NetIQ | An Attachmate Business

SCAP and FDCC

The Security Content Automation Protocol, better known as SCAP, was developed to promote interoperability between disparate security products. It is built on a suite of open standards that enumerate security configuration issues, software flaws, and product names. SCAP is used to measure systems for the presence of known vulnerabilities and provides a mechanism to rank the results so that their potential impact can be evaluated.

FDCC

The Federal Desktop Core Configuration standard (FDCC) arose from an effort by the Office of Management and Budget (OMB) to define a standardized desktop configuration for Windows PCs in the Federal government. This standard is designed to provide a single, consistent configuration across the entire enterprise, for both desktop PCs and laptops, and thereby to reduce the costs associated with support and application compatibility while improving security.

The NetIQ FDCC Solution

NetIQ's security and administration products help Federal organizations ensure compliance with FDCC by enabling automated assessment of systems and by providing the ability to securely manage Group Policy Object settings for systems that need to comply with FDCC.

At NetIQ, we develop easy-to-use, made-for-the-enterprise, integrated security management solutions that assist Federal customers with regulatory and policy compliance, while enabling them to secure their IT assets and manage risk.

  • Manage configuration baselines for FDCC compliance within the entire organization. NetIQ Secure Configuration Manager enables effective configuration management, from discovery of all systems connected to the network, through establishing and managing the baselines across those systems, to identifying where those systems drift from their expected configurations.
  • Manage FDCC Group Policy Objects. NetIQ Group Policy Administrator enables effective planning, controlling, troubleshooting and reporting on FDCC Group Policy changes. It enables administrators to meet the challenges of FDCC Group Policy Objects by providing total offline management of Group Policy, allowing organizations to minimize risk and prevent service interruptions.

Beyond FDCC and SCAP:

  • Manage and measure risk at all levels of the organization. NetIQ Secure Configuration Manager measures the level of threats posed by vulnerabilities and compliance exceptions against the importance of managed assets, and provides powerful metrics to illustrate risk on a system-by-system as well as a group-by-group basis.
  • Secure assets within the organization. NetIQ Security Manager monitors heterogeneous security controls throughout the organization, allowing organizations to be proactive rather than reactive in their security management by enabling fast identification of potential and existing threats, and providing detailed and accurate security knowledge to staff to enable quick remediation and reduce exposure times.
  • Provide secure and automated management and audit of changes to your Windows environment, leading to further compliance with regulatory mandates. NetIQ's Security Administration Suite products help you manage information access by managing Active Directory permissions for user accounts, groups and computer accounts, controlling file and folder permissions throughout the file system, and monitoring changes to Group Policy permissions in real time. Real-time monitoring and audit of changes to Active Directory are provided through NetIQ Change Guardian for Active Directory, along with detailed reporting on changes for auditors and management.

SCAP Standards

  • CVE (Common Vulnerabilities and Exposures): Standard identifiers and dictionary for security vulnerabilities related to software flaws
  • CCE (Common Configuration Enumeration): Standard identifiers and dictionary for system configuration issues related to security
  • CPE (Common Platform Enumeration): Standard identifiers and dictionary for platform/product naming
  • XCCDF (eXtensible Configuration Checklist Description Format): Standard XML for specifying checklists and for reporting results of checklist evaluation
  • OVAL (Open Vulnerability and Assessment Language): Standard XML for testing procedures for security-related software flaws, configuration issues, and patches, as well as for reporting the results of the tests
  • CVSS (Common Vulnerability Scoring System): Standard for conveying and scoring the impact of vulnerabilities

For more information on FDCC, go to: fdcc.nist.gov/
