I don’t want to bore you with yet another summary of what Security Content Automation Protocol (SCAP) is, how SCAP works, or how the mix of six XML-based standards works together. You can find that information all over the place.
I do want to talk about “the what” and “the why” of SCAP because those technologies could be affecting you sooner than you think.
If you work for or with a United States government agency and you work with computer security, then you have heard of the Federal Desktop Core Configuration (FDCC) initiative. The Office of Management and Budget (OMB) some time ago mandated standardization of computer configurations – the settings that govern how the system operates, which users can take what actions, etc. The goal of the FDCC initiative is to improve the security posture of all government desktop computer systems by defining what secure means.
It is possible to meet FDCC requirements without tools that perform configuration, and without tools that measure and report the configuration. However, doing so costs a lot and does not scale. On the other hand, the SCAP collection of technologies is being heavily promoted by the Department of Homeland Security, through the National Institute of Standards and Technology and the MITRE Corporation, as the preferred mechanism for measuring compliance with FDCC. In response, vendors are creating tools to accommodate those technologies.
“I’m not part of, nor do I work with, a US government agency,” you say, “so that does not affect me.” I wouldn’t be too certain of that, or I’d at least add “yet” to the end of the sentence. Let’s review some things we know.
You can see that the US government is not shy about mandating computer security controls.
You may also be aware that there is rising concern over “Cyber Warfare” and that one method of cyber warfare is the use of Botnets. One can make a convincing case that the best way to fight Botnets is to make them hard to create. One might also argue that Botnets are primarily composed of compromised consumer and small business computer systems. What might happen if (when?) the FDCC initiative shows a measurable increase in the cost to “pwn” a computer? I can already imagine various paths through which SCAP mandates might affect a wider audience.
So, be prepared – SCAP may be coming to a theater near you.