XCCDF
From SCADApedia
The Extensible Configuration Checklist Description Format (XCCDF) is a specification language used for security checklists and benchmarks. The XCCDF standard effort is led primarily by the NSA with assistance from other organizations, most notably NIST. NIST maintains the specifications and documentation. The NIST site provides the following description for XCCDF:
An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.
The XCCDF language is written in XML and is designed to interface with OVAL, the Open Vulnerability and Assessment Language. The XCCDF document defines the security setting at a high level, and the OVAL document defines the mechanism used to test it. For example, an XCCDF security best practice document for Windows might require that passwords be at least eight characters. It could pass that requirement to an OVAL document that defines the registry key that should be evaluated to perform the check.
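The XCCDF-to-OVAL hand-off described above, as an added example that is not part of the original page or of the Bandolier files: it links each XCCDF Rule to the OVAL definition its check names and flags references that do not resolve. The rule and definition ids, the file name demo-oval.xml and the function name are constructed for illustration; the namespaces are those of XCCDF 1.2 and the OVAL 5 definitions schema.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS, "o": OVAL_NS}

# Constructed samples (not schema-complete); the second rule names a definition the OVAL file lacks.
XCCDF_DOC = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example.constructed_benchmark_demo">
  <Rule id="xccdf_example.constructed_rule_min_password_length" selected="true">
    <title>Password must be at least eight characters</title>
    <check system="{OVAL_NS}">
      <check-content-ref href="demo-oval.xml" name="oval:example.constructed:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_example.constructed_rule_dangling" selected="true">
    <title>Rule whose OVAL definition is missing</title>
    <check system="{OVAL_NS}">
      <check-content-ref href="demo-oval.xml" name="oval:example.constructed:def:99"/>
    </check>
  </Rule>
</Benchmark>"""

OVAL_DOC = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:example.constructed:def:1" class="compliance" version="1">
      <metadata><title>Minimum password length is 8 or more</title></metadata>
    </definition>
  </definitions>
</oval_definitions>"""

def link_rules_to_oval(xccdf_xml, oval_xml):
    """Return (resolved, dangling) for the OVAL checks referenced by XCCDF rules."""
    definitions = {d.get("id"): d.findtext("o:metadata/o:title", namespaces=NS)
                   for d in ET.fromstring(oval_xml).iterfind(".//o:definition", NS)}
    resolved, dangling = {}, []
    for rule in ET.fromstring(xccdf_xml).iterfind(".//x:Rule", NS):
        for check in rule.iterfind("x:check", NS):
            if check.get("system") != OVAL_NS:
                continue  # the rule uses some other checking system
            for ref in check.iterfind("x:check-content-ref", NS):
                name = ref.get("name")
                if name in definitions:
                    resolved[rule.get("id")] = (name, definitions[name])
                else:
                    dangling.append((rule.get("id"), name))
    return resolved, dangling

if __name__ == "__main__":
    print(link_rules_to_oval(XCCDF_DOC, OVAL_DOC))
```

A rule that appears in the dangling list has no test behind it, so a scanner cannot evaluate it and the checklist gives no assurance for that setting.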
Control System Impact
Digital Bond, as part of the Bandolier project, is developing XCCDF/OVAL files for many control system applications that define a best practice security configuration. These files can be integrated into a variety of security tools.
External Links
XCCDF - The Extensible Configuration Checklist Description Format
