3.3 Creating a Compliance Report

The U.S. Office of Management and Budget requires the agency or department CIO to report compliance for the associated organization. The SCAP module provides two methods for generating reports that meet the NIST guidelines: the CyberScope Data Feed scheduled job and the FDCC Reporting Utility.

3.3.1 Creating a CyberScope Data Feed Report

NIST collaborated with CyberScope to create a web-based program that automatically processes the data feeds from agencies reporting under the Federal Information Security Management Act (FISMA) standards. The SCAP policy templates that you import to Secure Configuration Manager are associated with specific SCAP benchmarks. The CyberScope program can process reports sent in a designated format that uses the following content in the SCAP benchmarks:

Content Format / Description

Common Configuration Enumeration (CCE)
  Represents a unique identifier for common system configuration issues, such as a specific security setting.

Common Vulnerabilities and Exposures (CVE)
  Represents unique identifiers that map to standard names for publicly known information security vulnerabilities and exposures.

Common Platform Enumeration (CPE)
  Represents a structured naming scheme for information technology systems, platforms, and packages, based upon the Uniform Resource Identifiers (URI) syntax.

The CyberScope Data Feed report in the Scheduled Jobs queue includes aggregated data on all specified SCAP-enabled endpoints, such as the number of non-compliant computers for each CVE point listed in the SCAP template. When you run the CyberScope job, Secure Configuration Manager gathers from the database the results of the most recent SCAP policy template runs, including offline assessments imported to the database. Then, Secure Configuration Manager compiles this information into an .xml file for the aggregated report and exports the file to a specified folder or email address.
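The per-identifier aggregation described above, shown as an added example that is not NetIQ's code and not the CyberScope feed format itself: the script below reads an XCCDF 1.2 result document (the format the Export Full Report step produces), maps each rule to its CCE identifier, counts how many assessed targets failed each one, and parses the CPE 2.2 URI that names each target's platform. The sample XML, host names and CCE values are constructed placeholders, and the script assumes the standard XCCDF 1.2 namespace and the http://cce.mitre.org ident system.

```python
"""Added example (not from the NetIQ documentation): tally XCCDF rule results
per CCE identifier and read each target's CPE platform, the same kind of
per-identifier count that an aggregated compliance feed reports."""
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
CCE_SYSTEM = "http://cce.mitre.org"                  # ident system for CCE ids
NS = {"x": XCCDF_NS}

# Constructed sample: two rules with placeholder CCE ids, results for two hosts.
SAMPLE_XCCDF = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sample">
  <Rule id="xccdf_example_rule_pw_len" selected="true">
    <title>Minimum password length</title>
    <ident system="{CCE_SYSTEM}">CCE-00000-1</ident>
  </Rule>
  <Rule id="xccdf_example_rule_guest" selected="true">
    <title>Guest account disabled</title>
    <ident system="{CCE_SYSTEM}">CCE-00000-2</ident>
  </Rule>
  <TestResult id="xccdf_example_testresult_host1">
    <target>host1.example.invalid</target>
    <platform idref="cpe:/o:microsoft:windows_xp::sp3:pro"/>
    <rule-result idref="xccdf_example_rule_pw_len"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_guest"><result>fail</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_host2">
    <target>host2.example.invalid</target>
    <platform idref="cpe:/o:microsoft:windows_xp::sp3:pro"/>
    <rule-result idref="xccdf_example_rule_pw_len"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_guest"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Component order of the CPE 2.2 URI binding: cpe:/part:vendor:product:...
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into named fields; absent trailing fields become ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    parts += [""] * (len(CPE22_FIELDS) - len(parts))
    return dict(zip(CPE22_FIELDS, parts[: len(CPE22_FIELDS)]))


def rule_to_cce(root):
    """Map each Rule id to its CCE identifier; rules without a CCE are skipped."""
    mapping = {}
    for rule in root.iterfind(".//x:Rule", NS):
        for ident in rule.iterfind("x:ident", NS):
            if ident.get("system") == CCE_SYSTEM and ident.text:
                mapping[rule.get("id")] = ident.text.strip()
    return mapping


def noncompliant_per_cce(xml_text):
    """Count, per CCE, how many targets failed the rule.

    Only an explicit 'fail' counts as non-compliant; results such as
    'notapplicable' or 'notchecked' are neither compliant nor non-compliant."""
    root = ET.fromstring(xml_text)
    cce_of = rule_to_cce(root)
    counts = defaultdict(int)
    for cce in cce_of.values():
        counts[cce] = 0                      # report every CCE, even with no failures
    for test_result in root.iterfind("x:TestResult", NS):
        for rr in test_result.iterfind("x:rule-result", NS):
            cce = cce_of.get(rr.get("idref"))
            if cce is None:
                continue                     # rule has no CCE identifier
            result = rr.findtext("x:result", default="", namespaces=NS).strip()
            if result == "fail":
                counts[cce] += 1
    return dict(counts)


def platforms(xml_text):
    """Return {target: parsed CPE fields} for each TestResult naming a platform."""
    root = ET.fromstring(xml_text)
    out = {}
    for test_result in root.iterfind("x:TestResult", NS):
        target = test_result.findtext("x:target", default="?", namespaces=NS)
        plat = test_result.find("x:platform", NS)
        if plat is not None:
            out[target] = parse_cpe22(plat.get("idref"))
    return out


if __name__ == "__main__":
    for cce, failed in sorted(noncompliant_per_cce(SAMPLE_XCCDF).items()):
        print(f"{cce}: {failed} non-compliant target(s)")
    for target, cpe in platforms(SAMPLE_XCCDF).items():
        print(f"{target}: {cpe['vendor']} {cpe['product']} {cpe['update']}")
```

On the sample, CCE-00000-1 reports one non-compliant target and CCE-00000-2 reports two. The count deliberately treats only an explicit fail as non-compliant, so a rule that was not checked on a host does not inflate the figure; a feed that lumped notchecked results in with failures would overstate non-compliance.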

You must specify the managed groups and SCAP benchmarks to include in the report, as well as the component, agency, and enclave names for the reporting department. Complete the following steps to configure the content that you want to include in the report.

To configure the content in the CyberScope Data Feed report:

  1. Log on to the Core Services computer with a Secure Configuration Manager administrator account.

  2. Open the Core Services Configuration Utility.

  3. On the SCAP tab, specify the managed groups and SCAP benchmarks that you want to include in the report.

  4. Specify the names that CyberScope associates with your organization, agency, and enclave.

  5. Click OK.

  6. (Optional) As a best practice, schedule the CyberScope Data Feed job to regularly export the aggregated data report.

3.3.2 Creating an FDCC Compliance Report

The Office of Management and Budget mandates that federal agencies with desktop and laptop computers running the Windows XP operating system adopt the FDCC standard. If you cannot implement some settings in the FDCC standard, you can report deviations from the FDCC settings in your compliance report to NIST.

To create an FDCC compliance report:

  1. In the Secure Configuration Manager console, assign an FDCC role to each endpoint that you want to include in the report by using the Use field in the Endpoint Properties window. Select one of the following FDCC roles:

    • Centrally Managed General Purpose Desktop

    • Centrally Managed General Purpose Laptop

    • Development System

    • Special Use System

    • Other

  2. Run the SCAP policy template against the endpoints that you want to assess. For more information about running policy templates, see the NetIQ Secure Configuration Manager User Guide.

  3. If you want to run an SCAP policy template on an offline computer, see Section 3.2, Assessing Offline Computers.

  4. View the completed policy template report. For more information about viewing a policy template report, see the NetIQ Secure Configuration Manager User Guide.

  5. If you want to create an exception for a security check or endpoint, see the NetIQ Secure Configuration Manager User Guide.

  6. Export the policy template report to XCCDF format by performing the following steps:

    NOTE:

    • To export a policy template report in XCCDF format, you must specify the major and minor version of the operating system in the Endpoint Properties window for each endpoint in the report.

    • When you export an SCAP policy template report to XCCDF format, the Secure Configuration Manager validates the XML against the XCCDF schema. If you export a non-SCAP policy template report, Secure Configuration Manager does not validate the XML against the XCCDF schema.

    1. On the Action menu, click Export Full Report.

    2. Type the file name.

    3. Select the XCCDF file format.

    4. Click Save.

  7. Run the FDCCReporter.exe file. By default, this file is located in the C:\Program Files (x86)\NetIQ\Secure Configuration Manager\FDCC Reporting Utility folder.

  8. In the Source Directory field, browse to the directory location of the policy template for which you want to create a compliance report.

  9. In the Destination File field, browse to the folder where you want to save the compliance report and specify a file name.

  10. Click Accept.

  11. In the Agency Name field, specify the agency to which you are submitting the compliance report.

  12. In the Chief Information Officer (CIO) field, specify the name of the CIO reporting the compliance of the agency.

  13. Click Create.