Introducing Security Content Automation Protocol (SCAP) to the Internet Engineering Task Force (IETF)

Overview

>From the beginning, the intent of the SCAP efforts has been to standardize areas allowing for real interoperability between security-related products.  SCAP and its component open data exchange specifications are being used in many different areas of network and computer security today.  From vulnerability management, to policy compliance, system configuration validation, network access, and threat reporting, SCAP usage is evolving and expanding. The security automation potential that SCAP provides is a real opportunity for the computing community to create a foundation of interoperability allowing much greater visibility into the state of our devices and networks.

The potential of SCAP is starting to be realized.  Independent testing labs have now validated SCAP compatibility in 40 products offered by 30 separate software vendors.  Numerous organizations are successfully using these products to reduce costs while improving security.  SCAP content can be and has been localized and is being sold globally.  But the full value of SCAP will only come when it achieves ubiquitous, worldwide adoption.

Additional information about SCAP is available at http://scap.nist.gov.

For this reason, leaders in the SCAP community (including NIST, NSA, MITRE, and commercial vendors) have decided to explore taking the most stable and successful SCAP specifications to the IETF for adoption as Standards Track RFCs.  This is a natural next step in the maturation of these efforts.
The IETF has a history of providing the structure and community needed to make standards efforts successful on a global scale (e.g. TCP, IP, HTTP, and TLS).  The SCAP community has done a good job getting the security automation component specifications to the level it has.  It is time however to widen the participation in these efforts and expand the areas that security automation addresses.

The SCAP specifications have been developed in a "publicly open participation" model. Anyone can participate and contribute. The intent was to assure all had a voice, from the commercial vendors, to the open source community, to governmental organizations and even to the individual contributors who just wanted to be a part of it.  This open dialog has assisted the community in assuring the SCAP specifications met the goals of the efforts and allowed the security community to buy into SCAP more quickly.  We will continue to use this model for the development of new SCAP specifications and capabilities.  For mature, stable specifications, IETF standardization will allow us to expand the circle of participation and adoption more widely.

Therefore, we invite all SCAP participants to join us in this new stage of our effort.  With your help, we can ensure that this stage is a success and that all requirements are properly considered. Read on to learn about the IETF and how you can be involved.

Introduction to the IETF

The IETF has been a cornerstone for the development of Internet protocols since 1986.  On its web site it states:

The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.

The actual technical work of the IETF is done in its working groups, which are organized by topic into several areas (e.g., routing, transport, security, etc.). Much of the work is handled via mailing lists. The IETF holds meetings three times per year.

The IETF's approach to participation and general structure are similar to the approaches SCAP development has used in the past but a bit more elaborate, as behooves an international standards body.    Information for IETF newcomers is available at http://www.ietf.org/newcomers.html. As described there, the first step in starting an IETF effort is a Birds of a Feather session, a BOF. Therefore, an SCAP BOF will be held at the next IETF meeting.

BOF Specifics: SCAP - Synergy of SCAP Program and IETF Activities

BOF Chairs: Steve Hanna, Kent Landfield
Responsible AD: Sean Turner
Location: IETF 79 - Beijing, China<http://www.ietf.org/meeting/79/index.html>

Goal:
Introduce the IETF community to the Security Content Automation Protocol (SCAP), discuss areas of synergy and overlap with IETF activities, and consider whether this technology is sufficiently mature for standardization. Finally, explore whether the IETF would be an appropriate venue for such standardization when ready.


Participating:

The BOF is scheduled for Tuesday, November 16th in the afternoon from 1520-1810, China Standard Time (UTC+8).  If you are unable to attend in person, but are still interested in participating there will be an audio stream available and a jabber room.  Specifics for the audio stream and jabber room will be made available in the near future.



We recognize that the time zone and location for this BOF are not convenient for many SCAP participants.  Rest assured that this is just one step in a lengthy process.  Assuming we proceed to create an SCAP Working Group, there will be many face-to-face meetings at IETF meetings around the world.  And the most important IETF activity happens on the email list anyway.  So there will be plenty of opportunities to participate even if you can't come to the Beijing BOF or participate by audio and jabber.



Internet Drafts:
Internet drafts (the first stage in the IETF standardization process) are in development focusing on XCCDF 1.1.4 and enumeration formats for CVE and CCE. We are targeting specifications for introduction to the IETF which we believe are well understood in the SCAP community.  For example, XCCDF is very stable, well documented and implemented by multiple vendors. Formats for the existing enumerations such as CVE and CCE are good candidates as well.  Note we are only talking about the actual enumeration formats, not the operational uses/administration of the enumerations.  That would remain outside the IETF, as it is today.

For more information on the BOF see the IETF BOFs page at

http://trac.tools.ietf.org/bof/trac/wiki/WikiStart#Security

To learn more about the IETF and its operations, take a look at http://www.ietf.org/tao.html.

How to participate

Please join us!

As a community, we need to assure the standards we depend on are vetted and recognized internationally. Working within the IETF allows us to build on the good work done within the SCAP community and establish a foundation for a globally recognized security automation framework.

We must ensure that the voices of experienced SCAP community members are well represented within the IETF standardization efforts.  IETF operates on the principles of rough consensus and running code.  We applaud this practical engineering approach, which echoes the practical approach taken with SCAP.  In order to ensure that our experience and expertise is properly considered during the IETF efforts, we MUST participate actively in the IETF process.  Therefore, it is essential for all of us who have been actively participating in SCAP development to also participate in the IETF SCAP effort moving forward.  As such a mailing list has been set up to discuss working with the IETF and to show your interest in the effort.  The IETF judges rough consensus based on email discussions NOT on face-to-face meeting attendance or voting. Therefore, it is ESSENTIAL that you join the SCAP mailing list and participate actively.  The mailing list is located at scap_interest@ietf.org<mailto:scap_interest@ietf.org>. The IETF uses Mailman to manage its mailing lists so to subscribe, fill in your information at https://www.ietf.org/mailman/listinfo/scap_interest. You will then receive a confirmation message in your inbox you will need to respond to in order to complete your subscription request.

Subscribe today!  Participate actively, especially on the email list!  We need your continued support to advance SCAP and security automation even further.

--
Kent Landfield
Director, Content Strategy, Architecture and Standards
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
kent_landfield@mcafee.com<mailto:kent_landfield@mcafee.com>