April 16, 2008

NetIQ Achieves SCAP Validation So That U.S. Federal Agencies Can Best Meet FDCC Mandate

Secure Configuration Manager Automates Configuration and Security Assessment to Meet Stringent Standards and Reduce Ongoing Cost of Compliance

Press Release


NetIQ Corporation, an Attachmate business, today announced the Security Content Automation Protocol (SCAP) validation of NetIQ® Secure Configuration Manager™ (SCM). One of the very few SCAP-validated solutions on the market, SCM provides U.S. Federal agencies with a comprehensive configuration management solution that automates compliance with the Federal Desktop Core Configuration (FDCC) baseline, sparing organizations from having to satisfy this mandated configuration requirement manually.

The U.S. Office of Management and Budget (OMB) decreed in March 2007 that Federal organizations must meet a core configuration standard for desktop computers. Known today as the FDCC baseline, this mandate has the objective of increasing overall system security and reducing the cost of system and application maintenance for every Federal entity. In parallel, the National Institute of Standards and Technology (NIST) devised the SCAP validation program so that security technologies can exchange systems and vulnerability information in a common format. This ensures that security content can be correctly processed within any SCAP-validated tool, providing agencies with the freedom to choose configuration management solutions that best fit the needs and cost requirements of their environment.

"Interoperability and standardized methods for communication between security and compliance tools are essential in order for agencies to optimize their security dollar and increase their return on investment," said Andrew Buttner, lead INFOSEC Engineer at The MITRE Corporation. "The SCAP validation program for security products is a huge next step in accomplishing that goal."

As a result of SCAP validation, Federal agencies can rely upon the automated configuration assessment capabilities of SCM to meet the FDCC baseline and NIST common security content format requirements. Moreover, agencies that utilize SCM can routinely monitor their systems and certify that the FDCC settings have not been changed as a result of patching, installation of new software or human interaction. By automating desktop configuration assessment against FDCC content, SCM can report on any discrepancies so that corrective action can be taken to bring systems into compliance.

To achieve recognition as a SCAP-validated FDCC Scanner, NetIQ partnered with ThreatGuard. Through this technology partnership, SCM has been validated to audit and assess a target system in order to determine its state of compliance. Combined, NetIQ and ThreatGuard standardize upon the six components of SCAP validation:

  • Common Vulnerabilities and Exposures (CVE) – a dictionary of publicly known information security vulnerabilities and exposures.
  • Common Configuration Enumeration (CCE) – provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.
  • Common Platform Enumeration (CPE) – a structured naming scheme for information technology systems, platforms, and packages.
  • Common Vulnerability Scoring System (CVSS) – provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.
  • eXtensible Configuration Checklist Description Format (XCCDF) – a structured collection of specification language for writing configuration, security checklists and benchmarks.
  • Open Vulnerability and Assessment Language (OVAL) – an international information security standard to promote open and publicly available security content.

"Standards-based security content is becoming more common across the Federal industry in an effort to maintain the highest level of vulnerability and compliance management without adding additional cost to this process," said Geoff Webb, senior manager, Product Marketing at NetIQ. "SCAP validation is likely just the tip of the iceberg. With SCAP validation, customers can confidently maintain and continue their investments in SCM. Additionally, they can trust that its automated assessment capabilities will continue to improve the allocation of Federal agencies' security resources to protect potentially vulnerable systems on a consistent basis per the FDCC mandate."

More information about SCAP-validated products can be found at http://nvd.nist.gov/scapproducts.cfm.

About NetIQ Secure Configuration Manager

With compliance at the forefront of IT managers' minds, establishing a defensible posture for internal and external auditors means providing accurate and comprehensive documentation wherein IT controls are in place and enforced. SCM is specifically designed to help evaluate system configurations against predefined security and privacy policies, provide reports detailing compliance levels and identified issues and assist in remediation. With SCM, organizations can simplify system audits and manage IT risks while ensuring accordance with corporate policies and regulations.

About NetIQ

NetIQ, an Attachmate business, is a leading provider of comprehensive systems and security management solutions that help enterprises maximize IT service delivery and efficiency. With more than 12,000 customers worldwide, NetIQ solutions yield measurable business value and results that dynamic organizations demand. NetIQ's best-of-breed solutions help IT organizations deliver critical business services, mitigate operational risk, and document policy compliance. The company's portfolio of award-winning management solutions includes IT Process Automation, Systems Management, Security Management, Configuration Control and Enterprise Administration.

Amy Sachrison
Media and Analyst Relations

Phone: (713) 418-5368
Email: amy.sachrison@netiq.com