OCIL Schema Element Dictionary, OCIL Version 1.1, Release Date: May 20, 2009. The Open Checklist Interactive Language (OCIL) is a language to express a set of questions to be presented to a user and procedures to interpret responses to these questions for the purpose of developing security checklists. Although its intended domain of use is IT security, its generic nature allows for other applications. For instance, it could be used for authoring research surveys,...
The Applicability Language specification defines a standardized structure for forming complex logical expressions out of Well-formed Names (WFNs). These expressions, also known as applicability statements, are used to tag checklists, policies, guidance, and other documents with information about the product(s) to which the documents apply. For example, a security checklist for Mozilla Firefox 3.6 running on Microsoft Windows Vista could be tagged with a single applicability statement that ensures only systems with both Mozilla Firefox 3.6 and Microsoft Windows Vista will have the security...
The Dictionary specification defines the concept of a CPE dictionary, which is a repository of CPE names and metadata, with each name identifying a single class of IT product. The Dictionary specification defines processes for using the dictionary, such as how to search for a particular CPE name or look for dictionary entries that belong to a broader product class. Also, the Dictionary specification outlines all the rules that dictionary maintainers must follow when creating new dictionary entries and updating existing entries. CPE Dictionary Resources Release 2.3 CPE 2.3 Dictionary...
The Name Matching specification defines the procedures for comparing Well-formed Names (WFNs) to each other so as to determine whether they refer to some or all of the same products. CPE Name Matching Resources Name Matching CPE 2.3 Name Matching Resources (August 2011) Documentation: NISTIR 7696
The Naming specification defines the logical structure of Well-formed Names (WFNs), URI bindings, and formatted string bindings, and the procedures for converting WFNs to and from the bindings. CPE Naming Resources Release 2.3 CPE 2.3 Naming Resources (August 2011) XML Schema Files: [what is a schema?] CPE 2.3 Naming (XSD 1.0) Documentation: NISTIR 7695
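The three CPE 2.3 snippets above (Applicability Language, Name Matching, Naming) describe procedures without showing them in action. The following is an added example, not NIST code and not part of the original page: a deliberately simplified implementation of the formatted string binding from NISTIR 7695 (unbind and rebind, with backslash-escaped colons honoured but the full WFN quoting rules omitted), the pairwise attribute comparison from NISTIR 7696 (EQUAL / SUBSET / SUPERSET / DISJOINT, with ANY, NA and prefix/suffix wildcards), and an AND-only applicability statement in the spirit of NISTIR 7698. The CPE names for Firefox and Windows, the host inventories, and every function name are constructed for illustration and are not taken from the official dictionary.

```python
"""Simplified CPE 2.3 binding, name matching and applicability check.

Added example (not NIST code). Implements a subset of NISTIR 7695 (formatted
string binding), NISTIR 7696 (pairwise attribute comparison) and the AND
applicability idea of NISTIR 7698. Full WFN quoting rules are omitted; only
backslash-escaped colons inside a component are handled.
"""
import re

# The 11 WFN attributes in formatted-string order (after "cpe" and "2.3").
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")
ANY = "*"   # logical value ANY as bound in the formatted string
NA = "-"    # logical value NA as bound in the formatted string
EQUAL, SUBSET, SUPERSET, DISJOINT = "EQUAL", "SUBSET", "SUPERSET", "DISJOINT"


def unbind_fs(fs: str) -> dict:
    """Unbind a CPE 2.3 formatted string into a WFN-like attribute dict."""
    parts = re.split(r"(?<!\\):", fs)          # split on unescaped colons only
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    return dict(zip(ATTRS, parts[2:]))


def bind_fs(wfn: dict) -> str:
    """Bind a WFN-like dict back to the formatted string form."""
    return ":".join(["cpe", "2.3"] + [wfn[a] for a in ATTRS])


def _has_wildcard(value: str) -> bool:
    """True if the value carries an unescaped '*' or '?' (ANY is handled earlier)."""
    return re.search(r"(?<!\\)[*?]", value) is not None


def _wild_to_regex(value: str) -> str:
    """Translate a wildcarded value into an anchored regex; other chars literal."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):   # escaped char: literal
            out.append(re.escape(value[i + 1])); i += 2; continue
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def compare_attr(src: str, tgt: str) -> str:
    """Pairwise comparison of one attribute, source vs target (NISTIR 7696 rules)."""
    if src == ANY:
        return EQUAL if tgt == ANY else SUPERSET
    if tgt == ANY:
        return SUBSET
    if src == NA:
        return EQUAL if tgt == NA else DISJOINT
    if tgt == NA:
        return DISJOINT
    if _has_wildcard(tgt):
        raise ValueError("wildcards in the target name are undefined in 7696")
    if _has_wildcard(src):
        return SUPERSET if re.match(_wild_to_regex(src), tgt) else DISJOINT
    return EQUAL if src.lower() == tgt.lower() else DISJOINT   # case-insensitive


def compare_names(src: dict, tgt: dict) -> dict:
    """Attribute-by-attribute comparison result for two unbound names."""
    return {a: compare_attr(src[a], tgt[a]) for a in ATTRS}


def covers(src: dict, tgt: dict) -> bool:
    """True when the checklist name (src) is EQUAL or a SUPERSET of the inventory name (tgt) on every attribute."""
    return all(r in (EQUAL, SUPERSET) for r in compare_names(src, tgt).values())


def applies(statement: list, inventory: list) -> bool:
    """AND-of-names applicability: every required name must cover some inventory name."""
    have = [unbind_fs(n) for n in inventory]
    return all(any(covers(unbind_fs(req), h) for h in have) for req in statement)


# Constructed names (illustrative, not dictionary entries).
FIREFOX_36 = "cpe:2.3:a:mozilla:firefox:3.6:*:*:*:*:*:*:*"
VISTA_ANY = "cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*"
CHECKLIST_STATEMENT = [FIREFOX_36, VISTA_ANY]          # "Firefox 3.6 AND Windows Vista"
HOST_A = [FIREFOX_36, "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"]
HOST_B = [FIREFOX_36, "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*"]

if __name__ == "__main__":
    print("host A applies:", applies(CHECKLIST_STATEMENT, HOST_A))   # True
    print("host B applies:", applies(CHECKLIST_STATEMENT, HOST_B))   # False
    print("3.6 vs 3.6.28:", compare_attr("3.6", "3.6.28"))           # DISJOINT
```

Two practitioner caveats fall out of the matching rules: an exact version such as `3.6` is DISJOINT from a patched `3.6.28` inventory entry, so a checklist that should cover the whole branch must use a suffix wildcard (`3.6*`, which also matches `3.60`, so check the dictionary's version scheme first); and wildcards are only defined in the source (checklist) name, never in the target (inventory) name, which this code enforces by raising.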
The following products have been placed on the Removed Products List because they do not conform to the requirements of FIPS 201-2 effective since 9/05/14. Note: Validation of SP 800-73-1 and SP 800-73-2 based PIV Middleware has been superseded by SP 800-73-3 based PIV Middleware validation. All questions regarding the implementation and/or use of any PIV Middleware included in the validation list should first be directed to the vendor. SP 800-73-2 PIV Middleware Validation List Certificate # Product Name Vendor Validation Date 12...
Windows Vista Content
CCE entries are currently assigned to configuration issues by members of the CCE Content Team and posted on the public CCE Web site. Operating system vendors are encouraged to coordinate with the CCE Content Team to have CCEs assigned to their configuration controls and/or new platforms. Please contact cce@nist.gov for more information. Typically, a CCE Content Team Analyst first encounters a configuration issue in one of two ways: (1) The most common way an analyst encounters a configuration issue is a configuration guidance statement is in a resource document or audit tool. For example,...
Date: August 18, 2006 Document version: 0.1 This is a draft report and does not represent an official position of The MITRE Corporation. Copyright © 2006, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice. Table of Contents Summary and Purpose Content Decisions CD.1 Effect vs. Technical Mechanism (Basic CD) CD.2 One Effect/Multiple Technical Mechanisms (Combine) CD.3 One Effect/Multiple Parameter Values (Combine) CD.4 Single Object vs. Parameters...
CCE is industry-endorsed through the CCE Working Group, which includes members from industry, academia, and government. IMPORTANT: Activity on the CCE effort has been suspended Send comments or concerns to cce@nist.gov. Participants American International Group, Inc. Application Security Inc. ArcSight, Inc. Belarc, Inc. Bentley College BlackStratus, Inc. Booz Allen Hamilton Center for Internet Security CERIAS/Purdue University Cisco Systems, Inc. Critical Watch Defense Information Systems Agency (DISA) Department of Homeland...
The government-wide category consists of overlay submissions from federal, state, tribal, and local governments. Select from overlays listed below for more information and to access the overlay. Overlay Title Submitted by Overlay Description/Applicability Closed Isolated Network U.S. Army Europe A Closed Isolated Network is defined as a data communications enclave that operates in a single security domain, implements a security policy administered by a single authority, does not connect to any other network and has a single,...
This category consists of overlay submissions from commercial, educational, or non-profit organizations. Select from overlays listed below for more information and to access the overlay. Overlay Title Submitted by Overlay Description/Applicability Return to Control Overlay Repository Overview Disclaimer Statement The National Institute of Standards and Technology (NIST) has established the Security Overlay Repository as a public service. Security control overlays are made available by NIST...
The NIST-developed category consists of submissions developed by NIST staff or contractors. Select from overlays listed below for more information and to access the overlay. Overlay Name / Version Author / Point of Contact Technology or System Comment SP 800-82 v1 / Version 2 Author: Keith Stouffer PoC: Keith Stouffer x1234 Industrial Control System The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include...
Overlay Name: NIST SP 800-82, Rev 2, Guide to Industrial Control Systems (ICS) Security Overlay Publication Date: June 2015 Technology or System: Industrial Control Systems Overlay Author: Keith Stouffer (NIST), Victoria Pillitteri (NIST), Suzanne Lightman (NIST), Marshall Abrams (MITRE), Adam Hahn (MITRE) Comments: The ICS overlay is a partial tailoring of the controls and control baselines in SP 800-53, Revision 4, for Low, Moderate and High-Impact (per FIPS 199) ICS, with supplementary guidance specific to ICS. Refer to Appendix G in SP 800-82 for the ICS Overlay. Authors are...
Overlay Name: NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations Overlay Publication Date: April 2015 Technology or System: Cyber Supply Chain Overlay Author: Jon Boyens (NIST), Celia Paulsen (NIST), Rama Moorthy (Hatha Systems), Nadya Bartol (Utilities Telecom Council) Comments: Identification and augmentation of information and communications technology (ICT) supply chain risk management (SCRM)-related controls in SP 800-53, Revision 4. Refer to Chapter 3 for the ICT SCRM Controls. The audience for this publication is federal...
Overlay Name: Email Messaging Systems Overlay Publication Date: February 19, 2019 Technology or System: Email Messaging Systems Overlay Author: Scott Rose, NIST Comments: Overlay for email messaging systems using the SP 800-53, Revision 4 controls. Email system is taken to mean any system (as defined by FIPS 199), that is said to generate, send, or store email messages for an enterprise. Refer to Appendix C for the Email Messaging Systems Overlay. Overlay Point of Contact: Scott Rose Download Overlay Return to Control Overlay Repository Overview Disclaimer Statement The...