Write a proposal and submit it to either NIST or the emerging-specs@nist.gov email list for feedback. Be sure to describe the specification as either a language (e.g., XCCDF, OVAL, OCIL), an enumeration (e.g., CCE, CVE), or a metric (e.g., CVSS, CCSS).
Organizations must categorize the specification as either an enumeration, a language, or a metric. Keeping the boundaries between the three categories ensures that proposed specifications can be validated once they mature and allows products to validate against only those specifications that apply to their offering. Use cases that require more than one category of specification may be implemented through a set of cooperating specifications, decomposed into separate categories. For example, languages are not prohibited from using enumerations or metrics; they simply must not define a new enumeration or metric as part of the language itself. Likewise, enumerations should not instantiate expression languages. If an enumeration requires an expression language, a separate language specification should be created that references the enumeration specification.
The proposal should address the Heilmeier questions with regard to the new specification.
The Heilmeier Questions
- WHAT ARE WE TRYING TO DO? What is the problem? What are we trying to accomplish?
- HOW DOES THIS GET DONE AT PRESENT? Who does it? What are the limitations of the present approaches? Why is it hard?
- WHAT IS NEW ABOUT OUR APPROACH? What is the new technical idea? Why do we think we can be successful at this time?
- IF WE SUCCEED, WHAT DIFFERENCE DO WE THINK IT WILL MAKE? What is the impact? Provide metrics.
- HOW LONG DO WE THINK IT WILL TAKE? How will the program be organized? How will intermediate results be generated? What are our mid-term and final exams to see how we are doing?
- CAN WE FACILITATE ADOPTION? How do we bring the benefits of the specification to the user community?
- HOW MUCH WILL IT COST?
Also consider the following questions:
- Who are the stakeholders and what is their role?
- How could this specification work in conjunction with other existing specifications?
- Are we the right organization to develop this specification, or are there more appropriate organizations? Have we contacted those organizations, and if so, are they willing to participate?