The Internet Engineering Task Force (IETF) has a Security Automation and Continuous Monitoring (SACM) working group which is chartered to develop standardized protocols and data formats to support automated assessment of networked computing devices. The standards to be produced by this working group are intended to support standardized assessment capabilities as part of an organization’s typical management infrastructure. These assessment capabilities are intended to support vulnerability, configuration, and software inventory management use cases. DHS, NSA, and NIST have been working with MITRE to develop an IETF Internet Draft that explores vulnerability management in the context of the SACM work.
We believe that exploring a use case targeted at automated enterprise vulnerability assessment will help the working group in developing standard protocols and data formats that are targeted to real enterprise needs and ensure much-needed interoperability between vulnerability data sources and products. There will be a discussion of this draft at the IETF 94 meeting in Japan next week.
Meeting details (also attached):
Date/Time: Wednesday, November 4th, 2015 @ 7pm EST
As key members of the vulnerability community, we hope you can attend this meeting either in person or remotely to help encourage the working group to consider working on an end-to-end set of standards that will support automated vulnerability assessment by enterprises in addition to other assessment use cases. We think that this work would add value to the CVE, SCAP, and related efforts.
Please let us know if you have any questions.
Information Technology Laboratory | Computer Security Division