A Collection of Information Security Community Standardization Activities and Initiatives

By Category

MITRE, in collaboration with government, industry, and academia, maintains registries of baseline security data, provides standardized languages as a means of accurately communicating that information, defines proper usage, and helps establish community approaches for standardized processes. Please note that the efforts and activities listed here range from mature efforts, to those still building momentum, to initial concepts.

Categories: Languages/Formats; Registries; Compatible Usage; Standardized Processes

Open Vulnerability and Assessment Language (OVAL®) - standard for determining vulnerability and configuration issues

Malware Attribute Enumeration and Characterization (MAEC™)

Cyber Observable Expression (CybOX™)

Structured Threat Information Expression (STIX™)

Trusted Automated eXchange of Indicator Information (TAXII™)

Common Platform Enumeration (CPE) Specifications

Extensible Configuration Checklist Description Format (XCCDF)

Open Checklist Interactive Language (OCIL)

Common Weakness Scoring System (CWSS™)

Common Weakness Risk Analysis Framework (CWRAF™)

Common Vulnerability Scoring System (CVSS)

Policy Language for Assessment Results Reporting (PLARR)

Assessment Results Format (ARF)

Asset Summary Reporting (ASR)

Common Frameworks for Vulnerability Disclosure and Response (CVRF)

Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 (NIST SP 800-126)

Common Configuration Scoring System (CCSS) Specification (NIST IR-7502)

Structured Assurance Case Metamodel (SACM) Specification (OMG)

Real-time Inter-network Defense (RID) (IETF/RFC)

Transport of Real-time Inter-network Defense (RID-T) Messages (IETF/RFC)

Knowledge Discovery Metamodel (KDM) (OMG/ISO 19506)

Software Identification (SWID) Specification (ISO 19770-2)

Incident Object Description Exchange Format (IODEF) [RFC 5070]

Extensions to the IODEF-Document Class for Reporting Phishing [RFC 5901]

IODEF-Extension to Support Structured Cybersecurity Information [Active Internet-Drafts]

Guidelines for Extensions to IODEF for Managed Incident Lightweight Exchange [Active Internet-Drafts]

Guidelines for Extensions to IODEF for Managed Incident Lightweight Exchange Template [Active Internet-Drafts]

Common Vulnerabilities and Exposures (CVE®) List

OVAL Repository - community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions

Common Weakness Enumeration (CWE™) List

Common Attack Pattern Enumeration and Classification (CAPEC™) List

Common Configuration Enumeration (CCE) List

Common Platform Enumeration (CPE) List

CWE/SANS Top 25 Most Dangerous Software Errors

Center for Internet Security (CIS) Consensus Security Metrics Definitions

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance

SANS Top Cyber Security Risks - community consensus list of the Most Critical Internet Security Threats and Vulnerabilities that uses CVE-IDs to identify the issues

National Vulnerability Database (NVD) - U.S. vulnerability database based on CVE that integrates all publicly available vulnerability resources and references

Red Hat OVAL Repository

Novell OVAL Repository

Debian OVAL Repository

IT Security Database OVAL Repository

SecPod Technologies SCAP Feed and Repository

Altx-Soft OVAL Repository

SECURITY-DATABASE OVAL Repository

Positive Technologies OVAL Repository

Defense Information Systems Agency Field Security Operations (DISA FSO) DoD SCAP Content Repository

OWASP Top Ten - community consensus list of the ten most critical Web application security flaws that uses CWE-IDs to uniquely identify the issues it describes

WASC Web Security Threat Classification

U.S. Federal Desktop Core Configuration (FDCC) - OMB-mandated security configuration for Microsoft Windows Vista and XP operating system software that uses CCE-IDs as the main identifiers for the settings in the FDCC data file downloads

United States Government Configuration Baseline (USGCB) - security configuration baselines for IT products deployed across federal agencies

U.S. Defense Information Systems Agency's (DISA) Security Technical Implementation Guides (STIGs)

Center for Internet Security (CIS) Benchmarks

Software Identification (SWID) Tags - when combined, CPE-IDs and SWID Tags provide authoritative identification details

