The security compliance space is diverse: many standards, specifications and recommendations exist. Some are designed to be used together with SCAP, and we do our best to support those use cases. Others are orthogonal to SCAP, and some may even be intended to replace it eventually.
We proactively follow new standards and evaluate how OpenSCAP could be extended to interoperate with them.
Security Automation and Continuous Monitoring (SACM) is a life-cycle process that provides effective asset control and efficient delivery of information. The process covers managing resources (infrastructure, data), capabilities (people) and artifacts (hardware, software, documentation).
As of September 2015, SACM is a standard being developed in an IETF working group of the same name; the specification documents are still in draft state.
Software identification tags (SWID tags, defined in ISO/IEC 19770-2) record unique information about an installed software product, including its name, edition, version, whether it is part of a bundle, and more. A SWID tag is an XML document installed alongside the software; it identifies the product uniquely and supplies data for software inventory and asset management, and a tag that records file sizes and hashes in its payload can also be used to check that the installed files have not been altered.
SWID is not yet widely deployed, but its outlook is promising as adoption ramps up.
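The following is an added example and not OpenSCAP project code: a small reader for a SWID 2015 tag that extracts the identity fields an inventory tool would index (name, tagId, version, the creator's regid) and then compares the sizes and SHA-256 hashes recorded in the tag's Payload against file contents. The sample tag, the product name "exampleapp", the regid "example.org" and the in-memory "filesystems" are all constructed for this illustration; the only real identifiers are the ISO/IEC 19770-2:2015 namespace and the XML Encryption SHA-256 namespace that SWID tags use for hash attributes.

```python
"""Minimal SWID (ISO/IEC 19770-2:2015) tag reader and payload verifier.

Added example, not OpenSCAP project code. The sample tag below is
constructed: the product, tagId, regid and file contents are hypothetical.
"""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample tag for a hypothetical product. The first two File
# entries carry hashes of b"hello world" and b"hello"; the README has none.
SAMPLE_TAG = f"""<?xml version="1.0" encoding="UTF-8"?>
<SoftwareIdentity xmlns="{SWID_NS}" xmlns:sha256="{SHA256_NS}"
    name="exampleapp" tagId="example.org-exampleapp-1.2.3"
    version="1.2.3" versionScheme="multipartnumeric" tagVersion="1">
  <Entity name="Example Org" regid="example.org" role="softwareCreator tagCreator"/>
  <Payload>
    <Directory root="/usr" name="bin">
      <File name="exampleapp" size="11"
            sha256:hash="b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"/>
      <File name="exampleapp-helper" size="5"
            sha256:hash="2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"/>
    </Directory>
    <Directory root="/usr/share/doc" name="exampleapp">
      <File name="README" size="4"/>
    </Directory>
  </Payload>
</SoftwareIdentity>
"""

# Constructed in-memory filesystems: path -> file bytes.
GOOD_FS = {
    "/usr/bin/exampleapp": b"hello world",
    "/usr/bin/exampleapp-helper": b"hello",
    "/usr/share/doc/exampleapp/README": b"docs",
}
TAMPERED_FS = {
    "/usr/bin/exampleapp": b"hello world",
    "/usr/bin/exampleapp-helper": b"hullo",   # same size, different content
    # README deleted
}


@dataclass
class SwidTag:
    name: str
    tag_id: str
    version: str
    creators: list = field(default_factory=list)  # regids with softwareCreator role
    files: dict = field(default_factory=dict)     # path -> (size or None, sha256 hex or None)


def _join(prefix: str, name: str) -> str:
    return f"{prefix.rstrip('/')}/{name}" if prefix else name


def _collect_files(node, prefix: str, out: dict) -> None:
    """Walk Directory/File items, building absolute paths from root/name attributes."""
    for child in node:
        local = child.tag.rsplit("}", 1)[-1]
        if local == "Directory":
            base = child.get("root", prefix)  # a root attribute restarts the path
            _collect_files(child, _join(base, child.get("name", "")), out)
        elif local == "File":
            size = child.get("size")
            out[_join(prefix, child.get("name", ""))] = (
                int(size) if size is not None else None,
                child.get(f"{{{SHA256_NS}}}hash"),
            )


def parse_swid(xml_text: str) -> SwidTag:
    """Parse a SWID 2015 tag; name and tagId are mandatory per the schema."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError(f"not a SWID 2015 tag: {root.tag}")
    name, tag_id = root.get("name"), root.get("tagId")
    if not name or not tag_id:
        raise ValueError("SWID tag must carry both name and tagId")
    tag = SwidTag(name=name, tag_id=tag_id, version=root.get("version", "0.0"))
    for ent in root.findall(f"{{{SWID_NS}}}Entity"):
        if "softwareCreator" in ent.get("role", "").split():  # role is space-separated
            tag.creators.append(ent.get("regid", "invalid.unavailable"))
    payload = root.find(f"{{{SWID_NS}}}Payload")
    if payload is not None:
        _collect_files(payload, "", tag.files)
    return tag


def verify_payload(tag: SwidTag, fs: dict) -> list:
    """Return (path, problem) for every payload file that cannot be confirmed intact."""
    problems = []
    for path, (size, digest) in tag.files.items():
        data = fs.get(path)
        if data is None:
            problems.append((path, "missing"))
            continue
        if size is not None and len(data) != size:
            problems.append((path, "size mismatch"))
        if digest is None:
            problems.append((path, "no hash recorded"))  # unverifiable is a finding too
        elif hashlib.sha256(data).hexdigest() != digest.lower():
            problems.append((path, "hash mismatch"))
    return problems


if __name__ == "__main__":
    tag = parse_swid(SAMPLE_TAG)
    print(tag.name, tag.version, tag.tag_id, tag.creators)
    print("good:", verify_payload(tag, GOOD_FS))
    print("tampered:", verify_payload(tag, TAMPERED_FS))
```

Note that the README, which the tag lists without a hash, is reported even against the intact filesystem: a tag can only attest the integrity of files whose hashes it records, so an inventory tool should treat unhashed payload entries as unverified rather than silently passing them.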
Common Criteria (ISO/IEC 15408) is an international standard for evaluating and certifying the security of IT products. A Protection Profile specifies the security requirements for a class of products; a product is evaluated against the applicable Protection Profile (or its own Security Target) and certified at a defined Evaluation Assurance Level.
The Federal Information Processing Standards (FIPS) are an official set of standards developed by the United States federal government. They apply to the use of computer systems by non-military government agencies, and by government contractors and vendors who work with those agencies. The standards are issued to establish requirements for purposes such as computer security and interoperability, and are intended for cases in which no suitable industry standard already exists.
For more information, please visit the FIPS pages on the NIST website.