UNCLASSIFIED\\FOR OFFICIAL USE ONLY
CND Services, Functions, and Related Standards - DRAFT 30 June 2011
Notes:
1) A related standards indication may be "Yes" for a given Function / Service if a Standard makes a significant contribution to the development or implementation of that Function or Service, by means of applications, tools, or processes.
2) Per DoDI 8530.2: "CND is predicated upon a robust Information Assurance posture; however, all policies, standards, technologies, and practices that apply across the IT life cycle and contribute to that posture are not managed as part of CND." Many standards therefore apply to IA and Information Security but do not apply to the specific services of CND.
3) Further work is required on searching for standards (the list may be incomplete) and on Service / Function concurrence.
CND Service Areas (from DoDI 8530.2). For Service Area Descriptions see DoDI 8530.2.

Related Standard(s) Identified? | CND Service Area / Service
--- | ---
Yes | PROTECT
Yes | Vulnerability Analysis and Assessment (VAA) Support
Yes | CND Red Teaming
No | Virus Protection Support
No | Information Operations Condition (INFOCON) Implementation
No | Subscriber Protection Support and Training
Yes | Information Assurance Vulnerability Management (IAVM)
Yes | MONITOR, ANALYZE & DETECT
Yes | Network Security Monitoring / Intrusion Detection
Yes | Attack Sensing & Warning (AS&W)
Yes | Indications & Warning (I&W) / Situational Awareness
Yes | RESPOND
Yes | Incident Reporting
Yes | Incident Response
Yes | Incident Response Analysis
Potential CND System Functions

Related Standard(s) Identified? | Potential CND System Function | Selected Function Description
--- | --- | ---
Yes | Secure Configuration Management (IS) | The management of security-related change control of subsystem components and related documents and test fixtures throughout the lifecycle of an Information System.
Yes | Asset Management |
Yes | Publish Configuration Policy | Digital configuration policy that can be applied to specific assets based on a combination of events and operation policies that warrant specific actions based on specific circumstances.
Yes | Report Policy Compliance | Verification and reporting of whether assets are compliant with configuration policy.
Yes | Policy Implementation and Vulnerability Remediation | Remedies implemented to bring system configurations into security policy compliance (e.g., configuration changes, software patches, etc.).
Yes | Network Sensors and Defenses (Global & Local) |
Yes | - Host and Network Intrusion Detection / Prevention (HIDS/HIPS and NIDS/NIPS) |
Yes | - Firewalls and content / packet filtering |
No | - Anti-virus and anti-spyware |
Yes | - Policy auditing |
Yes | - Asset baseline monitoring |
Yes | - Rogue system detection |
Yes | Security Information Management | Security Information Managers (SIMs) deploy across Tiers 1-3 and serve to aggregate and analyze event-related data from different sensor systems to gain real-time Situational Awareness (SA) of anomalies and potentially malicious network activity.
No | Defensive Tipping and Analytics | Leverages SIM event data and provides the capability for network defenders to "tip" each other off at different tiers and provide an enterprise-wide view of potentially malicious events.
Yes | Sensor Analysis / Attack Sensing and Warning (AS&W) |
Yes | Incident Management |
Yes | Situational Awareness (SA) |
Yes | NetOps Information Sharing | Provides decision makers at all levels with relevant and timely information regarding operational, security and performance status.
Yes | NetOps Tasking and Coordination | The vehicle used by a relevant authority to issue tasking that enacts defensive security measures.
CND Proposed Standards - DRAFT

