FW: XCCDF 1.2 Second Public Draft Released

Charles Schmidt (MITRE)
Administrator
Hi All,

I wanted to forward this along since the new version of XCCDF touches on
several other standards efforts. I summarize the main points of impact below
but this is probably not exhaustive:

OVAL - new complex-values allow exporting of lists to checking systems
OCIL - ditto
AI - fields for holding or referencing identifying information
CPE - update to use the new CPE 2.3

Comments on the new document and schema are welcome.

Thanks,
Charles

>-----Original Message-----
>From: [hidden email] [mailto:[hidden email]] On Behalf Of
>Waltermire, David A.
>Sent: Thursday, July 28, 2011 10:55 AM
>To: Multiple recipients of list
>Subject: XCCDF 1.2 Second Public Draft Released
>
>Community Members,
>
>
>
>I am pleased to announce the second public comment release of DRAFT NIST
>Interagency Report (NISTIR) 7275 Revision 4
><http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7275-r4> ,
>Specification for the Extensible Configuration Checklist Description Format
>(XCCDF) Version 1.2. XCCDF 1.2 supports the Security Content Automation
>Protocol (SCAP) version 1.2.
>
>
>
>The Extensible Configuration Checklist Description Format (XCCDF) Version
>1.2 is the latest revision of an Extensible Markup Language (XML) based
>model that enables the standardized expression of security configuration
>rules. The intent of XCCDF is to provide a uniform foundation for expression
>and compliance assessment of security checklists and other configuration
>guidance, and thereby foster more widespread application of sound security
>practices.
>
>
>
>The specification has been completely reorganized since the initial public
>comment draft to consolidate related material and improve the clarity of the
>specification. Other major changes from the first public comment draft to the
>second public comment draft include the following:
>
>* New high-level XCCDF conformance requirements for products and
>documents
>* Addition of tailoring documents for storing tailoring profiles
>* Updated namespace, along with guidelines on converting XCCDF 1.1.4
>content to XCCDF 1.2
>* TestResult element supports referencing asset identification
>information located in an external document
>* Support for Common Platform Enumeration (CPE) version 2.3 for
>platform specification
>* New mandatory standard format for identifiers (for Benchmark, Rule,
>Group, Value, Profile, TestResult, and Tailoring elements)
>* Addition of the multi-check attribute for Rule checks, to affect result
>reporting when multiple checks are executed to determine compliance with
>a single Rule
>* Support for zero-length lists in complex-values
>
>
>
>NIST requests comments on draft IR 7275 Revision 4 by August 15, 2011.
>Please submit comments to [hidden email]
><mailto:[hidden email]>  with "Comments IR 7275" in the subject
>line. Public comments may also be posted to [hidden email] by
>members of the xccdf-dev list.
>
>
>
>The XCCDF specification and other resources can be found at:
>
>
>
>http://scap.nist.gov/specifications/xccdf/
>
>
>
>Sincerely,
>
>
>
>David Waltermire
>
>SCAP Architect
>
>National Institute of Standards and Technology
>
>(301) 975-3390
>
>[hidden email] <mailto:[hidden email]>
>
>

Re: FW: XCCDF 1.2 Second Public Draft Released (UNCLASSIFIED)

WOLFKIEL, JOSEPH L CIV DISA PEO-MA
Classification:  UNCLASSIFIED
Caveats: NONE

Does it allow choice between the percent encoded and escape encoded versions, or just one?

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(301) 225-8820
[hidden email]


-----Original Message-----
From: Schmidt, Charles M. [mailto:[hidden email]]
Sent: Thursday, July 28, 2011 12:10 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft Released

Hi All,

I wanted to forward this along since the new version of XCCDF touches on
several other standards efforts. I summarize the main points of impact below
but this is probably not exhaustive:

OVAL - new complex-values allow exporting of lists to checking systems
OCIL - ditto
AI - fields for holding or referencing identifying information
CPE - update to use the new CPE 2.3

Comments on the new document and schema are welcome.

Thanks,
Charles


Re: FW: XCCDF 1.2 Second Public Draft Released (UNCLASSIFIED)

Waltermire, David A.
Joe,

Section 6.2.5 states "All CPE 2.3 names and applicability language expressions in XCCDF documents SHALL use formatted string bindings, as defined in [IR7695]." This requires the use of formatted strings. We could make this a SHOULD requirement stating a preference for formatted strings, making use of URIs possible.

Thoughts?

Sincerely,
 
David Waltermire
SCAP Architect
National Institute of Standards and Technology
(301) 975-3390
[hidden email]


> -----Original Message-----
> From: WOLFKIEL, JOSEPH L CIV DISA PEO-MA
> [mailto:[hidden email]]
> Sent: Thursday, July 28, 2011 12:22 PM
> To: [hidden email]
> Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft
> Released (UNCLASSIFIED)
>
> Classification:  UNCLASSIFIED
> Caveats: NONE
>
> Does it allow choice between the percent encoded and escape encoded
> versions, or just one?
>
> Joseph L. Wolfkiel
> Engineering Group Lead
> DISA PEO MA/IA52
> (301) 225-8820
> [hidden email]

Re: FW: XCCDF 1.2 Second Public Draft Released (UNCLASSIFIED)

Charles Schmidt (MITRE)
Administrator
I'll add that use of CPE 2.0 content is deprecated but still allowed for
backwards compatibility.

Charles

>-----Original Message-----
>From: Waltermire, David A. [mailto:[hidden email]]
>Sent: Thursday, July 28, 2011 11:26 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft
>Released (UNCLASSIFIED)
>
>Joe,
>
>Section 6.2.5 states "All CPE 2.3 names and applicability language expressions
>in XCCDF documents SHALL use formatted string bindings, as defined in
>[IR7695]." This requires the use of formatted strings. We could make this a
>SHOULD requirement stating a preference for formatted strings, making use
>of URIs possible.
>
>Thoughts?
>
>Sincerely,
>
>David Waltermire
>SCAP Architect
>National Institute of Standards and Technology
>(301) 975-3390
>[hidden email]

Re: FW: XCCDF 1.2 Second Public Draft Released (UNCLASSIFIED)

Waltermire, David A.
If we make the use of formatted strings as a SHOULD requirement, allowing the use of 2.3 URIs, then CPE 2.2 URIs will be a compatible use in their deprecated state.

Dave


> -----Original Message-----
> From: Schmidt, Charles M. [mailto:[hidden email]]
> Sent: Thursday, July 28, 2011 12:29 PM
> To: [hidden email]
> Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft
> Released (UNCLASSIFIED)
>
> I'll add that use of CPE 2.0 content is deprecated but still allowed for
> backwards compatibility.
>
> Charles

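Added example (not part of any message in this thread, and not NIST or MITRE code): a Python sketch of the choice being discussed, classifying each `<platform idref>` in an XCCDF 1.2 document as a CPE 2.3 formatted string or a URI binding and reporting it under the draft's Section 6.2.5 SHALL wording versus the proposed SHOULD. The sample document, the function names and the verdict labels are assumptions made for illustration, and the checks test the shape of a name only, not the full grammar in IR 7695.

```python
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: a Benchmark fragment holding only <platform> elements.
SAMPLE = r"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.example_benchmark_demo">
  <platform idref="cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*"/>
  <platform idref="cpe:/o:microsoft:windows_7:-:sp1"/>
  <platform idref="cpe:2.3:a:example:foo\:bar:1.0:*:*:*:*:*:*:*"/>
  <platform idref="cpe:/a:example:foo%3abar:1.0"/>
  <platform idref="cpe:2.3:a:example:foo"/>
</Benchmark>"""


def split_unescaped(s, sep=":"):
    """Split on sep, keeping backslash-escaped separators inside a field."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])  # escape pair stays with the field
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts


def classify_binding(name):
    """Return 'formatted-string', 'uri' or 'invalid' for a CPE name."""
    if name.startswith("cpe:2.3:"):
        # Formatted string: exactly 11 non-empty, colon-separated attributes,
        # with special characters quoted by a backslash.
        fields = split_unescaped(name[len("cpe:2.3:"):])
        if (len(fields) == 11 and all(fields)
                and fields[0] in ("a", "o", "h", "*", "-")):
            return "formatted-string"
        return "invalid"
    if name.startswith("cpe:/"):
        # URI binding (CPE 2.2 and 2.3 share this prefix): up to 7 components,
        # special characters percent-encoded, no backslash escapes.
        body = name[len("cpe:/"):]
        comps = body.split(":")
        if (1 <= len(comps) <= 7 and comps[0] in ("a", "o", "h")
                and "\\" not in body
                and not re.search(r"%(?![0-9A-Fa-f]{2})", body)):
            return "uri"
        return "invalid"
    return "invalid"


def check_platforms(xml_text, requirement="SHALL"):
    """Return (name, binding, verdict) for every <platform> element.

    requirement="SHALL" follows the draft wording quoted in the thread;
    "SHOULD" follows the proposed relaxation, where URIs are tolerated.
    """
    root = ET.fromstring(xml_text)
    results = []
    for el in root.iter("{%s}platform" % XCCDF_NS):
        name = el.get("idref", "")
        binding = classify_binding(name)
        if binding == "formatted-string":
            verdict = "ok"
        elif binding == "uri" and requirement == "SHOULD":
            verdict = "discouraged"
        else:
            verdict = "violation"
        results.append((name, binding, verdict))
    return results


if __name__ == "__main__":
    for req in ("SHALL", "SHOULD"):
        print(req)
        for name, binding, verdict in check_platforms(SAMPLE, req):
            print(f"  {verdict:11} {binding:16} {name}")
```
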
Re: FW: XCCDF 1.2 Second Public Draft Released (UNCLASSIFIED)

WOLFKIEL, JOSEPH L CIV DISA PEO-MA
Classification:  UNCLASSIFIED
Caveats: NONE

That would be my preference.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(301) 225-8820
[hidden email]


-----Original Message-----
From: Waltermire, David A. [mailto:[hidden email]]
Sent: Thursday, July 28, 2011 12:38 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft Released (UNCLASSIFIED)

If we make the use of formatted strings as a SHOULD requirement, allowing the use of 2.3 URIs, then CPE 2.2 URIs will be a compatible use in their deprecated state.

Dave



Re: FW: XCCDF 1.2 Second Public Draft Released (UNCLASSIFIED)

Waltermire, David A.
This sounds reasonable.

Dave

> -----Original Message-----
> From: WOLFKIEL, JOSEPH L CIV DISA PEO-MA
> [mailto:[hidden email]]
> Sent: Thursday, July 28, 2011 12:44 PM
> To: [hidden email]
> Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft
> Released (UNCLASSIFIED)
>
> Classification:  UNCLASSIFIED
> Caveats: NONE
>
> That would be my preference.
>
> Joseph L. Wolfkiel
> Engineering Group Lead
> DISA PEO MA/IA52
> (301) 225-8820
> [hidden email]
>
>
> -----Original Message-----
> From: Waltermire, David A. [mailto:[hidden email]]
> Sent: Thursday, July 28, 2011 12:38 PM
> To: [hidden email]
> Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft
> Released (UNCLASSIFIED)
>
> If we make the use of formatted strings as a SHOULD requirement,
> allowing the use of 2.3 URIs, then CPE 2.2 URIs will be a compatible
> use in their deprecated state.
>
> Dave
>
>
> > -----Original Message-----
> > From: Schmidt, Charles M. [mailto:[hidden email]]
> > Sent: Thursday, July 28, 2011 12:29 PM
> > To: [hidden email]
> > Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft
> > Released (UNCLASSIFIED)
> >
> > I'll add that use of CPE 2.0 content is deprecated but still allowed
> > for
> > backwards compatibility.
> >
> > Charles
> >
> > >-----Original Message-----
> > >From: Waltermire, David A. [mailto:[hidden email]]
> > >Sent: Thursday, July 28, 2011 11:26 AM
> > >To: cpe-discussion-list CPE Community Forum
> > >Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft
> > >Released (UNCLASSIFIED)
> > >
> > >Joe,
> > >
> > >Section 6.2.5 states "All CPE 2.3 names and applicability language expressions
> > >in XCCDF documents SHALL use formatted string bindings, as defined in
> > >[IR7695]." This requires the use of formatted strings. We could make this a
> > >SHOULD requirement stating a preference for formatted strings, making use
> > >of URIs possible.
> > >
> > >Thoughts?
> > >
> > >Sincerely,
> > >
> > >David Waltermire
> > >SCAP Architect
> > >National Institute of Standards and Technology
> > >(301) 975-3390
> > >[hidden email]
> > >
> > >
> > >> -----Original Message-----
> > >> From: WOLFKIEL, JOSEPH L CIV DISA PEO-MA
> > >> [mailto:[hidden email]]
> > >> Sent: Thursday, July 28, 2011 12:22 PM
> > >> To: [hidden email]
> > >> Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft
> > >> Released (UNCLASSIFIED)
> > >>
> > >> Classification:  UNCLASSIFIED
> > >> Caveats: NONE
> > >>
> > >> Does it allow choice between the percent encoded and escape encoded
> > >> versions, or just one?
> > >>
> > >> Joseph L. Wolfkiel
> > >> Engineering Group Lead
> > >> DISA PEO MA/IA52
> > >> (301) 225-8820
> > >> [hidden email]
> > >>
> > >>
> > >> Classification:  UNCLASSIFIED
> > >> Caveats: NONE
> Classification:  UNCLASSIFIED
> Caveats: NONE

Re: FW: XCCDF 1.2 Second Public Draft Released (UNCLASSIFIED)

Charles Schmidt (MITRE)
Administrator
Joe,

I'm personally neutral on this. That said, to tie this in to the previous
discussion on this topic, could you explain why you wouldn't want to use the
Formatted String binding for new CPE content?

For context, in the July 13 telecon there was, I believe, unanimous
consensus that the Formatted String binding was the direction to go in
*eventually*. The consensus on MUST vs. SHOULD was not quite as absolute,
but it was simply felt that the former was a much more effective way to reach
the ultimate objective. (Full minutes are here, but I think I summarized the
relevant points -
http://making-security-measurable.1364806.n2.nabble.com/attachment/6596256/0/TeleconMinutes-July13.pdf)

Do you disagree with the goal of moving towards the Formatted String
binding, or do you agree with that long-term goal but feel that a MUST is
simply too restrictive for new content at this time?

Charles

>-----Original Message-----
>From: Waltermire, David A. [mailto:[hidden email]]
>Sent: Thursday, July 28, 2011 11:45 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft
>Released (UNCLASSIFIED)
>
>This sounds reasonable.
>
>Dave
>


Re: FW: XCCDF 1.2 Second Public Draft Released (UNCLASSIFIED)

WOLFKIEL, JOSEPH L CIV DISA PEO-MA
Classification:  UNCLASSIFIED
Caveats: NONE

Mostly for backwards interoperability.  We have spent the past couple of years deploying an infrastructure in DoD based on the 2.2 CPE percent encoded format.  I'd like to be able to use current RegEx filters for percent encoded CPEs as long as possible so I can avoid rebuilding our infrastructure at a huge taxpayer expense.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(301) 225-8820
[hidden email]


-----Original Message-----
From: Schmidt, Charles M. [mailto:[hidden email]]
Sent: Thursday, July 28, 2011 1:00 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] FW: XCCDF 1.2 Second Public Draft Released (UNCLASSIFIED)

Joe,

I'm personally neutral on this. That said, to tie this in to the previous
discussion on this topic, could you explain why you wouldn't want to use the
Formatted String binding for new CPE content?

For context, in the July 13 telecon there was, I believe, unanimous
consensus that the Formatted String binding was the direction to go in
*eventually*. The consensus on MUST vs. SHOULD was not quite as absolute,
but it was simply felt that the former was a much more effective way to reach
the ultimate objective. (Full minutes are here, but I think I summarized the
relevant points -
http://making-security-measurable.1364806.n2.nabble.com/attachment/6596256/0/TeleconMinutes-July13.pdf)

Do you disagree with the goal of moving towards the Formatted String
binding, or do you agree with that long-term goal but feel that a MUST is
simply too restrictive for new content at this time?

Charles

Classification:  UNCLASSIFIED
Caveats: NONE
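
The interoperability concern in the message above (regular-expression filters written for percent-encoded CPE 2.2 URIs) can be illustrated with a shim that rebinds CPE 2.3 formatted strings to URIs before the existing filters run. This is an added example, not code from the thread or from NIST or DISA; it follows the NISTIR 7695 binding rules in simplified form (no validation of component contents), and the filter pattern and sample names are constructed.

```python
import re

# Component order after the "cpe:2.3:" prefix of a formatted string.
FS_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed legacy filter, written against the percent-encoded URI form.
LEGACY_FILTER = re.compile(r"^cpe:/a:microsoft:internet_explorer:8\.")


def split_fs(fs):
    """Split a formatted string on colons that are not backslash-escaped."""
    if not fs.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: %r" % fs)
    parts, cur, i = [], "", len("cpe:2.3:")
    while i < len(fs):
        if fs[i] == "\\":
            cur += fs[i:i + 2]          # keep the escape pair together
            i += 2
        elif fs[i] == ":":
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += fs[i]
            i += 1
    parts.append(cur)
    if len(parts) != len(FS_FIELDS):
        raise ValueError("expected 11 components, got %d" % len(parts))
    return dict(zip(FS_FIELDS, parts))


def uri_component(value):
    """Rebind one formatted-string component to its URI spelling."""
    if value == "*":                    # logical ANY is an empty URI field
        return ""
    out, i = "", 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 1 == len(value):
                raise ValueError("dangling backslash in %r" % value)
            esc = value[i + 1]
            # period, hyphen and underscore are never percent-encoded
            out += esc if esc in ".-_" else "%%%02x" % ord(esc)
            i += 2
        else:
            # unescaped ? and * are wildcards with reserved encodings
            out += {"?": "%01", "*": "%02"}.get(ch, ch)
            i += 1
    return out


def fs_to_uri(fs):
    """Convert a CPE 2.3 formatted string to the URI binding."""
    c = {k: uri_component(v) for k, v in split_fs(fs).items()}
    extended = [c["sw_edition"], c["target_sw"], c["target_hw"], c["other"]]
    edition = c["edition"]
    if any(extended):
        # 2.3-only attributes are packed into the edition field with tildes
        edition = "~" + "~".join([edition] + extended)
    fields = [c["part"], c["vendor"], c["product"], c["version"],
              c["update"], edition, c["language"]]
    return "cpe:/" + ":".join(fields).rstrip(":")


def normalize(name):
    """Return the URI form of a name given in either binding."""
    if name.startswith("cpe:2.3:"):
        return fs_to_uri(name)
    if name.startswith("cpe:/"):
        return name
    raise ValueError("unrecognized CPE binding: %r" % name)


def matches_legacy(name):
    """Apply the unchanged legacy filter to a name in either binding."""
    return bool(LEGACY_FILTER.search(normalize(name)))
```

A 2.3 name that sets sw_edition, target_sw, target_hw or other produces a tilde-packed edition field, which filters written against 2.2 content will not anticipate.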

