
BMC Client Management - SCAP Implementation Statement


SCAP Implementation Statement

The SCAP features in BMC Client Management comply with the Technical Specification for the Security Content Automation Protocol (SCAP) Version 1.3 (NIST Special Publication 800-126 Revision 3). Using features in the BMC Client Management Console, you import SCAP content from third-party sources, such as the NIST NVD National Checklist Program repository. Results are generated as XML files that comply with the ARF (SCAP result data stream) and XCCDF specifications.

BMC Software, Inc. asserts that BMC Client Management (BCM) version 21.02 meets or exceeds the Security Content Automation Protocol (SCAP) Version 1.3 Validation Program Test Requirements for SCAP 1.1, 1.2 and 1.3 as described in NISTIR 7511 Revision 5 for the following SCAP capabilities and supported platform families:

Capabilities

  • Authenticated Configuration Scanner.
  • Common Vulnerabilities and Exposures (CVE) Option.

Platform Families

  • Microsoft Windows 7 SP1 or later, 64-bit edition.
  • Microsoft Windows 8.1 SP0 or later, 64-bit edition.
  • Microsoft Windows 10 SP0 or later, 64-bit edition.
  • Microsoft Windows Server 2012 R2 SP0 or later, 64-bit edition.
  • Red Hat Enterprise Linux 6, 64-bit edition.
  • Red Hat Enterprise Linux 7, 64-bit edition.

BMC Client Management additionally provides SCAP capabilities for other systems, such as macOS and other Windows and Linux versions, but those platforms are not covered by the SCAP validation.

SCAP 1.3 Conformance

BMC Client Management conforms to the specifications of the Security Content Automation Protocol, version 1.3 (SCAP 1.3), as outlined in NIST Special Publication (SP) 800-126 rev 3. As part of the SCAP 1.3 protocol, BMC Client Management assessment capabilities have been expanded to include the consumption of source data stream collection XML files and the generation of well-formed SCAP result data streams.

To exercise this capability, download SCAP 1.3 content from the NIST NVD National Checklist Program repository, or from any other source of SCAP 1.3 compliant content, and run assessments in the same way as with BMC Client Management custom compliance.

The BMC Client Management implementation includes the following components:

  • Asset Identification (AI) version 1.1. A format for uniquely identifying assets based on known identifiers and/or known information about the assets.
  • Asset Reporting Format (ARF) version 1.1. A format for expressing the transport format of information about assets and the relationships between assets and reports.
  • Common Configuration Enumeration (CCE) version 5. A nomenclature and dictionary of software security configurations.
  • Common Configuration Scoring System (CCSS) version 1.0. A system for measuring the relative severity of system security configuration issues.
  • Common Platform Enumeration (CPE) version 2.3. A nomenclature and dictionary of hardware, operating systems, and applications.
  • Common Vulnerabilities and Exposures (CVE). A nomenclature and dictionary of security-related software flaws.
  • Common Vulnerability Scoring System (CVSS) version 2.0. A system for measuring the relative severity of software flaw vulnerabilities.
  • Software Identification (SWID) tags, ISO/IEC 19770-2:2015. A format for representing software identifiers and associated metadata.
  • Open Vulnerability and Assessment Language (OVAL) 5.11.2. A language for representing system configuration information, assessing machine state, and reporting assessment results.
  • Trust Model for Security Automation Data (TMSAD) signatures version 1.0. A common trust model that can be applied to specifications within the security automation domain. Digital signature verification is performed during content validation, but the XML reports generated by Client Management do not include TMSAD signatures.
  • Extensible Configuration Checklist Description Format (XCCDF) version 1.2. A language for authoring security checklists/benchmarks and for reporting results of evaluating them.
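The two file formats named in the conformance section above, the source data stream collection that is consumed and the ARF result data stream that is produced, are plain XML and can be inspected before and after an assessment. The following is an added example, not BMC Client Management code: it parses a constructed, minimal SCAP 1.3 data stream collection (listing each data stream, its referenced checklist and check components, the XCCDF profiles it carries, and any component-ref whose xlink:href does not resolve, which is the kind of defect content validation must reject), and summarizes a constructed ARF result by XCCDF rule outcome. All scap_org.example_* and xccdf_org.example_* identifiers are invented for illustration; the namespace URIs are the ones fixed by the SCAP, XCCDF 1.2, ARF 1.1 and XLink specifications.

```python
"""Walk a SCAP 1.3 source data stream collection and an ARF result.
Added example, not BMC Client Management code. Both XML documents are constructed
stand-ins; every scap_org.example_* / xccdf_org.example_* identifier is invented."""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace URIs fixed by the SCAP source data stream, XCCDF 1.2, ARF 1.1 and XLink specs.
NS = {"ds": "http://scap.nist.gov/schema/scap/source/1.2",
      "xccdf": "http://checklists.nist.gov/xccdf/1.2",
      "arf": "http://scap.nist.gov/schema/asset-reporting-format/1.1",
      "xlink": "http://www.w3.org/1999/xlink"}
XLINK_HREF = "{%s}href" % NS["xlink"]

# Constructed collection: one CONFIGURATION stream whose checklist ref points at an
# XCCDF benchmark component and whose checks ref points at an (empty) OVAL component.
SOURCE_DS = """<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="scap_org.example_collection_demo" schematron-version="1.3">
  <ds:data-stream id="scap_org.example_datastream_demo" scap-version="1.3" use-case="CONFIGURATION">
    <ds:checklists><ds:component-ref id="scap_org.example_cref_xccdf" xlink:href="#scap_org.example_comp_xccdf"/></ds:checklists>
    <ds:checks><ds:component-ref id="scap_org.example_cref_oval" xlink:href="#scap_org.example_comp_oval"/></ds:checks>
  </ds:data-stream>
  <ds:component id="scap_org.example_comp_xccdf" timestamp="2024-01-01T00:00:00">
    <xccdf:Benchmark id="xccdf_org.example_benchmark_demo">
      <xccdf:Profile id="xccdf_org.example_profile_baseline">
        <xccdf:select idref="xccdf_org.example_rule_min_pw_len" selected="true"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
  <ds:component id="scap_org.example_comp_oval" timestamp="2024-01-01T00:00:00">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
  </ds:component>
</ds:data-stream-collection>"""

# Constructed ARF result: one XCCDF TestResult holding three rule results.
ARF_RESULT = """<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <arf:reports><arf:report id="xccdf1"><arf:content>
    <xccdf:TestResult id="xccdf_org.example_testresult_demo">
      <xccdf:benchmark href="#scap_org.example_comp_xccdf" id="xccdf_org.example_benchmark_demo"/>
      <xccdf:profile idref="xccdf_org.example_profile_baseline"/>
      <xccdf:rule-result idref="xccdf_org.example_rule_min_pw_len"><xccdf:result>fail</xccdf:result></xccdf:rule-result>
      <xccdf:rule-result idref="xccdf_org.example_rule_lockout"><xccdf:result>pass</xccdf:result></xccdf:rule-result>
      <xccdf:rule-result idref="xccdf_org.example_rule_audit"><xccdf:result>notselected</xccdf:result></xccdf:rule-result>
    </xccdf:TestResult>
  </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>"""


def inventory_source_stream(xml_text):
    """One dict per <ds:data-stream>: version, use case, referenced component ids, and
    any component-ref whose xlink:href does not resolve to a <ds:component> in this
    collection (a dangling reference that content validation should reject)."""
    root = ET.fromstring(xml_text)
    components = {c.get("id") for c in root.findall("ds:component", NS)}
    streams = []
    for stream in root.findall("ds:data-stream", NS):
        entry = {"id": stream.get("id"), "scap_version": stream.get("scap-version"),
                 "use_case": stream.get("use-case"), "dictionaries": [],
                 "checklists": [], "checks": [], "dangling": []}
        for section in ("dictionaries", "checklists", "checks"):
            for cref in stream.findall("ds:%s/ds:component-ref" % section, NS):
                href = cref.get(XLINK_HREF, "")
                if href.startswith("#") and href[1:] in components:  # local refs only
                    entry[section].append(href[1:])
                else:
                    entry["dangling"].append(cref.get("id"))
        streams.append(entry)
    return streams


def benchmark_profiles(xml_text, component_id):
    """Map each XCCDF Profile id in the named component to the rule ids it selects."""
    root = ET.fromstring(xml_text)
    for comp in root.findall("ds:component", NS):
        if comp.get("id") == component_id:
            bench = comp.find("xccdf:Benchmark", NS)
            if bench is None:
                return {}
            return {p.get("id"): [s.get("idref") for s in p.findall("xccdf:select", NS)
                                  if s.get("selected") == "true"]
                    for p in bench.findall("xccdf:Profile", NS)}
    raise KeyError("no component with id %r" % component_id)


def summarize_arf(xml_text):
    """Per XCCDF TestResult: profile used, count of each result value, rules needing follow-up."""
    root = ET.fromstring(xml_text)
    summaries = []
    for tr in root.findall(".//arf:report/arf:content/xccdf:TestResult", NS):
        counts, attention = Counter(), []
        for rr in tr.findall("xccdf:rule-result", NS):
            result = rr.findtext("xccdf:result", default="unknown", namespaces=NS)
            counts[result] += 1
            if result in ("fail", "error", "unknown"):
                attention.append(rr.get("idref"))
        profile = tr.find("xccdf:profile", NS)
        summaries.append({"test_result": tr.get("id"), "counts": dict(counts),
                          "profile": None if profile is None else profile.get("idref"),
                          "needs_attention": attention})
    return summaries
```

Two practical notes. First, SCAP content downloaded from a third-party repository is untrusted input to the XML parser; the standard library parser used here does not resolve external entities, but for production tooling prefer a hardened parser such as defusedxml (an assumption about your environment, not something the page prescribes), and verify the TMSAD signature before trusting the content. Second, a component-ref that resolves outside the collection is reported as dangling by this example because data stream collections are expected to be self-contained; a stricter checker would also confirm that the referenced component actually contains an XCCDF Benchmark, OVAL definitions or CPE dictionary as its section requires.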

SCAP 1.0 Compatibility

BMC Client Management natively supports the SCAP 1.0 specification, including:

  • Extensible Configuration Checklist Description Format (XCCDF) version 1.1.4.
  • Open Vulnerability and Assessment Language (OVAL) version 5.3 and 5.4.
  • Common Configuration Enumeration (CCE) version 5.
  • Common Platform Enumeration (CPE) version 2.2.
  • The Common Vulnerabilities and Exposures (CVE).
  • Common Vulnerability Scoring System (CVSS) version 2.0.

Note that BMC Client Management can still process SCAP 1.0 content but can no longer validate it. Only SCAP 1.1, SCAP 1.2 and SCAP 1.3 content can be validated.

SCAP 1.1 Compatibility

BMC Client Management natively supports the SCAP 1.1 specification, including:

  • Extensible Configuration Checklist Description Format (XCCDF) version 1.1.4.
  • Open Vulnerability and Assessment Language (OVAL) version 5.8.
  • Common Configuration Enumeration (CCE) version 5.
  • Common Platform Enumeration (CPE) version 2.2.
  • Common Vulnerabilities and Exposures (CVE).
  • Common Vulnerability Scoring System (CVSS) version 2.0.

SCAP 1.2 Compatibility

BMC Client Management natively supports the SCAP 1.2 specification, including:

  • Asset Identification (AI) version 1.1.
  • Asset Reporting Format (ARF) version 1.1.
  • Common Configuration Enumeration (CCE) version 5.
  • Common Configuration Scoring System (CCSS) version 1.0.
  • Common Platform Enumeration (CPE) version 2.3.
  • Common Vulnerabilities and Exposures (CVE).
  • Common Vulnerability Scoring System (CVSS) version 2.0.
  • Open Vulnerability and Assessment Language (OVAL) version 5.10.1.
  • Trust Model for Security Automation Data (TMSAD) version 1.0.
  • Extensible Configuration Checklist Description Format (XCCDF) version 1.2.

CVE and CCE lists

BMC Client Management allows you to import CVE and CCE lists. These lists belong to the open standards that NIST uses in its Security Content Automation Protocol (SCAP) program. Through consistent identifiers, they improve data correlation, enable interoperability, foster automation, and ease the gathering of metrics for situational awareness, IT security audits, and regulatory compliance. CVE provides this capability for information security vulnerabilities, whereas CCE assigns a unique and common identifier to a particular security-related configuration issue:

  • CVE® (Common Vulnerabilities and Exposures) is a dictionary of common names (that is, CVE Identifiers) for publicly known information security vulnerabilities. CVE is now the industry standard for vulnerability and exposure names. CVE Identifiers provide reference points for data exchange so that information security products and services can speak with each other.
  • CCE (Common Configuration Enumeration) lists provide unique identifiers for security-related system configuration issues, improving workflow by enabling fast and accurate correlation of configuration data across multiple information sources and tools.


BMC Client Management 26.1