Cybersecurity gets faster with blending of two protocols

Combination of unrelated protocols now being tested in South Carolina

A suite of automated network access control standards from the Trusted Computing Group has been integrated with the government’s Security Content Automation Protocols to enable automated policy enforcement on networks. The South Carolina Department of Probation, Parole and Pardon Services is testing the combination in a pilot program.

The integration of the Trusted Network Connect standards with SCAP was announced Tuesday at a NIST security automation workshop in Baltimore.

Steve Hanna, co-chairman of the TCG’s TNC Working Group and distinguished engineer at Juniper Networks, said the two standards offer “a complementary set of capabilities,” each valuable in its own right but much more powerful when combined.

“What we are getting is automation,” Hanna said. “We can take the human out of the loop now,” so that security tools can operate at the speed of the increasingly sophisticated and automated attacks they must counter.

Tony Sager, chief of the National Security Agency’s Vulnerability Analysis and Operations Group, said automation is an imperative for IT security and called the combination of the protocols “a great step forward.”

TNC and SCAP will remain separate sets of standards developed under the auspices of their own organizations. The initial pilot integration is being tested in Juniper’s TNC network enforcement tool called Unified Access Control, and the SCAP-validated Resolution Manager from Triumfant.

Related coverage:

NIST releases guide to security automation protocol

NIST out to ensure security products comply with vulnerability assessment language

SCAP is a specification for expressing and manipulating security data in standardized ways, developed under the authority of the National Institute of Standards and Technology in cooperation with other organizations including the NSA, MITRE Corp., and the Forum for Incident Response and Security Teams.

The protocols address the challenge of managing the configurations and security settings of information systems manually. A wide variety of hardware and software platforms typically are used for many purposes, with differing levels of risk in a single environment. Security is further complicated by the fact that these platforms and the threats they face are constantly evolving. Agencies are supposed to conduct continuous monitoring of security configurations and be able to determine the security posture of IT systems at any time. SCAP was developed to provide a standardized, automated approach to help agencies overcome these difficulties.

The Office of Management and Budget requires agencies to use products that have been validated as capable of using the protocols for checking compliance with Federal Desktop Core Configuration Settings. The protocols enumerate hardware and software product names and vulnerabilities, including software flaws and configuration issues. They also identify the presence of vulnerabilities and assign severity scores to software flaws.

TNC was created separately by Trusted Computing Group, an industry organization developing standardized and interoperable security platforms and schemes. The TNC architecture integrates the collection of pertinent security data from devices requesting access to or already on a network with the enforcement of security policies for the network based on that data. It combines network access control—the ability to control who can access a network and what resources they can use—with coordinated security, which correlates data from a variety of security systems for decision-making.

The use of SCAP data for decision-making and enforcement by TNC grew out of a meeting of the TCG with NIST, MITRE and NSA in June, Hanna said.

“It’s not so difficult,” he said of the integration. “It turns out the specifications fit together quite well.”

Prototype tools were available by July and demonstrated in August, and the South Carolina pilot now is under way. The development reflects the maturity of the SCAP and TNC schemes, Hanna said.

“Great ideas seem obvious in retrospect,” he said. But until recently both teams have been focused on developing their own sets of protocols and ensuring that they work as intended. “It is only in the last year or two that we’ve reached that level of capability” that would allow the integration.

Fully functional production products integrating the two suites are expected to be available by year’s end.

About the Author

William Jackson is a Maryland-based freelance writer.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Thu, Oct 7, 2010 Earth

A suite of automated network access control standards … has been integrated with … Security Content Automation Protocols to enable automated policy enforcement on networks. …each valuable in its own right but much more powerful when combined. …We can take the human out of the loop now.
…who called cyberspace the fourth area of warfare along with land, sea and air.

A virus of unusual complexity, indicating a state sponsor, has been unleashed with the assumed intent to infect Iran’s nuclear power plant and give the attacker the ability to cause it to destroy itself.

And so begins the birth of “Sky Net”. For all automated protocols, lacking human oversight, are fodder for self-attack. Guns don’t shoot children, children shoot children.

Wed, Sep 29, 2010 Linda Joy Adams

Does this mean that the 17 medicare numbers created to steal my id and cliams info will now be shut down and monies returned inside the Medciare contractors on their offline systems. And the offline system at ACS-Xerox for Federal workers comp will now have to use the offical data from the US Dept of labor's computer and can't alter the info on their offline system so my bills can get paid? instead of using a 'dummy' file? Unless these systems inside the contractors ( business associates) are secured, does little good whe so much of the govt's biz is done inside contractors. Madoff went to jail for such shenaighans, but Congress made contractors immune from prosecutions and internal audits. Why the double standard? Linda Joy Adams can't stop it alone

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group