[sacm] Request for a SACM BOF at IETF-86

"Romascanu, Dan (Dan)" <dromasca@avaya.com> Wed, 23 January 2013 15:35 UTC

From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: Sean Turner <turners@ieca.com>
Cc: "sacm@ietf.org" <sacm@ietf.org>
Subject: [sacm] Request for a SACM BOF at IETF-86

Hi Sean,

Please accept our request for a second, WG-forming SACM BOF at IETF-86, as follows: 

•Description: Securing information and the systems that store, process, and transmit that information has become a challenging task for organizations of all sizes, and we find that security practitioners spend most of their time on manual processes relegating them to ineffectiveness. Security automation to verify system configurations with the ability to prioritize risk based on increased situational awareness from shared intelligence is the key to escaping this rut. This working group will develop security automation protocols and data format standards in support of information security processes and practices where practical. These standards will help security practitioners to be better utilized within their organizations by automating routine tasks related to client and server security so that practitioners can focus on more advanced tasks. The initial focus of this work is to address enterprise use cases pertaining to the assessment of endpoint posture (using the definitions of Endpoint and Posture from RFC 5209).

•Responsible AD: Sean Turner 

•BoF Chairs: Kathleen Moriarty & Dan Romascanu

•Number of people expected to attend: 80 

•Length of session: 90 mins

•Conflicts to avoid: SEC area WGs especially MILE, XRBLOCK, EMAN, OPSAWG 

•Does it require WebEX? No 

•Does it require Meetecho? Yes 

•Mailing list: sacm@ietf.org

•List archive: https://www.ietf.org/mailman/listinfo/sacm

•Draft charter:

Name: Security Automation and Continuous Monitoring (SACM)
AREA: Security

Chairs:
TBD
TBD

Security Area Directors:
     Stephen Farrell <stephen.farrell at cs.tcd.ie>
     Sean Turner <turners at ieca.com>

Security Area Advisor:
     Sean Turner <turners at ieca.com>

Mailing Lists:
     General Discussion: sacm at ietf.org
     To Subscribe:       http://www.ietf.org/mailman/listinfo/sacm
     Archive:            http://www.ietf.org/mail-archive/web/sacm

Description of Working Group

Securing information and the systems that store, process, and transmit that information has become a challenging task for organizations of all sizes, and we find that security practitioners spend most of their time on manual processes relegating them to ineffectiveness. Security automation to verify system configurations with the ability to prioritize risk based on increased situational awareness from shared intelligence is the key to escaping this rut. This working group will develop security automation protocols and data format standards in support of information security processes and practices where practical. These standards will help security practitioners to be better utilized within their organizations by automating routine tasks related to client and server security so that practitioners can focus on more advanced tasks. The initial focus of this work is to address enterprise use cases pertaining to the assessment of endpoint posture (using the definitions of Endpoint and Posture from RFC 5209).

The working group will achieve this by enabling the exchange of shared intelligence regarding endpoint posture and continuing the security automation work already performed by various organizations around the world. The initial work has been fruitful, and the data formats previously published are ready for expansion on the international stage. Of particular interest to this working group are the security automation specifications supporting asset, change, configuration, and vulnerability management.

By undertaking this work, we recognize that there are multiple categories of problems in the security automation domain: enabling interoperable data exchanges through standardized protocols, defining expressions for particular domain concepts (i.e. data formats), establishing a standards-based foundation supporting the curation and exchange of security automation content collections in content repositories, and enabling interoperability through the development and use of standard interfaces and communications protocols. Content based on rich data standards and protocols will provide the authoritative instructions needed by data-driven tools to enable the automated collection and exchange of configuration and vulnerability data pertaining to enterprise assets. Information produced by these tools will provide accurate and timely situational awareness in support of organizational decision making.

The data exchange protocols will need to meet several exchange types including requesting assessments and reporting on assessment results.
Exchanging information across organizational boundaries will not be within scope for this effort at this time.

This working group will provide solutions to these categories of problems and the main areas of focus for this working group are described as follows:

1. Define, either by normative reference, adoption, or creation, a set of standards to enable assessment of endpoint posture. This area of focus provides for necessary language and data format specifications.

2. Define, either by normative reference, adoption, or creation, a set of standards for interacting with repositories of content related to assessment of endpoint posture.

This working group will achieve the following milestones:

- An Informational document on Use Cases and Requirements
- An Informational document on SACM Architecture
- A Standards Track document to define a protocol for interacting
  with content repositories
- Standards Track documents specifying communication protocols and
  data formats used for assessment of endpoint posture

After this work is completed, complementary deliverables may be defined.
 

•Internet-Drafts:
https://datatracker.ietf.org/doc/draft-waltermire-sacm-use-cases/
https://datatracker.ietf.org/doc/draft-booth-sacm-vuln-model/
https://datatracker.ietf.org/doc/draft-davidson-sacm-asr/
https://datatracker.ietf.org/doc/draft-hanna-sacm-assessment-protocols/
https://datatracker.ietf.org/doc/draft-montville-sacm-asset-identification/