DISA SCAP and SCAP Scanners

DISA SCAP provides detailed guidance on how military systems must be configured and operated, often down to individual settings. Failure to adhere to these standards can result in a system being denied access to DoD networks.

To assess a system's DISA SCAP compliance, the STIG Viewer tool can be used. Although free of charge, it requires a DoD certificate to operate.

Security Technical Implementation Guide (STIG) Requirements

DISA develops STIGs for specific software, routers and operating systems used on DoD networks. Federal IT teams can use these guidelines to harden the configuration of commercial off-the-shelf products, mitigating vulnerabilities and lowering the risk of cyberattack against DoD systems. The process can take time, because every relevant configuration is evaluated for compliance; its aim is to balance functionality with security while introducing changes gradually, so that a change in implementation does not have unintended consequences.

Traditionally, developing a STIG required DoD cybersecurity experts to work directly with the product vendor to devise a secure configuration. This was often impractical for organizations using off-the-shelf IT solutions, so a tool known as Gold Disk was created to automate scanning a system against STIG requirements and confirm that its configuration met them. Gold Disk was later replaced by the Security Content Automation Protocol (SCAP), but many STIG checks still have to be verified manually.

STIGs are revised regularly to address emerging threats and technologies, and are typically released alongside vendor upgrades of software or hardware products. Such updates may introduce new configuration requirements or mitigate previously unknown vulnerabilities, so federal IT professionals should follow these announcements closely to keep their systems compliant with the current STIG requirements.

One of the biggest challenges lies in understanding which configurations are mandatory and which are optional. Some settings are mandated to protect sensitive information; others aim to enhance security without affecting functionality. Choosing an incorrect configuration can prevent a system from functioning as intended, so it is vital to understand exactly which configurations are mandatory.

Complying with DISA STIGs can be challenging even for seasoned cybersecurity teams. To accelerate the process, an automated tool that manages and simplifies compliance is often recommended. A SIEM (security information and event management) platform, for example, can do this effectively by consuming logs from across the environment to identify vulnerabilities quickly and generating compliance reports automatically. This saves federal IT teams both time and resources, making compliance simpler to achieve and maintain.

Requirements for Hardware

Although it may seem counterintuitive, a successful security policy combines what is necessary with what is realistic, and is proactive rather than reactive: it reduces cyberattack risk by addressing vulnerabilities before they become an issue. Your policy should therefore not simply specify which actions can or cannot be undertaken securely, but should also give guidance on how those tasks should be completed safely.

One way to take a more proactive approach is through SCAP. SCAP is the technical infrastructure that carries guidance such as CIS Benchmarks and DISA's Gold Disk content into the cybersecurity tools that use it (vulnerability scanners, for example). By standardizing how information is transferred across formats and tools, it lets cyber defenders focus on finding and fixing issues rather than on converting data.

Various scanning and compliance tools are available, including the DoD's own SCAP Compliance Checker (SCC). Although SCC lost DISA funding for FY22 and only recently regained its development team of six GS-13s, its developers have worked diligently to improve the software. They recently released new versions with both command-line access and a GUI, and among the notable changes, SCC can now scan both local and remote machines.

NSWC Crane's Evaluate-STIG tool is also becoming more prevalent within DoD organizations. While SCC offers both command-line and graphical interfaces, Evaluate-STIG uses PowerShell scripting to scan for and document STIG compliance automatically; it also offers advanced functionality, such as identifying every requirement that applies to a system rather than only those found in a vulnerable state.

SCC and Evaluate-STIG can produce the XCCDF files required by SCAP, but neither is a full SCAP scanner. To turn a scan into an actual checklist, import its results into an application that understands and processes the XCCDF format, such as OpenRMF® OSS, which matches the results against the appropriate templates and generates the checklist for you.

Requirements for Software

SCAP scanners automatically identify vulnerabilities associated with specific STIGs, allowing organizations to check for them without the effort of doing so manually. While SCAP scanners tend to be commercial products requiring subscription fees, open-source options can also be downloaded and used free of charge.

SCAP provides an effective framework for security configuration, but it does not guarantee system security. Responsibility for assuring system security ultimately rests with the organization; DISA SCAP can only serve as a starting point.

SCAP uses the Extensible Markup Language (XML) and the Open Vulnerability and Assessment Language (OVAL) to describe system configurations and security vulnerabilities. XML is a text-based format, similar to HTML, that lets different programs read the same information; OVAL is an XML-based language that expresses the checks a scanning tool must perform in a machine-readable form.

Survey respondents frequently expressed the need for a SCAP authoring tool. Because of the complexity of OVAL and XML, many found writing SCAP content challenging; others found it hard to learn which attributes were needed to produce optimal output for this content type.

The survey results underscored the need for a central repository to store and share SCAP content. Some respondents used GitHub or other source control systems as repositories for sharing SCAP content; others created their own databases or scanned public repositories such as the CIS OVAL Repository to identify relevant SCAP material.

Alongside a central repository, another area of need is making it easier to access and import SCAP data into scanning tools. Many respondents suggested an easier method, perhaps a command-line SCAP scanner, than the current Workbench used with validated SCAP scanning software packages.

Finally, the survey highlighted DISA's need to create additional SCAP content for IPA and IdM systems to strengthen their foothold within DoD and Intel networks; only a handful of STIGs and SCAP content are currently dedicated to these systems.

Requirements for Configuration

The Defense Information Systems Agency (DISA) operates the US Department of Defense IT infrastructure. DISA supports both military and civilian networks, making its IT essential to DoD operations: it underpins every DoD mission while safeguarding against cybersecurity threats, and DISA's SCAP tooling helps agencies assess vulnerabilities and compliance with security standards.

SCAP is a set of standards for managing the configuration of computer hardware and software. It enables automated vulnerability management and patch scanning, as well as easy verification that hosts are patched. The SCAP protocol specifies the technical plumbing that makes guidance such as the CIS Benchmarks machine-readable by tools. The standard also provides a common language for sharing security information, making it easier for experts to communicate about situational awareness.

SCAP scanners use XCCDF files to analyze and report on the status of a host's configuration. The SCAP Workbench provides an intuitive interface for configuring and running scans; once a scan completes, it produces results in HTML, ARF or XCCDF format and can generate remediation content as bash scripts or Ansible playbooks that reconfigure systems automatically.
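As an added example (not code from the original article, nor from SCC, Evaluate-STIG, the SCAP Workbench or OpenRMF), the Python script below parses a constructed XCCDF 1.2 results document of the kind those tools produce and reduces it to the checklist summary described above: open findings sorted by severity, plus rules that came back notchecked and therefore still need the manual verification mentioned earlier. The benchmark, rule ids and titles are placeholders, not real STIG identifiers.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample results document; rule ids and titles are placeholders, not real STIG IDs.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Group id="xccdf_example_group_ssh">
    <Rule id="xccdf_example_rule_ssh_banner" severity="medium"><title>SSH must show a login banner</title></Rule>
    <Rule id="xccdf_example_rule_ssh_root_login" severity="high"><title>SSH must not permit root login</title></Rule>
  </Group>
  <Rule id="xccdf_example_rule_audit_policy" severity="low"><title>Audit policy is documented</title></Rule>
  <Rule id="xccdf_example_rule_no_gui" severity="low"><title>No GUI packages are installed</title></Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_ssh_banner"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_ssh_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_policy"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_example_rule_no_gui"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

def tag(name):
    return f"{{{XCCDF_NS}}}{name}"  # qualify an element name with the XCCDF 1.2 namespace

def summarize_xccdf(xml_text):
    """Return result counts, open findings sorted by severity, and rules needing manual review."""
    root = ET.fromstring(xml_text.strip())
    # Rule metadata (severity, title) can be nested inside Groups, so walk the whole tree.
    rules = {r.get("id"): (r.get("severity", "unknown"), (r.findtext(tag("title")) or "").strip())
             for r in root.iter(tag("Rule"))}
    counts, open_findings, manual = Counter(), [], []
    for rr in root.iter(tag("rule-result")):
        rid = rr.get("idref")
        result = (rr.findtext(tag("result")) or "unknown").strip()
        counts[result] += 1
        severity, title = rules.get(rid, ("unknown", ""))
        if result in ("fail", "error", "unknown"):  # findings a reviewer must act on
            open_findings.append((severity, rid, title))
        elif result == "notchecked":  # automation could not decide: needs a manual check
            manual.append((severity, rid, title))
    rank = {"high": 0, "medium": 1, "low": 2}
    open_findings.sort(key=lambda f: rank.get(f[0], 3))
    return {"counts": dict(counts), "open": open_findings, "manual": manual}

if __name__ == "__main__":
    for key, value in summarize_xccdf(SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
```

Point the script at a real results file by replacing SAMPLE_RESULTS with the file's contents; a notapplicable or pass result is deliberately left out of both lists so the checklist only shows what still needs attention.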

SCAP scan results should never be trusted blindly, because a system can fail a SCAP check for several reasons, one of which is out-of-date patches and software. It is therefore crucial that systems are always kept on the latest versions.

The Oracle Linux 7 STIG image has been modified to meet SCAP standards by applying the DISA-specific rules included in the scap-security-guide package, available through Yum; version 0.1.66-1.0.3 is the minimum required to meet the DISA STIG for Oracle Linux 7 Version 2 Revision 11. This includes alignment between its STIG profile and the DISA STIG for Oracle Linux 7 Ver 2 Rel 11.

Sam is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.