This report describes the Software Engineering Institute's work in calendar year 2010 for the National Security Agency Computer Network Defense Research and Technology Program Management Office to develop standards for remediation of vulnerabilities and compliance issues on Department of Defense (DoD) networked systems. The overall goals are to assist in the development of remediation standards, demonstrate the functionality DoD would like in a remediation manager, and increase efficiency and effectiveness of remediation by automating the remediation process. The 2010 Remediation Manager reference implementation demonstrates the following potential applications of remediation and other security automation standards: (1) Ingest scan findings in Security Content Automation Protocol (SCAP) format, extracting host compliance issues (in Common Configuration Enumeration [CCE] format) and vulnerabilities (in Common Vulnerability Enumerations [CVE] format). (2) Map CCE and CVE to remediation actions (in Common Remediation Enumeration [CRE] format). (3) Build remediation tasks in Remediation Tasking Language (RTL), based on CRE. (4) Transmit remediation tasks to a Remediation Tool on a host system. (5) Receive remediation task execution status, in RTL Results Format, from the Remediation Tool. This report identifies capabilities considered for future versions of the reference implementation and the operational system as well as challenges for future work.
Related ReadingStandards-Based Automated Remediation: A Remediation Manager Reference Implementation, 2011 Update