Security Focus Bugtraq IDs

Secunia Advisory IDs

Symantec DeepSight IDs

IBM Internet Security Systems X-Force IDs

Microsoft Security Bulletin IDs

Red Hat Errata IDs

Common Remediation Enumeration (CRE) Version 1.0 (NIST IR-7831)

Requirements and Recommendations for CVE Compatibility

List of CVE-Compatible Products/Services

Requirements and Recommendations for OVAL Adoption and Use

List of OVAL Adopter Products/Services

Requirements and Recommendations for CWE Compatibility and CWE Effectiveness

List of CWE-Compatible Products/Services

Requirements and Recommendations for CAPEC Compatibility

Requirements and Recommendations for MAEC Compatibility

Guide to Adopting and Using the Security Content Automation Protocol (SCAP) (NIST SP 800-117)

Security Content Automation Protocol (SCAP) Validation Program Derived Test Requirements Document (NIST IR-7511)

List of NIST SCAP-Validated Tools

Guide to Using Vulnerability Naming Schemes (CVE/CCE) (NIST SP 800-51, Revision 1)

OVAL Interpreter - free reference implementation tool for collecting information for testing, carrying out OVAL Definitions, and presenting results of the tests (MITRE)

XCCDF Interpreter - free open-source Java-based tool that facilitates use of XCCDF (NIST)

OCIL Interpreter - free Java-based tool for evaluating OCIL documents (NIST)

NIST Security Content Automation Protocol (SCAP) - security content for automating technical control compliance activities, vulnerability checking, and security measurement

Security Content Automation Protocol (SCAP) Validation (NIST IR-7511)

Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137)

Common Criteria (ISO 18045 & ISO 15408)

Vulnerability Assessment (ISO TR 20004)

Assurance Case (ISO 15026-2)

Guide to Selecting Information Technology Security Products (NIST SP 800-36)

Creating a Patch and Vulnerability Management Program (NIST SP 800-40 Version 2)

Technical Guide to Information Security Testing and Assessment (NIST SP 800-115)

Guidelines on Securing Public Web Servers (NIST SP 800-44 Version 2)

Guide to Using Vulnerability Naming Schemes (CVE/CCE) (NIST SP 800-51)

Guide for Assessing the Security Controls in Federal Information Systems (NIST SP 800-53a)

Computer Security Incident Handling Guide (NIST SP 800-61 Revision 2)

U.S. National Checklist Program for IT Products: Guidelines for Checklist Users and Developers (NIST SP 800-70 Revision 2)

Guide to Industrial Control Systems (ICS) Security (NIST SP 800-82)

Guide to Integrating Forensic Techniques into Incident Response (NIST SP 800-86)

Guide to Intrusion Detection and Prevention Systems (IDPS) (NIST SP 800-94)

Technical Guide to Information Security Testing and Assessment (NIST SP 800-115)

Guide to Adopting and Using the Security Content Automation Protocol (SCAP) (NIST SP 800-117)

Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 (NIST SP 800-126)

Information Security Continuous Monitoring for Federal Information Systems and Organizations (NIST SP 800-137)

Overview of Issues in Testing Intrusion Detection Systems (NIST IR-7007)

Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 (NIST IR-7275 Revision 4)

Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems (NIST IR-7435)

Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (NIST IR-7511 Revision 3)

Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities (NIST IR-7517)

System and Network Security Acronyms and Abbreviations (NIST IR-7581)

Guidelines for Smart Grid Cyber Security (NIST IR-7628), Volumes 1, 2, and 3

Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements (NIST IR-7669)

Proposed Open Specifications for an Enterprise Remediation Automation Framework (NIST IR-7670)

Specification for the Open Checklist Interactive Language (OCIL) Version 2.0 (NIST IR-7692)

Specification for the Asset Reporting Format 1.1 (NIST IR-7694)

Common Platform Enumeration: Dictionary Specification Version 2.3 (NIST IR-7697)

Common Platform Enumeration: Applicability Language Specification Version 2.3 (NIST IR-7698)

CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture (NIST IR-7756)

Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs (NIST IR-7788)

Event Management Automation Protocol (EMAP) - a suite of interoperable specifications designed to enable standardized content, representation, exchange, correlation, searching, storing, prioritization, and auditing of event records within an organizational IT environment