The OPM Hack Prompts New Measures
NEWS
The National Institute of Standards and Technology (NIST) is preparing yet another update to the Security Content Automation Protocol (SCAP). SCAP comprises several specifications under one unified umbrella, aimed at creating a standardized approach to security automation. This includes enabling automated configuration and vulnerability management, security readiness measurement, vulnerability and patch checking, technical control, and compliance activities, as well as policy compliance evaluation.
It appears that after one of the most serious governmental breaches in recent history, the theft of millions of biometric templates from the Office of Personnel Management (OPM), the US Department of Homeland Security (DHS) is working more closely with NIST in preparation for more drastic measures regarding cybersecurity automation.
More Steps from the SCAP
IMPACT
Last year (January 2016), NIST published a validation report regarding Red Hat Enterprise Linux Client, which gave slight hints about the latest updates to the SCAP automation specifications. One hint specifically points toward the very first version of a Trust Model for Security Automation Data (TMSAD), which contains a new specification for the use of digital signatures as part of an overarching automated solution.
This comes as no surprise since the DHS, the United States Computer Emergency Readiness Team (US-CERT), and the National Cybersecurity and Communications Integration Center (NCCIC) have shown much interest in this endeavor in recent years. Their stance is also reflected in a more “aggressive” push of Automated Indicator Sharing (AIS), which enables real-time bidirectional sharing of cyber threat indicators among its participants. This allows threat intelligence gathered by one member to be quickly and (almost) autonomously turned into actionable insights for other members, protecting them from similar cyberattacks while at the same time limiting the potential reach of attackers and the return on the resources they invest.
Enterprise-Based Specifications through OpenSCAP
COMMENTARY
ABI Research posits that SCAP and AIS in combination form an excellent preparatory phase for more advanced autonomous processes in cybersecurity. Through NIST and its partners, SCAP aims to instigate a new wave of standardized security implementations in governmental and enterprise IT systems, particularly targeted toward improving automated security through new industry standards and specifications. Standardization focuses primarily on achieving a higher threshold of human and machine readability with regard to the format and security terminology used to describe software flaws and vulnerabilities.
The challenge, however, remains that both of these initiatives were created and developed in the interconnected governmental environment, which has a larger IT budget and multiple communication trust levels already in place for the agencies involved (especially in North America). This is far more difficult to realize in the enterprise segment. For now, an open-source tool called OpenSCAP has also been developed to assist developers in creating more advanced tools for managing system security and achieving greater levels of standards compliance. It remains to be seen how the non-governmental verticals plan to adapt to the SCAP specifications and standardization practices. ABI Research predicts that, because automation is still nascent, it will take at least two more years before these standards make their way into enterprise IT.