MITRE's Security Standards Support Massive Government IT Alignment

January 2009

Viruses, hackers, and bugs are every computer owner's nightmare. As we all know, it's important to keep operating systems protected from malicious attacks, which can debilitate a computer—or an entire network. In late 2006, for example, a cyber intrusion disabled the U.S. Naval War College's network, forcing the college to shut down its email and computer systems for several weeks.

To reduce computer vulnerability, the federal government has issued a mandate requiring all U.S. agencies to standardize the approximately 300 settings on each and every Windows XP and Vista computer. That means every federally owned desktop and laptop computer running Windows XP or Vista used by organizations as diverse as the U.S. Army and the Census Bureau must comply with the Federal Desktop Core Configuration (FDCC).

The FDCC is a set of operating system configurations designed to improve security. Some of those configuration checks include things as simple as aligning clock settings, all the way up to verifying the safety of installed products and confirming ownership and other data on IT assets such as workstations, servers, and routers. Millions of federal computers must be in compliance.

"This baseline of configuration settings is meant to strengthen federal IT security by reducing the chance for hackers to access and exploit government computer systems," explains Andrew Buttner, a lead information security engineer at MITRE. "Having secure configuration uniformly followed across the entire federal enterprise also reduces costs and lessens compatibility conflicts for each specific platform."

The chief way the government is helping its employees successfully attain compliance with the FDCC is through the Security Content Automation Protocol (SCAP). SCAP (pronounced "ess-cap") uses specific standards that automate the way computers detect vulnerabilities and verify that computers are following required security policies.

Within SCAP's catalog of approximately 300 checks for Microsoft XP and Vista are several specific safeguards that MITRE engineers have developed for industry and government use.

While the FDCC started by defining secure configurations for Windows XP and Vista systems, other operating systems have not been forgotten. The work that went into creating the FDCC for Windows XP and Vista is being leveraged in the development of FDCC for popular Unix-based operating systems. It is expected that FDCC with SCAP checklists will be available in the near future. This will better support diversity of platforms within an organization.

The four MITRE-developed standards being used in SCAP include the Open Vulnerability and Assessment Language (OVAL), an international information security community yardstick that promotes publicly available security content; the Common Vulnerabilities and Exposures (CVE) List, a public dictionary of known security threats; the Common Platform Enumeration (CPE), a structured naming scheme for IT systems, platforms, and packages; and the Common Configuration Enumeration (CCE), a list of unique tags that provide for quick, accurate configuration data correlation with accepted settings found in security guides, data files, or benchmark standards.

"MITRE has a history in creating IT standards," explains Robert Martin, principal engineer. "We began building consensus among industry, government, and academia 10 years ago on CVE. It quickly evolved and became the first standard to be adopted by the SCAP program."

Making the Grade

It's quite an undertaking to bring all federal computers in line. The Army alone has more than 800,000 desktop computers that must fall in formation with the FDCC. Determining compliance and sustaining these new settings can be a daunting task, requiring significant time and, occasionally, manual efforts. "SCAP, however, is intended to enable automated checking of the specified settings," Buttner says.

The FDCC's automated assessment framework was authored by the National Institute of Standards and Technology (NIST), with help from the National Security Agency. As NIST began devising a program to bring federal computers into compliance, they approached MITRE's security experts for assistance on several aspects that would help mechanize the many configuration guides.

"Given our expertise in standards, we were involved in many early talks with NIST to help them understand the MITRE standards and guide them while they set up SCAP," Martin recalls. "For example, when they had conferences, we'd give talks on our standards to help them grow their SCAP efforts."

In fact, long before the FDCC was devised, MITRE had earned a reputation for achieving consensus in a large portion of the industry in order to solve a problem. Since 1998, Martin and other members of his team have worked tirelessly to get various public and private stakeholders to work together to create common security benchmarks.

"We believed that standard lists, accepted by everyone in the security community, would help our sponsors secure their own systems," he says. "We achieved a common vision by outlining the clear value in collaborating on a standard and showing what each party's stake would be in the results."

Martin says one of the most important aspects behind the success of CVE was speaking with vendors to learn what they were doing, what they needed security-wise, and how they were solving the problems of tracking unpatched—and therefore vulnerable—computers.

NIST was one of the earliest supporters of CVE's creation. "From the start, they saw the value of creating a dictionary that provides a baseline index point for evaluating coverage of tools and services," Martin says. "They drafted a special publication to promote CVE's application to the federal government. They have subsequently referenced the use of CVE in many of their published guidelines."

Since CVE was established, MITRE, as a not-for-profit company chartered to work in the public interest, has continued to play an impartial yet integral role in standards development and computer security. CVE, as well as OVAL, CPE, and CCE, are part of MITRE's "Making Security Measurable" collection, a publicly available repository of information about cyber security standards and related efforts for everything from patch guidance and asset management to threat assessment and malware response.

"Our ongoing collaborative relationships with government, industry, and academic stakeholders encourage this information-sharing that ultimately improves everyone's security," Martin points out.

World-Wide Standards

MITRE's standards are used beyond the FDCC and SCAP. The software assurance industry applies MITRE-authored standards towards everyday technology challenges such as attack patterns and source-code analysis.

As moderator of these standards, "We continue striving for community consensus," says Buttner. "We constantly collaborate with vendors and industry experts on possible solutions to meet current and evolving needs, which is how we determine where we're going from a technical standpoint."

To support and collaborate with all constituents of the information security realm, including IT specialists in government, academia, and the private sector, MITRE's security experts routinely take part in major industry conferences. That includes the RSA Security Conference in San Francisco, the world's largest information security forum; Black Hat Briefings, a gathering of thought leaders where insights and knowledge are exchanged; and InfoSec World, a conference for those in charge of developing and applying best practices.

"These meetings are a platform for us to educate the public on our standards," Buttner says.

With OVAL, CPE, CVE, and CCE playing a role in the FDCC's massive endeavor, MITRE's standards team maintains a firm commitment to global IT security.

"Our goal is to continue to drive community consensus on the technical challenges we're faced with," Buttner concludes.

—by Cheryl B. Scaparrotta

Page last updated: January 7, 2009