Transformational Vulnerability Management Through Standards
March 2005
Robert A. Martin, The MITRE Corporation
ABSTRACT
The Department of Defense's new enterprise licenses for vulnerability
assessment and remediation tools [1,2] call for capabilities
that conform to both the Common Vulnerabilities and Exposures (CVE)
[3] and Open Vulnerability and Assessment Language (OVAL) [4] standards
efforts, as does a new Air Force enterprise-wide software agreement
with Microsoft [5]. These contracting activities are part of a larger
transformation in how the Department of Defense (DoD) manages
and measures the information assurance posture of its network-enabled
systems with respect to vulnerabilities, configuration settings, and
policy compliance. In combination with procedural changes, the adoption
of these [6] and other standards, such as the National Security Agency's
(NSA's) Extensible Markup Language (XML) Configuration Checklist
Data Format (XCCDF) [7], is making it possible to radically improve
the accuracy and timeliness of the DoD's remediation and measurement
activities, which are critical to ensuring the network and system integrity
of its network-centric warfare capabilities.
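The practical payoff of CVE-compatible tooling is that findings from different assessment and remediation products can be joined on a common identifier instead of reconciled by hand. The following is an added illustration, not code from the paper or from the CVE, OVAL or XCCDF projects: it takes two constructed, deliberately simplified XML fragments that only mimic the shape of OVAL results and XCCDF rule results (they are not schema-conformant, and the CVE numbers and definition ids in them are placeholders that describe no real vulnerability), correlates them by CVE id, and flags where the two sources agree, disagree, or cannot be matched at all. Everything in it (the element names, the `status` labels, the sample data) is an assumption made for the example.

```python
"""Correlate two tools' findings by CVE identifier (added example, not the paper's code).

The XML below is constructed and simplified: it imitates the shape of OVAL
results (definitions with CVE references) and XCCDF rule results (rules with
CVE idents) but does not claim conformance to either schema. The CVE ids are
placeholders and describe no real vulnerability.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# CVE-YYYY-NNNN; the sequence part is 4 digits in the 2005-era format and 4+ today.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

OVAL_RESULTS = """\
<results>
  <definition id="oval:example:def:1" result="true">
    <reference source="CVE" ref_id="CVE-2004-0001"/>
  </definition>
  <definition id="oval:example:def:2" result="false">
    <reference source="CVE" ref_id="CVE-2004-0002"/>
  </definition>
  <definition id="oval:example:def:3" result="true">
    <reference source="CVE" ref_id="CVE-2004-0003"/>
  </definition>
  <definition id="oval:example:def:4" result="true">
    <reference source="VENDOR" ref_id="vendor-bulletin-1"/>
  </definition>
</results>
"""

XCCDF_RESULTS = """\
<TestResult>
  <rule-result idref="patch-for-0001">
    <result>fail</result>
    <ident system="http://cve.mitre.org">CVE-2004-0001</ident>
  </rule-result>
  <rule-result idref="patch-for-0002">
    <result>fail</result>
    <ident system="http://cve.mitre.org">CVE-2004-0002</ident>
  </rule-result>
  <rule-result idref="config-password-length">
    <result>pass</result>
  </rule-result>
</TestResult>
"""


def oval_findings(xml_text):
    """Return ({cve: vulnerable_bool}, [definition ids with no CVE reference]).

    In OVAL a vulnerability definition evaluating to "true" means the system is
    vulnerable. Definitions that only carry a vendor reference cannot be joined
    with another tool's output by CVE id, so they are reported separately.
    """
    root = ET.fromstring(xml_text)
    by_cve, unmapped = {}, []
    for d in root.iter("definition"):
        vulnerable = d.get("result") == "true"
        cves = [r.get("ref_id") for r in d.findall("reference") if r.get("source") == "CVE"]
        cves = [c for c in cves if c and CVE_ID.match(c)]
        if not cves:
            unmapped.append(d.get("id"))
        for c in cves:
            by_cve[c] = vulnerable
    return by_cve, unmapped


def xccdf_findings(xml_text):
    """Return {cve: failed_bool}; a failed rule means the exposure is present."""
    root = ET.fromstring(xml_text)
    by_cve = {}
    for rr in root.iter("rule-result"):
        failed = (rr.findtext("result") or "").strip() == "fail"
        for ident in rr.findall("ident"):
            cve = (ident.text or "").strip()
            if CVE_ID.match(cve):
                by_cve[cve] = failed
    return by_cve


def correlate(oval_by_cve, xccdf_by_cve):
    """Join both sources on CVE id.

    status is 'confirmed' (both report exposure), 'clear' (neither does),
    'disagree' (the tools contradict each other and need a human look), or
    'single-source' (only one tool covers that CVE).
    """
    out = {}
    for cve in sorted(set(oval_by_cve) | set(xccdf_by_cve)):
        o, x = oval_by_cve.get(cve), xccdf_by_cve.get(cve)
        if o is None or x is None:
            status = "single-source"
        elif o and x:
            status = "confirmed"
        elif not o and not x:
            status = "clear"
        else:
            status = "disagree"
        out[cve] = {"oval": o, "xccdf": x, "status": status}
    return out


def summarize(correlated):
    """Count CVEs per status, the figure a posture report would roll up."""
    counts = defaultdict(int)
    for entry in correlated.values():
        counts[entry["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    oval, unmapped = oval_findings(OVAL_RESULTS)
    merged = correlate(oval, xccdf_findings(XCCDF_RESULTS))
    for cve, e in merged.items():
        print(f"{cve}: oval={e['oval']} xccdf={e['xccdf']} -> {e['status']}")
    print("summary:", summarize(merged))
    print("not correlatable (no CVE reference):", unmapped)
```

The `disagree` and `single-source` buckets are the point: with a shared identifier, a contradiction between a scanner and a checklist tool surfaces automatically as a line item, and a definition that carries only a vendor reference is visibly excluded from the join rather than silently double-counted or dropped.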
