
QualysGuard SCAP Validation

The National Institute of Standards and Technology (NIST) has re-validated the QualysGuard® FDCC service as conforming to the following SCAP capabilities:

  • FDCC Scanner
  • Authenticated Configuration Scanner
  • Authenticated Vulnerability and Patch Scanner
  • Unauthenticated Vulnerability Scanner

With the growing adoption of the Security Content Automation Protocol (SCAP), the QualysGuard® FDCC service is committed to supporting the Federal Desktop Core Configuration (FDCC) and has added support for the United States Government Configuration Baseline (USGCB). Government agencies and industry should use the SCAP-validated QualysGuard® FDCC service to test and assess compliance with FDCC and USGCB standards.

FDCC

What is the Federal Desktop Core Configuration?

In March 2007, the Office of Management and Budget (OMB) Memorandum M-07-11 announced the “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems”, directing agencies that have Windows XP deployed and/or plan to upgrade to the Windows Vista operating system to adopt the Federal Desktop Core Configuration (FDCC) security configurations. On June 20, 2008, the National Institute of Standards and Technology (NIST) published the updated FDCC Major Version 1.0 settings release. FDCC comprises settings that can be checked using the updated Security Content Automation Protocol (SCAP) content and SCAP-validated tools with FDCC Scanning capability as specified by NIST.

USGCB

What is the United States Government Configuration Baseline? How does it differ from FDCC?

In May 2010, the Architecture and Infrastructure Committee of the CIO Council announced the United States Government Configuration Baseline (USGCB) settings for Windows 7 and Internet Explorer 8. The USGCB is a further clarification of the Federal Desktop Core Configuration (FDCC); specifically, the USGCB initiative falls within FDCC and comprises the configuration settings component of FDCC. To assist in implementation, NIST will release the supporting Security Content Automation Protocol (SCAP) content for all USGCB settings.

QualysGuard® FDCC Service

The QualysGuard® FDCC service is the first certified cloud-based computing solution for FDCC compliance. It allows federal agencies to scan and report compliance with the FDCC and USGCB requirements through a centralized, integrated solution leveraging the QualysGuard® Software-as-a-Service (SaaS) architecture. The QualysGuard® Scanner Appliances support FDCC and USGCB scanning for internal systems on a global scale.

The QualysGuard® FDCC service is validated by NIST as conforming to SCAP and its component standards. The QualysGuard® FDCC service currently supports the following SCAP content:

  • FDCC: Windows XP
  • FDCC: Windows XP Firewall
  • FDCC: Windows Vista
  • FDCC: Windows Vista Firewall
  • FDCC: Internet Explorer 7
  • USGCB: Windows 7
  • USGCB: Windows 7 Firewall
  • USGCB: Internet Explorer 8

FDCC Enhancement: SCAP Scanning of Windows 7, Windows 7 Firewall, and IE8

With the continued growth and adoption of the Security Content Automation Protocol (SCAP), the National Institute of Standards and Technology (NIST) is publishing more content to support the new United States Government Configuration Baseline (USGCB). With the release of QualysGuard 6.17, users can now import NIST content and scan Windows 7, Windows 7 Firewall, and Internet Explorer 8 in the QualysGuard FDCC Module.

Importing NIST Content

Since NIST has not finalized the content for Windows 7 and Internet Explorer 8, the FDCC Module does not currently have the new content available for import. However, the current content from NIST can be uploaded as a custom policy in the FDCC Module. To access the NIST content, please visit http://web.nvd.nist.gov/view/ncp/repository. Once you have the files downloaded, you can upload the content by performing the following steps:

  1. From the Tools section, select Policies
  2. From the menu, select New, FDCC Policy…
  3. Choose the following files downloaded from the NIST website:
      • XCCDF Content
      • CPE OVAL Definitions
      • CPE 2.0 Dictionary
      • OVAL Compliance Definitions

    NOTE: Since the NIST content is still in draft, Schematron Validation is not currently supported for Windows 7 and Internet Explorer 8.

    Figure 1: New FDCC Policy: Validate

  4. Click Validate to create the policy.
  5. Once validated, verify the Title, FDCC Profile, and Description. Click Save.

    Figure 2: New FDCC Policy: Save

  6. Add Asset Group(s) to the new FDCC policy.
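A pre-import sanity check for the bundle chosen above, added here as an illustration and not part of the QualysGuard product or of NIST's content: it parses the XCCDF file and the OVAL compliance definitions and reports every rule whose check-content-ref names an OVAL definition id that the OVAL file does not declare, which is the most common reason a hand-assembled bundle fails at policy creation. The XML fragments, rule ids and definition ids are constructed samples.

```python
import xml.etree.ElementTree as ET

# Standard XCCDF 1.1 and OVAL 5 definition namespaces used by NIST SCAP content.
NS = {
    "xccdf": "http://checklists.nist.gov/xccdf/1.1",
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed XCCDF fragment: two rules, the second points at a missing OVAL id.
XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-benchmark">
  <Rule id="rule-password-length" selected="true">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-firewall-enabled" selected="true">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:example:def:99"/>
    </check>
  </Rule>
</Benchmark>"""

# Constructed OVAL compliance definitions: only def:1 is declared.
OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" class="compliance" version="1"/>
  </definitions>
</oval_definitions>"""

def oval_definition_ids(oval_xml):
    """Return the set of definition ids declared in an OVAL definitions document."""
    root = ET.fromstring(oval_xml)
    return {d.get("id") for d in root.iterfind(".//oval:definition", NS)}

def unresolved_checks(xccdf_xml, oval_xml):
    """Map each XCCDF rule id to the OVAL ids it references that the OVAL file lacks."""
    known = oval_definition_ids(oval_xml)
    root = ET.fromstring(xccdf_xml)
    missing = {}
    for rule in root.iterfind(".//xccdf:Rule", NS):
        refs = [r.get("name") for r in rule.iterfind(".//xccdf:check-content-ref", NS)]
        bad = [name for name in refs if name and name not in known]
        if bad:
            missing[rule.get("id")] = bad
    return missing

if __name__ == "__main__":
    for rule_id, ids in unresolved_checks(XCCDF, OVAL).items():
        print(f"{rule_id}: unresolved OVAL reference(s) {ids}")
```

Run against the real downloaded files by reading them into XCCDF and OVAL; an empty result means every rule's check resolves, a non-empty one names the rules to fix before uploading.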

Scanning Targets

Once the FDCC policy has been created, you are ready to scan targets by performing the following steps:

  1. From the Navigation section, select FDCC Scan
  2. From the menu, select New, Scan
  3. Enter the following information and click Launch:
    • Title
    • FDCC Policy
    • Compliance Profile
    • Scanner Appliance
    • Asset Group(s)

Figure 3: Launch FDCC Scan