Vulnerabilities Checklists Product Dictionary Impact Metrics Data Feeds Statistics
Home ISAP/SCAP SCAP Validated Tools SCAP Events About Contact Vendor Comments
Mission and Overview
NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status

NVD contains:

32678 CVE Vulnerabilities
161Checklists
151 US-CERT Alerts
2257 US-CERT Vuln Notes
2097OVAL Queries

Last updated:  09/15/08

CVE Publication rate:

11 vulnerabilities / day
Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 6.66
About Us

NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security’s National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

XCCDF - The Extensible Configuration Checklist Description Format

XCCDF Logo

XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents.  An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.

XCCDF documents are expressed in XML, and may be validated with an XML Schema-validating parser.

Development of the XCCDF specification is being led by NSA, with contributions from other agencies and organizations. The current public draft of the specification document and related files can be downloaded below.  Email to the XCCDF development team can be sent here.

XCCDF 1.1.4 Resources
Documents:
XCCDF Specification 1.1.4 (PDF) - January 2008
Changes to XCCDF Specification since 1.1.3 (DOC)
XML Schema Files:  [what is a schema?]
XCCDF 1.1.4 Schema (XSD 1.0)
Complete 1.1.4 Schema Bundle (Zip)
Other Resources:
Interactive Schema and Interpreter

XCCDF 1.1.3 Resources
Documents:
XCCDF Specification 1.1.3 draft (PDF)
XML Schema Files:  [what is a schema?]
XCCDF 1.1.3 Schema (XSD 1.0)
Complete 1.1.3 Schema Bundle (Zip)
Samples:
Example XCCDF 1.1.3 Benchmark (XCCDF, raw XML)
[note: sample XCCDF file complies with the 1.1.3 schema.]

XCCDF 1.1.2 Resources
Documents:
XCCDF Specification 1.1.2 (PDF)
XML Schema Files:  [what is a schema?]
XCCDF 1.1.2 Schema (XSD 1.0)
Complete 1.1.2 Schema Bundle (Zip)

XCCDF 1.1 Resources
Documents:
XCCDF Specification 1.1 (PDF)
XML Schema Files:  [what is a schema?]
XCCDF 1.1 Schema (XSD 1.0)
XCCDF-P 1.1 Schema (XSD 1.0)
Complete 1.1 Schema Bundle (Zip)
Samples:
Example XCCDF 1.1 Benchmark (XCCDF, raw XML)
[note: sample uses XCCDF-P 1.0 specification which will be subsumed by XCCDF-P 1.1]
Coming soon:
XCCDF 1.1 Sample XSLT Stylesheet
XCCDF-P Platform Specification 1.1

XCCDF 1.0 Resources
Documents:
XCCDF Specification 1.0 (PDF)
XML Schema Files:  [what is a schema?]
XCCDF 1.0 Schema (XSD 1.0)
CIS Platform Schema (XSD 1.0)
Complete 1.0 Schema Bundle (Zip)   
Samples:
Example XCCDF 1.0 Benchmark (XCCDF, raw XML)
Example XCCDF->XHTML stylesheet (XSLT)


Stylesheet output samples:
XHTML (pre-transformed)
XML (transform at browser)
Additional Notes:
XCCDF was designed to support integration with multiple underlying configuration checking 'engines'.  The expected or default checking technology is MITRE's OVAL(tm).  More information about OVAL maybe found at The MITRE Corporation OVAL web site.

For document and reference metadata, XCCDF uses the Dublin Core Metadata element set.  For more information about Dublin Core Metadata, visit the DCMI web site.

Validating an XCCDF document against the XCCDF schema requires several supplementary schema and DTD files.  To download all of the required files, select 'Complete Schema Bundle' above.



Disclaimer Notice & Privacy Statement / Security Notice

Send comments or suggestions to nvd@nist.gov

NIST Computer Security Resource Center (CSRC)

NIST is an Agency of the U.S. Commerce Department

Full vulnerability listing