The National Security Agency (NSA) and National Institute of Standards and Technology (NIST) have published Specification for the Extensible Configuration Checklist Description Format (XCCDF) for public review.

The XCCDF specification is "designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. XCCDF documents are expressed in XML, and may be validated with an XML Schema-validating parser. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices."

The Checklist Description Format has been developed in response to the Cyber Security Research and Development Act of 2002 which "tasks the National Institute of Standards and Technology (NIST) to 'develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become widely used within the Federal Government.' Such checklists, when combined with well-developed guidance, leveraged with high-quality security expertise, vendor product knowledge, operational experience, and accompanied with tools, can markedly reduce the vulnerability exposure of an organization."

The specification document released by NIST and NSA defines the data model and XML representation for the Extensible Configuration Checklist Description Format (XCCDF). An XCCDF document is "a structured collection of security configuration rules for some set of target systems. The model and its XML representation are intended to be platform-independent and portable, to foster broad adoption and sharing of rules. The processing discipline of the format requires, for some uses, a service layer that can collect and store system information and perform simple policy-neutral tests against the system information."

XCCDF was designed to support integration with multiple underlying configuration checking 'engines'. The expected or default checking technology is MITRE's Open Vulnerability Assessment Language (OVAL). For document and reference metadata, XCCDF uses the Dublin Core Metadata element set."

The XCCDF specification will be of special interest to government and industry security analysts, and industry security management product developers. NIST and NSA welcome feedback from the public to improve the XCCDF specification.

Bibliographic Information

Specification for the Extensible Configuration Checklist Description Format (XCCDF). NISTIR [NIST Interagency Report] #7188. January 2005. Author: Neal Ziring (Information Assurance Directorate, National Security Agency, Fort Meade, MD, USA). Edited by John Wack (Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD, USA). 82 pages.

Acknowledgements: [to] "the following individuals who contributed to the initial definition of XCCDF and its initial development: David Proulx, Mike Michinikov, Andrew Buttner, Todd Wittbold, Adam Compton, George Jones, Chris Calabrese, John Banghart, Murugiah Souppaya, John Wack, Trent Pitsenbarger, and Robert Stafford. David Waltermire of the Center for Internet Security was instrumental in supporting the development of XCCDF; he contributed many important concepts and constructs, performed a great deal of proofreading on this specification document, and provided critical input based on implementation experience. Ryan Wilson of Georgia Institute of Technology also made substantial contributions."

From the Announcement

To make it easier to measure the security of an information technology product or system, researchers at the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) have developed a common specification language — Extensible Configuration Checklist Description Format (XCCDF) — for writing security checklists and related documents.

Increasingly, computers and other information technology products are vulnerable to multiple threats including viruses, worms and identity or information theft. One basic, yet effective, security tool is the security configuration checklist — a series of instructions for configuring an information technology (IT) product to a baseline or benchmark level of security. Configuring a system into conformance with a benchmark or other security specification is a time-consuming and very technical task. Automated tools are available to help system administrators determine a system's conformance and recommend corrective measures. However, most of these tools are designed for a particular IT product or system.

XCCDF is an XML-based format that is flexible, vendor-neutral and suited for a wide variety of checklist applications including measuring conformance of an IT system to security benchmarks and generating a record of a benchmark test. XML is a language — analogous to the HTML codes used to format web pages — that describes information in a standard way to allow computers to exchange information and act on it.

"XCCDF's common format will help security professionals, vendors and system auditors to more quickly exchange information and improve automation of security testing and configuration checking," said John Wack, a researcher in NIST's Computer Security Division.

XCCDF Specification Overview

Motivation: "XCCDF is designed to enable easier, more uniform creation of security benchmarks, and allow benchmarks to be used with a variety of commercial and open tools. The motivation for this is improvement of security for IT systems, including the Internet, by better application of known security practices and configuration settings."

Use cases:

• An academic group produces a benchmark for secure configuration of a particular server operating system version. A government organization issues a set of rules extending the academic benchmark to meet more stringent user authorization criteria imposed by statute. A medical enterprise downloads both the academic benchmark and the government extension, tailors the combination to fit their internal security policy, and applies an enterprise-wide audit using a commercial security audit tool. Reports output by the tool include remediative measures which the medical enterprise IT staff use to bring their systems into full internal policy compliance.

