The U.S. National Institute of Standards and Technology (NIST) has today certified Qualys SCAP Auditor 1.2 for use by federal agencies as an SCAP tool. Federal agencies are required to use the Security Content Automation Protocol (SCAP) to automate the vulnerability management and policy compliance processes they use to demonstrate compliance with FISMA and USGCB mandates.
Qualys SCAP Auditor is the first certified cloud-based solution meeting SCAP requirements. Qualys SCAP Auditor allows federal agencies to scan and report compliance with standardized desktop security configuration requirements using a centralized, integrated solution featuring the Qualys Software-as-a-Service (SaaS) architecture. Qualys Scanner Appliances support USGCB scanning for internal systems on a global basis. Qualys solutions in the Qualys Security and Compliance Suite also enable immediate compliance with other key FISMA requirements by allowing subscribers to automatically discover and manage all devices and applications on the network, identify and remediate network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal and external FISMA policies.
With the growing adoption of SCAP, Qualys SCAP Auditor 1.2 is committed to continuing support for the United States Government Configuration Baseline (USGCB). Government agencies and associated industries should use the SCAP-validated Qualys SCAP Auditor service to test and assess compliance with FDCC and USGCB standards.
NIST has validated Qualys SCAP Auditor 1.2 as conforming to the following SCAP capabilities:
- Authenticated Configuration Scanner
- Common Vulnerabilities and Exposures (CVE)
- assessment of: Windows 7 (32 and 64 bit) and Red Hat Enterprise Linux (RHEL) 5 Desktop (32 and 64 bit)
The Qualys SCAP 1.2 Auditor is compliant with SCAP version 1.2: XCCDF 1.2, OVAL 5.10, CCE 5, CPE 2.3, CVE, and CVSS 2, OCIL 2.0, CCSS 1.0, Asset Identification 1.1, ARF 1.1, TMSAD 1.0. This certification covers the ability to audit and assess a target system to determine its compliance with USGCB requirements. Previous certification was for SCAP 1.0 which provided coverage for FDCC. In addition to the SCAP certified assessment capabilities, SCAP Auditor can process SCAP tier III content intended for the following systems: Windows 7 (32 and 64 bit), Windows XP (32 bit), Windows Vista, Windows 2008, Windows 2012, RHEL 5 (32 and 64 bit) and most Linux distributions.
What is the United States Government Configuration Baseline? How does it differ from FDCC?
In May 2010, the Architecture and Infrastructure Committee of the CIO Council announced the United States Government Configuration Baseline (USGCB) settings for Windows 7 and Internet Explorer 8. The USGCB is a further clarification of the Federal Desktop Core Configuration (FDCC); specifically, the USGCB initiative falls within FDCC and comprises the configuration settings component of FDCC. To assist in implementation, NIST will release the supporting Security Content Automation Protocol (SCAP) content for all USGCB settings.
See additional information about Qualys SCAP Auditor 1.2.