Standard Short Title | Standard Long Title and / or Description | Status | Links
--- | --- | --- | ---
NIST Special Publication 800-39 | Managing Information Security Risk | Standard | http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publication 800-37 Revision 1 | Guide for Applying the Risk Management Framework to Federal Information Systems | Standard | http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publication 800-30 | Risk Management Guide for Information Technology Systems | Standard | http://csrc.nist.gov/publications/PubsSPs.html
ISO/IEC 27002:2005 | Information technology -- Security techniques -- Code of practice for information security management | | http://www.iso.org/iso/iso_catalogue.htm
NIST Special Publication 800-126 | The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1 - The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which security software products communicate security content, particularly software flaw and security configuration information. | Standard | http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publication 800-117 | Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0 | Standard | http://csrc.nist.gov/publications/PubsSPs.html
NIST Interagency Report 7275 Revision 3 | Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4 | Specification | http://csrc.nist.gov/publications/PubsSPs.html
NIST/MITRE Specification - Open Vulnerability and Assessment Language (OVAL) 5.3 and 5.4 | OVAL is a language for representing system configuration information, assessing machine state, and reporting assessment results. | Specification | http://oval.mitre.org/
NIST/MITRE Specification - Common Platform Enumeration (CPE) 2.2 | CPE is a nomenclature and dictionary of hardware, operating systems, and applications. | Specification | http://nvd.nist.gov/cpe.cfm
NIST/MITRE Specification - Common Configuration Enumeration (CCE) 5 | CCE is a nomenclature and dictionary of security software configurations. | Specification | http://cce.mitre.org/
NIST/MITRE Specification - Common Vulnerabilities and Exposures (CVE) | CVE is a nomenclature and dictionary of security-related software flaws. | Specification | http://cve.mitre.org/
NIST / Carnegie Mellon University - A Complete Guide to the Common Vulnerability Scoring System (CVSS) Version 2.0 | The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. | Specification | http://www.first.org/cvss/cvss-guide.html
NIST Special Publication 800-51 Revision 1 | Guide to Using Vulnerability Naming Schemes - A vulnerability naming scheme is a systematic method for creating and maintaining a standardized dictionary of common names for a set of vulnerabilities in IT systems, such as software flaws in an operating system or security configuration issues in an application. | Standard | http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publication 800-40 Version 2.0 | Creating a Patch and Vulnerability Management Program | | http://csrc.nist.gov/publications/PubsSPs.html
NIST Interagency Report 7435 | The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems | Specification | http://csrc.nist.gov/publications/PubsNISTIRs.html
NIST Interagency Report 7694 | Specification for the Asset Reporting Format 1.1 - ARF is a data model to express the transport format of information about assets, and the relationships between assets and reports. The standardized data model facilitates the reporting, correlating, and fusing of asset information throughout and between organizations. | Specification | http://csrc.nist.gov/publications/PubsNISTIRs.html
NIST Interagency Report 7692 - Open Checklist Interactive Language (OCIL) - (Officially Part of SCAP 1.1) | Specification for the Open Checklist Interactive Language (OCIL) Version 2.0 - OCIL defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions. OCIL can be used in conjunction with SCAP specifications such as XCCDF to help handle cases where lower-level checking languages such as OVAL are unable to automate a particular check. | Emerging | http://csrc.nist.gov/publications/PubsNISTIRs.html
NIST / MITRE - Open Checklist Reporting Language (OCRL™) | Open Checklist Reporting Language is a language for writing machine-readable XML definitions that gather information from systems and present it as a standardized report for human evaluation of policy compliance. Each generated report file corresponds to a single policy recommendation. | Emerging | http://ocrl.mitre.org/
NIST Interagency Report 7502 | The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities - The Common Configuration Scoring System (CCSS) is a set of measures of the severity of software security configuration issues. CCSS is derived from CVSS, which was developed to measure the severity of vulnerabilities due to software flaws. | Specification | http://csrc.nist.gov/publications/PubsNISTIRs.html
NIST Interagency Report 7517 (Draft) | The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities (DRAFT) - The Common Misuse Scoring System (CMSS) consists of a set of measures of the severity of software feature misuse vulnerabilities. A software feature misuse vulnerability is present when the trust assumptions made when designing software features can be abused in a way that violates security. | Emerging | http://csrc.nist.gov/publications/PubsNISTIRs.html
NIST - The Event Management Automation Protocol (EMAP) | EMAP is a framework to standardize the communication of event management data. EMAP is an emerging protocol within the NIST Security Automation Program, and is a peer to similar automation protocols such as the Security Content Automation Protocol (SCAP). Where SCAP standardizes the data models of the configuration and vulnerability management domains, EMAP will focus on standardizing the data models relating to event and audit management. | Emerging | http://scap.nist.gov/emap/
NIST / MITRE - Common Event Expression (CEE) | CEE™ standardizes the way computer events are described, logged, and exchanged. By using CEE's common language and syntax, enterprise-wide log management, correlation, aggregation, auditing, and incident handling can be performed more efficiently. CEE is a critical foundation necessary for EMAP to work. | Emerging | http://cee.mitre.org/
ISO/IEC 19770-1:2006 | Information technology -- Software asset management -- Part 1: Processes | Standard | http://www.iso.org/iso/iso_catalogue.htm
ISO/IEC 19770-2:2009 | Information technology -- Software asset management -- Part 2: Software identification tag | Standard | http://www.iso.org/iso/iso_catalogue.htm
NIST Special Publication 800-94 | Guide to Intrusion Detection and Prevention Systems (IDPS) | Standard | http://csrc.nist.gov/publications/PubsSPs.html
ISO/IEC 18043:2006 | Information technology -- Security techniques -- Selection, deployment and operations of intrusion detection systems | Standard | http://www.iso.org/iso/iso_catalogue.htm
IETF RFC 4765 (Experimental) | The Intrusion Detection Message Exchange Format (IDMEF) (draft-ietf-idwg-idmef-xml), 2007-03, RFC 4765, Sam Hartman | Experimental | http://www.ietf.org/
IETF RFC 4766 (Informational) | Intrusion Detection Message Exchange Requirements (draft-ietf-idwg-requirements), 2007-03, RFC 4766, Sam Hartman | Informational | http://www.ietf.org/
IETF RFC 4767 (Experimental) | The Intrusion Detection Exchange Protocol (IDXP) (draft-ietf-idwg-beep-idxp), 2007-03, RFC 4767, Sam Hartman | Experimental | http://www.ietf.org/
NIST Special Publication 800-41 Revision 1 | Guidelines on Firewalls and Firewall Policy | Standard |
IETF RFC 2647 | Benchmarking Terminology for Firewall Performance | Informational | http://www.ietf.org/
IETF RFC 3511 | Benchmarking Methodology for Firewall Performance | Informational | http://www.ietf.org/
ISO/IEC TR 18044:2004 | Information technology -- Security techniques -- Information security incident management | | http://www.iso.org/iso/iso_catalogue.htm
IETF RFC 2350 | Expectations for Computer Security Incident Response | Best Practice | http://www.ietf.org/
IETF RFC 3067 | TERENA's Incident Object Description and Exchange Format Requirements | Informational | http://www.ietf.org/
IETF RFC 5070 | The Incident Object Description Exchange Format | Standard | http://www.ietf.org/
NIST Special Publication 800-86 | Guide to Integrating Forensic Techniques into Incident Response | Standard | http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publication 800-83 | Guide to Malware Incident Prevention and Handling | Standard | http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publication 800-61 Revision 1 | Computer Security Incident Handling Guide | Standard | http://csrc.nist.gov/publications/PubsSPs.html