Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains

This publication binds together the CM workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration, and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it requires that results be reported in an SCAP-compliant format. This specification gives an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.

1 The acronym CM in this publication is not to be confused with its use in other NIST 800 series publications, which use the abbreviation CM to denote “Configuration Management.”

2 The co-chairs are listed on the Office of Management and Budget website https://max.omb.gov/community/display/Egov/Continuous+Monitoring+Working+Group+Members.