• A federally-funded lab issues a security advisory about a new Internet worm. In addition to a prose description of the worm's attack vector, they include a set of short benchmarks in a standard format that assess vulnerability to the worm for various operating system platforms. Organizations all over the world pick up the advisory, and use installed tools that support the standard format to check their status and fix vulnerable systems.

• An industry consortium wants to produce a security checklist for a popular commercial server. The core security settings are the same for all OS platforms on which the server runs, but a few settings are OS-specific. The consortium can craft one checklist in a standard format for the core settings, and then write several OS-specific ones that incorporate the core settings by reference. Users download the core checklist and the OS-specific checklists that apply to their installations, and run a checking tool to score their compliance with the checklist.

Requirements:

• Security and domain experts create a benchmark, which is an organized collection of rules about a particular kind of system or platform. To support this use, XCCDF must be an open, standardized format, amenable to generation and editing with a variety of tools. It must be expressive enough to represent complex conditions and relationships about the systems to be benchmarked, and it must also be able to incorporate descriptive material and remediative measures. (XCCDF benchmarks may include specification of the hardware and/or software platforms to which they apply. The specification should be concrete and granular enough for compliance checking tools to detect whether a rule is suited for a target platform.)
• Auditors and system administrators may employ tailoring tools to customize a benchmark for their local environment or policies. An XCCDF document must include the structure and interrogative text needed to guide the user in tailoring a benchmark, and it must be able to hold or incorporate the user's tailoring responses.
• In addition to supporting tailoring and security audits, an XCCDF document should be structured to foster generation of hardcopy benchmark guides.
• The structure of a XCCDF document should support transformation into HTML, for posting the benchmark as a web page.
• An XCCDF document should be transformable into (other) XML formats, to promote portability and interoperability.
• The primary use for an XCCDF benchmark is to drive automated security benchmarking tools. Such tools should accept one or more XCCDF documents, and supporting system test definitions, and check whether their rules are satisfied by some particular target system. The XCCDF document should support generation of a compliance report, including a weighted compliance score.
• In addition to a benchmark report, some benchmarking tools may be capable of generating scripts or procedures for helping to bring a system into compliance. XCCDF must be able to hold or encapsulate the remediation scripts or texts.
• XCCDF documents might also be used in vulnerability scanners, to test whether a target system is vulnerable to a particular kind of attack. For this purpose, the XCCDF document would play the role of a vulnerability alert, but with the ability to both describe the problem and drive automated verification of its presence. [from the spec Introduction]

About National Security Agency (NSA) and National Institute of Standards and Technology (NIST)

National Security Agency: "The National Security Agency/Central Security Service is America's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information. A high technology organization, NSA is on the frontiers of communications and data processing. It is also one of the most important centers of foreign language analysis and research within the government. NSA conducts one of the U.S. government's leading research and development (R&D) programs. Some of the Agency's R&D projects have significantly advanced the state of the art in the scientific and business worlds...

NSA's early interest in cryptanalytic research led to the first large-scale computer and the first solid-state computer, predecessors to the modern computer. NSA pioneered efforts in flexible storage capabilities, which led to the development of the tape cassette. NSA also made ground-breaking developments in semiconductor technology and remains a world leader in many technological fields. NSA employs the country's premier cryptologists. It is said to be the largest employer of mathematicians in the United States and perhaps the world. Its mathematicians contribute directly to the two missions of the Agency: designing cipher systems that will protect the integrity of U.S. information systems and searching for weaknesses in adversaries' systems and codes..."

NIST Computer Security Division (CSD) "CSD is one of eight divisions within NIST's Information Technology Laboratory. The mission of NIST's Computer Security Division is to improve information systems security by:

• Raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies
• Researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems
• Developing standards, metrics, tests and validation programs: to promote, measure, and validate security in systems and services, to educate consumers, and to establish minimum security requirements for Federal systems..."