SCAP is on the rise in the federal sector, with the potential to expand its reach well beyond the governments space.
As the third quarter draws to a conclusion today, our colleagues in the government ranks are hurrying to close out their fiscal year, with many agencies signing off on last minute deals to utilize all the budgetary dollars that they were granted in 2010 (is that a bell that I hear ringing?).
That said, a quick trip into the world of the Beltway segment – in my case via the Federal Business Council’s annual IT Security Automation Expo, held in Baltimore this week – makes one point perfectly clear: government decision makers are sinking their teeth into the Security Content Automation Protocol (SCAP) and if you want to play in their world, you better be ready to swallow the standards too.
What exactly is SCAP? In more formal terms, SCAP is a common format for exchanging IT security data that was first conceived by NIST and the National Security Agency (NSA). It comprises a suite of specifications used for organizing and expressing security-related information in standardized manner, and was derived specifically from input solicited from across the government sector.
In layman’s terms, it’s a standard that forces vendors of different security technologies to produce output in a common language, aimed at saving government security teams lots of time and money traditionally spent on translating information and integrating solutions.
The message from policy makers to us vendors couldn’t be more direct: you guys make your stuff work together before we buy it, so that we don’t have to do it ourselves.
As both a taxpayer and a minor cog in this massive security market I’d have to say, that sure seems to make a lot of sense. What good does it do anybody to have proprietary data reporting practices layered throughout our security infrastructure? (Well, anyone but consultants of course.)
In talking to people at the FBC Expo this week, the refrain rang loud that government practitioners are taking SCAP seriously, and that vendors who don’t move to align their products under the standard are likely going to be left behind in the coming fiscal calendar year.
I also heard from various attendees that they are also aware of non-government entities who’ve begun actively subscribing to the standard, including organizations in the financial services and energy sectors.
Of course, that’s why we here at Core made sure that we gained validation around SCAP from NIST long before the day comes that it’s no longer a nice-to-have but a requirement, with IMPACT Pro users able to export information in an XML format using standards to help with continuous monitoring, vulnerability data management and security assessment.
And as SCAP is specifically identified by NIST as a significant element of its rapidly expanding security automation agenda, so Core is obviously very interested in getting onboard, as automation is the lifeblood of our testing solutions.
To quote our VP of Product Management Fred Pinkett who led our SCAP validation efforts and is someone far more familiar with the true operational implications of the standards:
“We are glad to be SCAP certified. We did it because the real-world vulnerability information provided by CORE IMPACT is even more valuable when brought together by our customers in the federal government to optimize their efforts around critical infrastructure. We’ve long been integrated with vulnerability scanners and had XML explorts, so we did this ourselves when there wasn’t a standard. Now that there’s a standard way to share this data out of IMPACT were happy to be a part of it.” he said.
So stay tuned. Be prepared to hear a lot more about SCAP in the coming months and years as it evolves from an emerging security standard to a formal best practice, and then beyond.
Because if there’s common language resonating throughout the government IT security community today in general, particularly as related to shopping for products, much of the talk seems to be about SCAP.
Now we just need to decide once and for all if we’re actually going to pronounce it phonetically, or as “S-CAP,” but please don’t ask me to decide.