This report describes the Software Engineering Institute’s (SEI’s) 2011 work for the National Security Agency (NSA) to develop standards for automated remediation of vulnerabilities and compliance issues on Department of Defense (DoD) networked systems. The SEI developed a remediation manager reference implementation that demonstrates how evolving standards can communicate and process information on vulnerabilities, compliance issues, remediation policy, and remediation actions. An earlier report, Standards-Based Automated Remediation: A Remediation Manager Reference Implementation (CMU/SEI-11-SR-007), described the project’s concept, vision, scope, requirements, and the remediation manager implementation as of December 30, 2010. Since then, the SEI has analyzed additional user scenarios, continued remediation standards development, and added new capabilities to the reference implementation.
The remediation manager can employ standards throughout the compliance issue remediation cycle. Using common formats and languages, the reference implementation ingests scan findings, extracts host compliance issues and vulnerabilities, maps them to remediation actions, builds remediation tasks, transmits remediation tasks to a Remediation Tool on a host system, and receives remediation task execution status from the Remediation Tool. In 2011 the SEI added a standards-based remediation policy management capability, enabling users to examine, tailor, and apply standard DoD policy to meet local needs.