DOD tests vulnerability management tools

The Defense Department is testing a process to automate system
vulnerability collection data from across the services and military

The Security Content Automation Protocol (SCAP) eventually will use Web services and a service-oriented architecture to scan as many as 1
million information technology assets to manage vulnerabilities and deal with possible threats.

SCAP will help DOD, and eventually other agencies, examine how security content automation will help achieve compliance with the Federal Information Security Management Act and other cybersecurity directives and improve overall IT security.

"The pilot using the SCAP protocols will give us more advanced
capabilities and optimize current business practices," said Ryan Larson, of the National Security Agency's systems information assurance systems engineering office. "We want to develop plans to implement Web services to expose network defense data enterprisewide."

The Army tested about 30,000 assets, which gave the service a better
understanding of what was vulnerable and what was safe, DOD officials
said today at the National Institute of Standards and Technology
Security Automation Conference.

DOD and other agencies face a number of issues in automating
vulnerability data. For example, the Army found that officials defined systems, hardware and software differently. Officials also said they found that sometimes people didn't report important incidents or potential problems because they didn't think they were important.

Through this SCAP effort, officials say this will change.

Joe Wolfkiel, chief of DOD's computer network defense research
technology office, said his group is developing a data exchange model to help deal with taxonomy issues.

"We had to set up the constructs of what information the network
defender cares about and then build the SCAP standards around that," he said.

The data exchange model eventually will use Web services to obtain data from five areas of the network:

  • Assets -- what is connected to the network.
  • Vulnerabilities -- which platforms, hardware and software have potential problems and the severity of those problems.
  • Events -- where vulnerabilities happen on the network in basic terms.
  • Incident -- what happened, who caused it and what assets was it directed against.
  • Threats -- how they negatively affected the network.

Wolfkiel said that when the testing is done, DOD will turn over the data exchange model and lessons to NIST to figure out if the agency should take this governmentwide.

"NIST can decide to define the schemas and publish them as Web services so we can all use the same thing," he said.

Margaret Myers, DOD's deputy chief information officer, said the SCAP
work will have the biggest effect on a common vocabulary.

"Once you do that, then you can tag and expose the data and use Web
services to give access across the department," she said. "Then people
will understand what the data means and how they can improve their cyber defenses."


  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.