address Issues: If there are any issues or areas where your product does not meet SCAP 1.3 standards, make the necessary changes and resubmit for re-testing if required.

  8. Certification

    • Approval: Once your product passes all tests, the validation lab will certify it as SCAP 1.3 compliant.
    • Official Listing: Your product will be listed on the NIST website as SCAP 1.3 validated, providing official recognition of its compliance.

  9. Maintenance and Updates

    • Continuous Compliance: Maintain your product’s compliance with SCAP 1.3 standards, especially as SCAP specifications evolve.
    • Periodic Re-Validation: Some products may need periodic re-validation to ensure ongoing compliance. Stay informed about any changes to SCAP requirements and update your product accordingly.
    • Customer Support: Provide support to your customers to help them understand and use the SCAP-compliant features of your product effectively.

Testing Laboratories: https://csrc.nist.gov/Projects/scap-validation-program/accredited-laboratories
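Step 2 above asks for code that can parse SCAP content, and step 6 says the lab tests exactly that. As an added illustration (not Fleet code and not part of this issue), the block below parses a constructed XCCDF 1.2 TestResult, the result document SCAP 1.3 scanners exchange, validates each rule outcome against the result values XCCDF defines, and derives a pass ratio. The sample XML, its rule ids and the hostname are constructed for the example; the namespace and the result vocabulary are from the XCCDF 1.2 specification. The pass ratio is a simplified summary, not the specification's default scoring model.

```python
"""Parse an XCCDF 1.2 TestResult and summarise rule outcomes.

Added example for the SCAP 1.3 discussion; not Fleet project code.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 is the benchmark/result language used by SCAP 1.3.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# The <result> values XCCDF 1.2 defines for a rule-result.
VALID_RESULTS = {"pass", "fail", "error", "unknown", "notapplicable",
                 "notchecked", "notselected", "informational", "fixed"}
# Outcomes included in the simplified pass ratio below.
SCORED = {"pass", "fail", "fixed"}

# Constructed sample input: one TestResult with three rule results.
SAMPLE_TEST_RESULT = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_example_testresult_sample"
            start-time="2024-07-23T09:00:00" end-time="2024-07-23T09:01:00">
  <benchmark href="example-xccdf.xml" id="xccdf_example_benchmark_sample"/>
  <profile idref="xccdf_example_profile_baseline"/>
  <target>host-01.example</target>
  <rule-result idref="xccdf_example_rule_disk_encryption" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_firewall_enabled" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_screen_lock" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""


def parse_test_result(xml_text):
    """Return benchmark/profile/target metadata and a list of rule results.

    Raises ValueError on a document that is not an XCCDF 1.2 TestResult,
    on a rule-result without a <result>, or on a result value outside the
    XCCDF vocabulary, so malformed content is rejected rather than scored.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}TestResult" % XCCDF_NS:
        raise ValueError("expected an XCCDF 1.2 TestResult, got %s" % root.tag)

    benchmark = root.find("x:benchmark", NS)
    profile = root.find("x:profile", NS)
    target = root.find("x:target", NS)

    rule_results = []
    for rr in root.findall("x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        if result_el is None or not result_el.text:
            raise ValueError("rule-result %s has no <result>" % rr.get("idref"))
        result = result_el.text.strip()
        if result not in VALID_RESULTS:
            raise ValueError("rule-result %s has invalid result %r"
                             % (rr.get("idref"), result))
        rule_results.append({
            "rule_id": rr.get("idref"),
            "result": result,
            "severity": rr.get("severity", "unknown"),
        })

    return {
        "benchmark_id": benchmark.get("id") if benchmark is not None else None,
        "profile_id": profile.get("idref") if profile is not None else None,
        "target": target.text.strip() if target is not None and target.text else None,
        "rule_results": rule_results,
    }


def summarize(rule_results):
    """Count outcomes and list the rule ids that failed."""
    counts = Counter(r["result"] for r in rule_results)
    failed = [r["rule_id"] for r in rule_results if r["result"] == "fail"]
    return {"counts": dict(counts), "failed": failed}


def pass_ratio(rule_results):
    """Fraction of scored rules (pass/fail/fixed) that passed; None if none scored."""
    scored = [r for r in rule_results if r["result"] in SCORED]
    if not scored:
        return None
    passed = sum(1 for r in scored if r["result"] in ("pass", "fixed"))
    return passed / len(scored)


if __name__ == "__main__":
    parsed = parse_test_result(SAMPLE_TEST_RESULT)
    print(parsed["benchmark_id"], parsed["profile_id"], parsed["target"])
    print(summarize(parsed["rule_results"]))
    print("pass ratio:", pass_ratio(parsed["rule_results"]))
```

Rules that are notapplicable, notchecked, notselected or informational are excluded from the ratio so that a benchmark with many non-applicable rules does not look artificially good or bad; a real implementation would follow the scoring model the benchmark declares.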

dherder commented 1 month ago

Sample vendor validation document: https://csrc.nist.gov/CSRC/media/Projects/Security-Content-Automation-Protocol-Validation-Pr/vendor%20validation/139-IBM-BigFix-Compliance-Vendor-Assertions.pdf

ireedy commented 1 month ago

Resources: A good place to start: https://www.open-scap.org/

Think we've already looked at this one: https://csrc.nist.gov/Projects/scap-validation-program/scap-1-3-validation

noahtalerman commented 1 month ago

Thanks @dherder and @ireedy.

My understanding is that SCAP is a way to measure whether security software has features that align w/ NIST standards. For example, does the security software detect CVEs.

Unlike FIPS, SCAP is more about the features and less about the underlying technology.

[Screenshot 2024-07-23 at 9 14 30 AM]

Does prospect-vetter use BigFix?

Looks like here are the SCAP 1.2 requirements that BigFix supports: [Screenshot 2024-07-23 at 9 11 35 AM]

Note that not all the boxes are checked.

If so, do we know if this ask from prospect-vetter is about Fleet producing (in addition to a formal report), given our features today, a similar chart with checks and dashes?

Or, do they expect Fleet to match BigFix's table? Or, do they expect Fleet to have all standards checked in the table? ✅

dherder commented 1 month ago

Thanks @noahtalerman. The ask is more about obtaining the SCAP 1.3 certification than matching BigFix on features. It was unclear to me how we would go about getting the certification and what checkboxes are optional vs required to achieve the certification.

noahtalerman commented 1 month ago

@dherder it sounds like obtaining "SCAP 1.3 Compliance" means you get assessed on which of these boxes are checked and which aren't. Is that your understanding?

[Screenshot 2024-07-23 at 9 11 35 AM]