draft-ietf-sacm-vuln-scenario-01.txt   draft-ietf-sacm-vuln-scenario-02.txt 
SACM C. Coffin SACM C. Coffin
Internet-Draft B. Cheikes Internet-Draft B. Cheikes
Intended status: Informational C. Schmidt Intended status: Informational C. Schmidt
Expires: January 8, 2017 D. Haynes Expires: March 13, 2017 D. Haynes
The MITRE Corporation The MITRE Corporation
J. Fitzgerald-McKay J. Fitzgerald-McKay
Department of Defense Department of Defense
D. Waltermire D. Waltermire
National Institute of Standards and Technology National Institute of Standards and Technology
July 7, 2016 September 9, 2016
SACM Vulnerability Assessment Scenario SACM Vulnerability Assessment Scenario
draft-ietf-sacm-vuln-scenario-01 draft-ietf-sacm-vuln-scenario-02
Abstract Abstract
This document describes an automated enterprise vulnerability This document describes an automated enterprise vulnerability
assessment scenario aligned with the SACM Use Cases. The scenario assessment scenario aligned with the SACM Use Cases. The scenario
assumes the existence of an endpoint management capability and begins assumes the existence of endpoint management capabilities and begins
with an enterprise ingesting vulnerability description information. with an enterprise ingesting vulnerability description information.
Endpoints are assessed against the vulnerability description Endpoints are assessed against the vulnerability description
information based on a combination of examining known endpoint information based on a combination of examining known endpoint
characterization information and collected endpoint information. characterization information and collected endpoint information.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 8, 2017. This Internet-Draft will expire on March 13, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
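Review bot: the Abstract still says endpoints are "assessed against the vulnerability description information", while the Terminology and Section 5 text in this same diff state that a vulnerability applies when the endpoint satisfies the conditions expressed in the vulnerability detection data derived from that information. Since the -02 edit already touches this paragraph ("endpoint management capabilities"), consider aligning the Abstract with that distinction, e.g. "Endpoints are assessed against vulnerability detection data derived from the vulnerability description information".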
skipping to change at page 2, line 21 skipping to change at page 2, line 21
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Vulnerability Assessment Pre-requisites . . . . . . . . . . . 4 4. Vulnerability Assessment Pre-requisites . . . . . . . . . . . 4
4.1. Endpoint Management Capability . . . . . . . . . . . . . 4 4.1. Endpoint Management Capabilities . . . . . . . . . . . . 5
4.2. Vulnerability Description Information . . . . . . . . . . 5 4.2. Vulnerability Description Information . . . . . . . . . . 5
5. Endpoint Vulnerability Assessment Capability . . . . . . . . 5 5. Endpoint Vulnerability Assessment Capabilities . . . . . . . 5
6. Vulnerability Assessment Results . . . . . . . . . . . . . . 7 6. Vulnerability Assessment Results . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. Informative References . . . . . . . . . . . . . . . . . . . 7 9. Informative References . . . . . . . . . . . . . . . . . . . 7
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 8 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 8
A.1. Changes in Revision -01 . . . . . . . . . . . . . . . . . 8 A.1. Changes in Revision -02 . . . . . . . . . . . . . . . . . 8
A.2. Changes Since Adopted as a WG I-D -00 . . . . . . . . . . 9 A.2. Changes in Revision -01 . . . . . . . . . . . . . . . . . 9
A.3. Changes in Revision draft-coffin-sacm-vuln-scenario-01 . 9 A.3. Changes Since Adopted as a WG I-D -00 . . . . . . . . . . 9
A.4. Changes in Revision draft-coffin-sacm-vuln-scenario-01 . 10
Appendix B. Implementation Examples . . . . . . . . . . . . . . 11 Appendix B. Implementation Examples . . . . . . . . . . . . . . 11
B.1. Endpoint Data Collection . . . . . . . . . . . . . . . . 11 B.1. Endpoint Data Collection . . . . . . . . . . . . . . . . 11
B.2. Vulnerability Description Information . . . . . . . . . . 12 B.2. Vulnerability Description Information . . . . . . . . . . 12
B.3. Secondary Assessment . . . . . . . . . . . . . . . . . . 12 B.3. Secondary Assessment . . . . . . . . . . . . . . . . . . 12
B.4. Assessment Results . . . . . . . . . . . . . . . . . . . 12 B.4. Assessment Results . . . . . . . . . . . . . . . . . . . 13
Appendix C. Priority . . . . . . . . . . . . . . . . . . . . . . 13 Appendix C. Priority . . . . . . . . . . . . . . . . . . . . . . 13
Appendix D. SACM Usage Scenarios . . . . . . . . . . . . . . . . 14 Appendix D. SACM Usage Scenarios . . . . . . . . . . . . . . . . 14
Appendix E. SACM Requirements and Charter - Future Work . . . . 15 Appendix E. SACM Requirements and Charter - Future Work . . . . 16
Appendix F. SACM Use Case Alignment . . . . . . . . . . . . . . 16 Appendix F. SACM Use Case Alignment . . . . . . . . . . . . . . 16
F.1. Endpoint Identification . . . . . . . . . . . . . . . . . 16 F.1. Endpoint Identification . . . . . . . . . . . . . . . . . 16
F.2. Endpoint Data Collection . . . . . . . . . . . . . . . . 16 F.2. Endpoint Data Collection . . . . . . . . . . . . . . . . 16
F.3. Vulnerability Description Information . . . . . . . . . . 17 F.3. Vulnerability Description Information . . . . . . . . . . 17
F.4. Applicability . . . . . . . . . . . . . . . . . . . . . . 17 F.4. Applicability . . . . . . . . . . . . . . . . . . . . . . 17
F.5. Secondary Assessment . . . . . . . . . . . . . . . . . . 17 F.5. Secondary Assessment . . . . . . . . . . . . . . . . . . 17
F.6. Assessment Results . . . . . . . . . . . . . . . . . . . 17 F.6. Assessment Results . . . . . . . . . . . . . . . . . . . 18
Appendix G. Alignment with Other Existing Works . . . . . . . . 17 Appendix G. Alignment with Other Existing Works . . . . . . . . 18
G.1. Critical Security Controls . . . . . . . . . . . . . . . 17 G.1. Critical Security Controls . . . . . . . . . . . . . . . 18
G.1.1. Continuous Vulnerability Assessment . . . . . . . . . 18 G.1.1. Continuous Vulnerability Assessment . . . . . . . . . 18
G.1.2. Hardware and Software Inventories . . . . . . . . . . 19 G.1.2. Hardware and Software Inventories . . . . . . . . . . 19
Appendix H. Continuous Vulnerability Assessment . . . . . . . . 19 Appendix H. Continuous Vulnerability Assessment . . . . . . . . 20
Appendix I. Data Attribute Table . . . . . . . . . . . . . . . . 20 Appendix I. Data Attribute Table . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
This document describes a detailed, enterprise-specific vulnerability This document describes a detailed, enterprise-specific vulnerability
assessment scenario from which information model elements can be assessment scenario from which information model elements can be
discovered. This scenario also informs protocol and data model discovered. This scenario also informs protocol and data model
development in support of vulnerability assessment, as part of development in support of vulnerability assessment, as part of
overall posture assessment (see Appendix B for examples of solutions overall posture assessment (see Appendix B for examples of solutions
skipping to change at page 3, line 32 skipping to change at page 3, line 33
2. Terminology 2. Terminology
Vulnerability description information: Information pertaining to the Vulnerability description information: Information pertaining to the
existence of a flaw or flaws in software, hardware, and/or existence of a flaw or flaws in software, hardware, and/or
firmware, which could potentially have an adverse impact on firmware, which could potentially have an adverse impact on
enterprise IT functionality and/or security. Vulnerability enterprise IT functionality and/or security. Vulnerability
description information should contain enough information to description information should contain enough information to
support vulnerability detection. support vulnerability detection.
Vulnerability detection data: A type of guidance extracted from Vulnerability detection data: A type of guidance extracted or
vulnerability description information that describes the derived from vulnerability description information that
specific mechanisms of vulnerability detection that is used by describes the specific mechanisms of vulnerability detection
an enterprise's vulnerability management capability to that is used by an enterprise's vulnerability management
determine if a vulnerability is present on an endpoint. capabilities to determine if a vulnerability is present on an
endpoint.
Endpoint management capability: An enterprise IT capability managing Endpoint management capabilities: An enterprise IT department's
endpoint identity, endpoint information, and associated ability to manage endpoint identity, endpoint information, and
metadata on an ongoing basis. associated metadata on an ongoing basis.
Vulnerability management capability: An enterprise IT capability Vulnerability management capabilities: An enterprise IT department's
managing endpoint vulnerabilities and associated metadata on an ability to manage endpoint vulnerabilities and associated
ongoing basis by ingesting vulnerability description metadata on an ongoing basis by ingesting vulnerability
information and vulnerability detection data, and performing a description information and vulnerability detection data, and
vulnerability assessment. performing vulnerability assessments.
Vulnerability assessment: The process of determining whether a set Vulnerability assessment capabilities: An enterprise IT department's
of endpoints is vulnerable according to the information ability to determine whether a set of endpoints is vulnerable
contained in the vulnerability description information. according to the information contained in the vulnerability
description information.
3. Assumptions 3. Assumptions
A number of assumptions must be stated in order to further clarify A number of assumptions must be stated in order to further clarify
the position and scope of this document. the position and scope of this document.
The document assumes that: The document assumes that:
o The enterprise has received vulnerability description information, o The enterprise has received vulnerability description information,
and that the information has already been processed into and that the information has already been processed into
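Review bot: in Section 2 the -02 text renames the defined term "Vulnerability assessment" (the process) to "Vulnerability assessment capabilities", but "vulnerability assessment" is still used as a process noun in the same hunk ("performing vulnerability assessments" under vulnerability management capabilities) and in Section 5 ("A vulnerability assessment (i.e. vulnerability detection) is performed in two steps"), so the process itself no longer has a definition; suggest keeping a separate entry for the process next to the new capabilities entry. Also, in the "Vulnerability detection data" entry, "mechanisms of vulnerability detection that is used" should read "that are used".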
skipping to change at page 4, line 26 skipping to change at page 4, line 28
o The enterprise has a means of identifying enterprise endpoints o The enterprise has a means of identifying enterprise endpoints
through the execution of Target Endpoint Discovery Tasks although through the execution of Target Endpoint Discovery Tasks although
assertions about some details of this capability are made. assertions about some details of this capability are made.
o The enterprise has a means of extracting relevant information o The enterprise has a means of extracting relevant information
about enterprise endpoints in a form that is compatible with the about enterprise endpoints in a form that is compatible with the
vulnerability description data. vulnerability description data.
o All information described in this scenario is available in the o All information described in this scenario is available in the
vulnerability description data and serves as the basis of this vulnerability description data and serves as the basis of
assessment. assessments.
o The enterprise can provide all relevant information about any o The enterprise can provide all relevant information about any
endpoint needed to perform the described assessment. endpoint needed to perform the described assessment.
o The enterprise has a mechanism for long-term storage of o The enterprise has a mechanism for long-term storage of
vulnerability description information, vulnerability detection vulnerability description information, vulnerability detection
data, and vulnerability assessment results. data, and vulnerability assessment results.
o The enterprise has a procedure for reassessment of endpoints at o The enterprise has a procedure for reassessment of endpoints at
some point after initial assessment (see Appendix H for more some point after initial assessment (see Appendix H for more
information). information).
4. Vulnerability Assessment Pre-requisites 4. Vulnerability Assessment Pre-requisites
In order to successfully support the vulnerability assessment In order to successfully support the vulnerability assessment
scenario, an enterprise needs to have the following capabilities scenario, an enterprise needs to have the following capabilities
deployed on their network and information readily available. deployed on their network and information readily available.
4.1. Endpoint Management Capability 4.1. Endpoint Management Capabilities
An endpoint management capability is assumed to be in place within Endpoint management capabilities are assumed to be in place within
the enterprise, and is expected to collect a minimum set of the enterprise, and are expected to collect a minimum set of
attributes from the endpoints under management via Collection Tasks attributes from the endpoints under management via Collection Tasks
and to establish an endpoint's identity within the scope of that and to establish an endpoint's identity within the scope of that
domain. Endpoint identity can be established by collecting certain domain. Endpoint identity can be established by collecting certain
identifying attributes, collectively known as the Target Endpoint identifying attributes, collectively known as the Target Endpoint
Identifier, that allow for unique and persistent tracking of Identifier, that allow for unique and persistent tracking of
endpoints on the enterprise network. Examples include, but are not endpoints on the enterprise network. Examples include, but are not
limited to, IP address, MAC address, Fully Qualified Domain Names limited to, IP address, MAC address, Fully Qualified Domain Names
(FQDNs), pre-provisioned identifiers such as Globally Unique (FQDNs), pre-provisioned identifiers such as Globally Unique
Identifiers (GUIDs) or copies of serial numbers, certificates, Identifiers (GUIDs) or copies of serial numbers, certificates,
hardware identity values, or similar attributes. To simplify the hardware identity values, or similar attributes. To simplify the
identification of an endpoint, a Target Endpoint Label may be created identification of an endpoint, a Target Endpoint Label may be created
and assigned to refer to the Target Endpoint Identifier. All of the and assigned to refer to the Target Endpoint Identifier. All of the
information collected by the endpoint management capability is information collected by the endpoint management capabilities is
stored, with appropriate metadata (i.e. timestamp), in a central stored, with appropriate metadata (i.e. timestamp), in a central
location and used to build up a Target Endpoint Characterization location and used to build up a Target Endpoint Characterization
Record and Target Endpoint Profile via a Target Endpoint Record and Target Endpoint Profile via a Target Endpoint
Characterization Task. The endpoint management capability is Characterization Task. The endpoint management capabilities are
expected to be performed on an ongoing basis, resulting in routine, expected to be performed on an ongoing basis, resulting in routine,
or even event-driven, collection of basic endpoint information. or even event-driven, collection of basic endpoint information.
See Appendix I for information-specific details. See Appendix I for information-specific details.
4.2. Vulnerability Description Information 4.2. Vulnerability Description Information
Vulnerability description information is expected to be periodically Vulnerability description information is expected to be periodically
received by the enterprise. Upon receipt, the vulnerability received by the enterprise. Upon receipt, the vulnerability
description information is expected to be assigned a unique tracking description information is expected to be assigned a unique tracking
identifier, stored in a repository (with appropriate metadata) in raw identifier, stored in a repository (with appropriate metadata) in raw
form, and transformed into a machine-readable vulnerability detection form, and transformed into a machine-readable vulnerability detection
data with unique tracking identifier understood by the components data with unique tracking identifier understood by the components
described by this scenario. This transformed form can be referred to described by this scenario. This transformed form can be referred to
as the vulnerability detection data. At some point, receipt and as the vulnerability detection data. At some point, receipt and
processing of vulnerability description data is expected to trigger processing of vulnerability description data is expected to trigger
the vulnerability assessment. the vulnerability assessment.
See Appendix I for information-specific details. See Appendix I for information-specific details.
5. Endpoint Vulnerability Assessment Capability 5. Endpoint Vulnerability Assessment Capabilities
When new vulnerability description information is received by the When new vulnerability description information is received by the
enterprise, affected endpoints are identified and assessed. The enterprise, affected endpoints are identified and assessed. The
vulnerability is said to apply to an endpoint if the endpoint vulnerability is said to apply to an endpoint if the endpoint
satisfies the conditions expressed in the vulnerability detection satisfies the conditions expressed in the vulnerability detection
data. data.
A vulnerability assessment (i.e. vulnerability detection) is A vulnerability assessment (i.e. vulnerability detection) is
performed in two steps: performed in two steps:
o Endpoint information collected by the endpoint management o Endpoint information collected by the endpoint management
capability is examined by the vulnerability management capability capabilities is examined by the vulnerability management
through Evaluation Tasks. capabilities through Evaluation Tasks.
o If the data possessed by the endpoint management capability is o If the data possessed by the endpoint management capabilities is
insufficient, a Collection Task is triggered and the necessary insufficient, a Collection Task is triggered and the necessary
data is collected from the target endpoint. data is collected from the target endpoint.
Vulnerability detection relies on the examination of different Vulnerability detection relies on the examination of different
endpoint information depending on the nature of a specific endpoint information depending on the nature of a specific
vulnerability. Common endpoint information used to detect a vulnerability. Common endpoint information used to detect a
vulnerability includes: vulnerability includes:
o A specific software version is installed on the endpoint o A specific software version is installed on the endpoint
o File system attributes o File system attributes
o Specific state attributes o Specific state attributes
In many cases, the endpoint information needed to determine an In many cases, the endpoint information needed to determine an
endpoint's vulnerability status will have been previously collected endpoint's vulnerability status will have been previously collected
by the Endpoint Management Capability and available in a Repository. by the endpoint management capabilities and available in a
However, in other cases, the necessary endpoint information will not Repository. However, in other cases, the necessary endpoint
be readily available in a Repository and a Collection Task will be information will not be readily available in a Repository and a
triggered to collect it from the target endpoint. Of course, an Collection Task will be triggered to collect it from the target
implementation of an endpoint management capability may prefer to endpoint. Of course, some implementations of endpoint management
enable operators to perform this collection under certain capabilities may prefer to enable operators to perform this
circumstances, even when sufficient information can be provided by collection under certain circumstances, even when sufficient
the endpoint management capability (e.g. there may be freshness information can be provided by the endpoint management capabilities
requirements for information). (e.g. there may be freshness requirements for information).
The collection of additional endpoint information for the purpose of The collection of additional endpoint information for the purpose of
vulnerability assessment does not necessarily need to be a pull by vulnerability assessment does not necessarily need to be a pull by
the vulnerability assessment capability. Over time, some new pieces the vulnerability assessment capabilities. Over time, some new
of information that are needed during common types of assessments pieces of information that are needed during common types of
might be identified. An endpoint management capability can be assessments might be identified. Endpoint management capabilities
reconfigured to have this information delivered automatically. This can be reconfigured to have this information delivered automatically.
avoids the need to trigger additional Collection Tasks to gather this This avoids the need to trigger additional Collection Tasks to gather
information during assessments, streamlining the assessment process. this information during assessments, streamlining the assessment
Likewise, it might be observed that certain information delivered by process. Likewise, it might be observed that certain information
an endpoint management capability is rarely used. In this case, it delivered by endpoint management capabilities is rarely used. In
might be useful to re-configure the endpoint management capability to this case, it might be useful to re-configure the endpoint management
no longer collect this information to reduce network and processing capabilities to no longer collect this information to reduce network
overhead. Instead, a new Collection Task can be triggered to gather and processing overhead. Instead, a new Collection Task can be
this data on the rare occasions when it is needed. triggered to gather this data on the rare occasions when it is
needed.
See Appendix I for information-specific details. See Appendix I for information-specific details.
6. Vulnerability Assessment Results 6. Vulnerability Assessment Results
Vulnerability assessment results present evaluation results along Vulnerability assessment results present evaluation results along
with sufficient context, so that appropriate action can be taken. with sufficient context, so that appropriate action can be taken.
Vulnerability assessment results are ideally stored for later use. Vulnerability assessment results are ideally stored for later use.
See Appendix I for information-specific details. See Appendix I for information-specific details.
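Review bot: Section 5 names two different actors for the assessing side, "vulnerability management capabilities" in the first bullet ("is examined by the vulnerability management capabilities through Evaluation Tasks") and "vulnerability assessment capabilities" in the last paragraph ("does not necessarily need to be a pull by the vulnerability assessment capabilities"), and Section 2 now defines these as distinct terms; pick one for the assessing actor or state how the two relate. In the same section, the sentence "some implementations of endpoint management capabilities may prefer to enable operators to perform this collection ... even when sufficient information can be provided by the endpoint management capabilities" puts the endpoint management capabilities on both sides; the component that chooses to re-collect despite available data is the assessing side, so the subject should probably be the vulnerability management capabilities. Minor: "(i.e. timestamp)" in Section 4.1 gives one example of metadata and should be "e.g.".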
skipping to change at page 7, line 45 skipping to change at page 8, line 5
[critical-controls] [critical-controls]
Center for Internet Security, "Critical Security Controls, Center for Internet Security, "Critical Security Controls,
Version 6.0", <https://www.cisecurity.org/critical- Version 6.0", <https://www.cisecurity.org/critical-
controls.cfm>. controls.cfm>.
[cvrf] Industry Consortium for Advancement of Security on the [cvrf] Industry Consortium for Advancement of Security on the
Internet, "Common Vulnerability and Reporting Framework", Internet, "Common Vulnerability and Reporting Framework",
May 2012, <http://www.icasi.org/cvrf/>. May 2012, <http://www.icasi.org/cvrf/>.
[draft-hansbury-sacm-oval-info-model-mapping-02]
Security Automation and Continuous Monitoring, "OVAL and
the SACM Information Model", March 2016,
<https://datatracker.ietf.org/doc/draft-hansbury-sacm-
oval-info-model-mapping>.
[I-D.coffin-sacm-nea-swid-patnc] [I-D.coffin-sacm-nea-swid-patnc]
Coffin, C., Haynes, D., Schmidt, C., and J. Fitzgerald- Coffin, C., Haynes, D., Schmidt, C., and J. Fitzgerald-
McKay, "SWID Message and Attributes for PA-TNC", draft- McKay, "SWID Message and Attributes for PA-TNC", draft-
coffin-sacm-nea-swid-patnc-01 (work in progress), June coffin-sacm-nea-swid-patnc-01 (work in progress), June
2016. 2016.
[I-D.cokus-sacm-oval-results-model] [I-D.cokus-sacm-oval-results-model]
Cokus, M., Haynes, D., Rothenberg, D., and J. Gonzalez, Cokus, M., Haynes, D., Rothenberg, D., and J. Gonzalez,
"OVAL(R) Results Model", draft-cokus-sacm-oval-results- "OVAL(R) Results Model", draft-cokus-sacm-oval-results-
model-00 (work in progress), March 2016. model-01 (work in progress), September 2016.
[I-D.hansbury-sacm-oval-info-model-mapping]
mhansbury@mitre.org, m., Haynes, D., and J. Gonzalez,
"OVAL and the SACM Information Model", draft-hansbury-
sacm-oval-info-model-mapping-03 (work in progress),
September 2016.
[I-D.haynes-sacm-oval-definitions-model] [I-D.haynes-sacm-oval-definitions-model]
Cokus, M., Haynes, D., Rothenberg, D., and J. Gonzalez, Cokus, M., Haynes, D., Rothenberg, D., and J. Gonzalez,
"OVAL(R) Definitions Model", draft-haynes-sacm-oval- "OVAL(R) Definitions Model", draft-haynes-sacm-oval-
definitions-model-00 (work in progress), March 2016. definitions-model-01 (work in progress), September 2016.
[I-D.ietf-sacm-requirements] [I-D.ietf-sacm-requirements]
Cam-Winget, N. and L. Lorenzin, "Security Automation and Cam-Winget, N. and L. Lorenzin, "Security Automation and
Continuous Monitoring (SACM) Requirements", draft-ietf- Continuous Monitoring (SACM) Requirements", draft-ietf-
sacm-requirements-13 (work in progress), March 2016. sacm-requirements-13 (work in progress), March 2016.
[I-D.rothenberg-sacm-oval-sys-char-model] [I-D.rothenberg-sacm-oval-sys-char-model]
Cokus, M., Haynes, D., Rothenberg, D., and J. Gonzalez, Cokus, M., Haynes, D., Rothenberg, D., and J. Gonzalez,
"OVAL(R) System Characteristics Model", draft-rothenberg- "OVAL(R) System Characteristics Model", draft-rothenberg-
sacm-oval-sys-char-model-00 (work in progress), March sacm-oval-sys-char-model-01 (work in progress), September
2016. 2016.
[RFC7632] Waltermire, D. and D. Harrington, "Endpoint Security [RFC7632] Waltermire, D. and D. Harrington, "Endpoint Security
Posture Assessment: Enterprise Use Cases", RFC 7632, Posture Assessment: Enterprise Use Cases", RFC 7632,
DOI 10.17487/RFC7632, September 2015, DOI 10.17487/RFC7632, September 2015,
<http://www.rfc-editor.org/info/rfc7632>. <http://www.rfc-editor.org/info/rfc7632>.
Appendix A. Change Log Appendix A. Change Log
A.1. Changes in Revision -01 A.1. Changes in Revision -02
Changed "capability" in the context of endpoint management,
vulnerability management, and vulnerability assessments to
"capabilities" to avoid confusion with the term "capability" in the
terminology draft.
Made a few other minor editorial and clarification changes.
A.2. Changes in Revision -01
Clarified how the endpoint management capability can reconfigured Clarified how the endpoint management capability can reconfigured
over time to adapt to the needs of an enterprise. GitHub issue #12 over time to adapt to the needs of an enterprise. GitHub issue #12
(https://github.com/sacmwg/vulnerability-scenario/issues/12). (https://github.com/sacmwg/vulnerability-scenario/issues/12).
Included references to the various appendices in the document. Included references to the various appendices in the document.
GitHub issue #18 (https://github.com/sacmwg/vulnerability-scenario/ GitHub issue #18 (https://github.com/sacmwg/vulnerability-scenario/
issues/18). issues/18).
Fixed typos and other minor editorial changes in the document. Fixed typos and other minor editorial changes in the document.
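Review bot: the new reference entry [I-D.hansbury-sacm-oval-info-model-mapping] lists the first author as "mhansbury@mitre.org, m.", which looks like an author element that carried an email address where the surname and initials belong; replace it with the author's name before the reference is regenerated. Also, in A.2 "can reconfigured" is missing "be".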
skipping to change at page 9, line 14 skipping to change at page 9, line 28
vulnerability-scenario/issues/20). GitHub issue #22 vulnerability-scenario/issues/20). GitHub issue #22
(https://github.com/sacmwg/vulnerability-scenario/issues/22). (https://github.com/sacmwg/vulnerability-scenario/issues/22).
Updated references to the Critical Controls to Version 6.0. GitHub Updated references to the Critical Controls to Version 6.0. GitHub
issue #23 (https://github.com/sacmwg/vulnerability-scenario/ issue #23 (https://github.com/sacmwg/vulnerability-scenario/
issues/23). issues/23).
Aligned the scenario with SACM Tasks. GitHub issue #25 Aligned the scenario with SACM Tasks. GitHub issue #25
(https://github.com/sacmwg/vulnerability-scenario/issues/25). (https://github.com/sacmwg/vulnerability-scenario/issues/25).
A.2. Changes Since Adopted as a WG I-D -00 A.3. Changes Since Adopted as a WG I-D -00
Made various organizational and editorial changes as proposed by Adam Made various organizational and editorial changes as proposed by Adam
Montville. GitHub issue #4 (https://github.com/sacmwg/vulnerability- Montville. GitHub issue #4 (https://github.com/sacmwg/vulnerability-
scenario/issues/4). scenario/issues/4).
Removed the TODO from the Security Considerations section Removed the TODO from the Security Considerations section
(https://github.com/sacmwg/vulnerability-scenario/issues/8). (https://github.com/sacmwg/vulnerability-scenario/issues/8).
Clarified the definition of "vulnerability detection data" to explain Clarified the definition of "vulnerability detection data" to explain
how it was guidance and provided instructions for security tools on how it was guidance and provided instructions for security tools on
skipping to change at page 9, line 47 skipping to change at page 10, line 13
issues/15). issues/15).
Determine if we need to remove references to the long-term storage of Determine if we need to remove references to the long-term storage of
data in repositories. GitHub issue #16 (https://github.com/sacmwg/ data in repositories. GitHub issue #16 (https://github.com/sacmwg/
vulnerability-scenario/issues/16). vulnerability-scenario/issues/16).
Moved the information needs captured in Appendix D.2 into the Moved the information needs captured in Appendix D.2 into the
Information Model. GitHub issue #17 (https://github.com/sacmwg/ Information Model. GitHub issue #17 (https://github.com/sacmwg/
vulnerability-scenario/issues/17). vulnerability-scenario/issues/17).
A.3. Changes in Revision draft-coffin-sacm-vuln-scenario-01 A.4. Changes in Revision draft-coffin-sacm-vuln-scenario-01
Clarification of the vulnerability description data IDs in sections 4 Clarification of the vulnerability description data IDs in sections 4
and 6. and 6.
Added "vulnerability remediation" to the Assessment Results and Data Added "vulnerability remediation" to the Assessment Results and Data
Attribute Table and Definitions sections. Attribute Table and Definitions sections.
Added Implementation Examples to Endpoint Identification and Initial Added Implementation Examples to Endpoint Identification and Initial
(Pre-Assessment) Data Collection, Vulnerability Description Data, (Pre-Assessment) Data Collection, Vulnerability Description Data,
Endpoint Applicability and Assessment, and Assessment Results Endpoint Applicability and Assessment, and Assessment Results
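Review bot: the A.3 entry "Determine if we need to remove references to the long-term storage of data in repositories. GitHub issue #16" reads as an open action item rather than a record of a change made; either state what was decided or move it out of the change log. As the diff stands, Section 3 still assumes long-term storage of vulnerability description information, vulnerability detection data, and vulnerability assessment results.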
skipping to change at page 13, line 8 skipping to change at page 13, line 22
B.4. Assessment Results B.4. Assessment Results
The OVAL Results Model [I-D.cokus-sacm-oval-results-model] provides a The OVAL Results Model [I-D.cokus-sacm-oval-results-model] provides a
data model to encode the results of the assessment, which could then data model to encode the results of the assessment, which could then
be stored in a Repository and later accessed. The assessment results be stored in a Repository and later accessed. The assessment results
described in this scenario could be stored and later accessed using described in this scenario could be stored and later accessed using
the OVAL Results Model. Note that the use of the OVAL Results Model the OVAL Results Model. Note that the use of the OVAL Results Model
for sharing results is not recommended per section 7.3 of the OVAL for sharing results is not recommended per section 7.3 of the OVAL
and the SACM Information Model and the SACM Information Model
[draft-hansbury-sacm-oval-info-model-mapping-02]. [I-D.hansbury-sacm-oval-info-model-mapping].
Within the SACM Architecture, the generation of the assessment Within the SACM Architecture, the generation of the assessment
results would occur in the Report Generator component. Those results results would occur in the Report Generator component. Those results
might then be moved to a Data Store component for later sharing and might then be moved to a Data Store component for later sharing and
retrieval as defined by SACM. retrieval as defined by SACM.
Appendix C. Priority Appendix C. Priority
Priorities associated with the vulnerability description information, Priorities associated with the vulnerability description information,
assessment results, and any remedy is important, but is treated as a assessment results, and any remedy is important, but is treated as a
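Review bot: B.4 cites "section 7.3 of the OVAL and the SACM Information Model", and the -02 edit moves that citation from the -02 to the -03 version of the draft ([I-D.hansbury-sacm-oval-info-model-mapping], draft-hansbury-sacm-oval-info-model-mapping-03); confirm that the recommendation is still in section 7.3 of -03, since section-level pointers into a work-in-progress draft tend to drift between revisions.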
End of changes. 34 change blocks. 77 lines changed or deleted, 90 lines changed or added.