Migration of DISA Benchmarks to SCAP 1.2
Beginning with the January 2018 Quarterly Release, DISA will publish updated benchmarks using the Security Content Automation Protocol (SCAP), version 1.2. Migration to the SCAP 1.2 standard started with the recent release of the Windows Server 2016 Benchmark and will continue with the forthcoming release of the Red Hat Enterprise Linux 7 Benchmark.
SCAP 1.2 introduces new capabilities for automated assessments through its updated component languages, providing more flexibility in developing new content. Some of these capabilities, listed below, may be utilized in future DISA Benchmark updates or new releases.
- The Open Vulnerability and Assessment Language (OVAL), version 5.10, adds support for Windows PowerShell cmdlets, shared resource effective rights tests, and shared resource audited permissions tests. OVAL 5.10 improves support for Linux RPM verification. OVAL 5.10 also adds last-logon tests for both Windows and UNIX/Linux.
- The Common Platform Enumeration (CPE), version 2.3, includes an applicability language that gives the benchmark the ability to determine whether a particular STIG Rule applies to the system being evaluated. This facility has allowed the Windows Server 2016 Benchmark to be published as a single benchmark, with domain-controller and member-server checks being evaluated only as necessary.
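The applicability mechanism described above can be seen in a small evaluator. The following is an added example, not DISA content or any part of the Windows Server 2016 Benchmark: it parses a constructed XCCDF 1.2 fragment whose CPE 2.3 platform-specification defines a domain-controller platform and a member-server platform, then reports which rules apply to a host. The XML, the rule and platform ids, and the "role_domain_controller" CPE name are constructed for illustration and are not schema-validated; CPE names are matched as exact strings rather than by full CPE 2.3 well-formed-name comparison; and the host's CPE facts are passed in as a set, whereas a real SCAP scanner derives them from the CPE dictionary's OVAL inventory definitions.

```python
# Added example, not DISA content: evaluate a CPE 2.3 applicability-language
# platform-specification inside a minimal XCCDF 1.2 fragment and report which
# rules apply to a host. Assumptions: the XML, rule ids, platform ids and the
# "role_domain_controller" CPE name are constructed for illustration and not
# schema-validated; CPE names are matched as exact strings, not by full CPE 2.3
# well-formed-name comparison; host facts are passed in as a set of CPE names,
# whereas a real scanner derives them from OVAL inventory definitions.
import xml.etree.ElementTree as ET

NS = {
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
    "cpe-lang": "http://cpe.mitre.org/language/2.0",
}
WS2016 = "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*"
DC_ROLE = "cpe:2.3:a:example:role_domain_controller:*:*:*:*:*:*:*:*"  # hypothetical

# Constructed benchmark fragment: one platform-specification with two platforms
# and three rules; the rule without an xccdf:platform child applies everywhere.
BENCHMARK_XML = f"""
<xccdf:Benchmark id="xccdf_example_benchmark_ws2016"
    xmlns:xccdf="{NS['xccdf']}" xmlns:cpe-lang="{NS['cpe-lang']}">
  <cpe-lang:platform-specification>
    <cpe-lang:platform id="ws2016_domain_controller">
      <cpe-lang:logical-test operator="AND" negate="false">
        <cpe-lang:fact-ref name="{WS2016}"/>
        <cpe-lang:fact-ref name="{DC_ROLE}"/>
      </cpe-lang:logical-test>
    </cpe-lang:platform>
    <cpe-lang:platform id="ws2016_member_server">
      <cpe-lang:logical-test operator="AND" negate="false">
        <cpe-lang:fact-ref name="{WS2016}"/>
        <cpe-lang:logical-test operator="AND" negate="true">
          <cpe-lang:fact-ref name="{DC_ROLE}"/>
        </cpe-lang:logical-test>
      </cpe-lang:logical-test>
    </cpe-lang:platform>
  </cpe-lang:platform-specification>
  <xccdf:Rule id="xccdf_example_rule_audit_policy">
    <xccdf:title>Applies to every evaluated host</xccdf:title>
  </xccdf:Rule>
  <xccdf:Rule id="xccdf_example_rule_dc_only">
    <xccdf:title>Domain-controller check</xccdf:title>
    <xccdf:platform idref="#ws2016_domain_controller"/>
  </xccdf:Rule>
  <xccdf:Rule id="xccdf_example_rule_member_only">
    <xccdf:title>Member-server check</xccdf:title>
    <xccdf:platform idref="#ws2016_member_server"/>
  </xccdf:Rule>
</xccdf:Benchmark>
"""


def eval_logical_test(test, facts):
    """Recursively evaluate a cpe-lang:logical-test against the host's CPE facts."""
    op = (test.get("operator") or "AND").upper()
    negate = (test.get("negate") or "false").lower() == "true"
    results = []
    for child in test:
        if child.tag == f"{{{NS['cpe-lang']}}}fact-ref":
            results.append(child.get("name") in facts)
        elif child.tag == f"{{{NS['cpe-lang']}}}logical-test":
            results.append(eval_logical_test(child, facts))
    value = all(results) if op == "AND" else any(results)
    return (not value) if negate else value


def load_platforms(root):
    """Map platform id -> its top-level logical-test from the platform-specification."""
    spec = root.find("cpe-lang:platform-specification", NS)
    return {p.get("id"): p.find("cpe-lang:logical-test", NS)
            for p in spec.findall("cpe-lang:platform", NS)}


def applicable_rules(xml_text, host_facts):
    """Return ids (in document order) of rules whose platform, if any, matches the host."""
    root = ET.fromstring(xml_text)
    platforms = load_platforms(root)
    facts = set(host_facts)
    applies = []
    for rule in root.iter(f"{{{NS['xccdf']}}}Rule"):
        refs = [p.get("idref", "") for p in rule.findall("xccdf:platform", NS)]
        if not refs:  # no platform restriction: the rule applies to every host
            applies.append(rule.get("id"))
        elif any(r.startswith("#") and r[1:] in platforms
                 and eval_logical_test(platforms[r[1:]], facts) for r in refs):
            applies.append(rule.get("id"))
    return applies


if __name__ == "__main__":
    hosts = [("domain controller", {WS2016, DC_ROLE}),
             ("member server", {WS2016}),
             ("non-2016 host", {"cpe:2.3:o:microsoft:windows_server_2012_r2:*:*:*:*:*:*:*:*"})]
    for label, facts in hosts:
        print(f"{label}: {applicable_rules(BENCHMARK_XML, facts)}")
```

The member-server platform is expressed as "Windows Server 2016 AND NOT domain-controller role" using a nested logical-test with negate="true", which is how a single benchmark can carry both sets of checks and have each evaluated only where it applies. A rule that carries no xccdf:platform element inherits the enclosing benchmark's applicability and is reported for every host.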
DISA continues validation testing of SCAP 1.2 content with recent versions of HBSS/ePO/Policy Auditor, SPAWAR SCC, and ACAS. Though the content will be published as a ZIP file, ePO requires that the contents of the ZIP be extracted and then imported, rather than the ZIP file itself.
As SCAP 1.2 releases of benchmarks are posted, previous SCAP 1.1 releases will be removed from IASE. To prepare for SCAP 1.2 content, please ensure your organization is using the current STIG tools and automation content available from IASE.