Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).
Resource Status
NVD contains:
Last updated: 09/15/08
CVE Publication rate: 11 vulnerabilities / day
Email List
NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists.
Workload Index
Vulnerability Workload Index: 6.66
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).
Security Content Automation Protocol (SCAP) Validation Program
The SCAP Validation Program is designed to test the ability of products to use the features and functionality available through SCAP and its component standards. For information concerning SCAP, please see http://scap.nist.gov.
Under the SCAP Validation Program, independent laboratories are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). Accreditation requirements are defined in NIST Handbook 150 and NIST Handbook 150-17. Independent laboratories conduct the tests contained in the SCAP Validation Program Derived Test Requirements Document on information technology (IT) security products and deliver the results to NIST. Based on the independent laboratory test report, the SCAP Validation Program then validates the product under test. The validations awarded to vendor products will be publicly posted on the NIST SCAP Validated Tools web page at http://nvd.nist.gov/scapproducts.
SCAP validation will focus on evaluating specific versions of vendor products based on the platforms they support. Validations will be awarded on a platform-by-platform basis for the version of the product that was validated. Currently, US government SCAP content is primarily focused on Windows operating systems. Thus, vendors seeking validation will be evaluated based on the ability of the product to operate on the Windows target platform. Additional platforms will be available in the future.
Description of SCAP Capability validations:
- FDCC Scanner: a product with the ability to audit and assess a target system in order to determine its compliance with the Federal Desktop Core Configuration (FDCC) requirements. By default, any product validated as an FDCC Scanner is automatically awarded the Authenticated Configuration Scanner validation.
- Authenticated Configuration Scanner: a product with the ability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges. The FDCC Scanner capability is an expanded use case of this capability. Therefore, any product awarded the FDCC Scanner validation is automatically awarded the Authenticated Configuration Scanner validation.
- Authenticated Vulnerability and Patch Scanner: a product with the ability to scan a target system to locate and identify the presence of known software flaws and evaluate the software patch status to determine compliance with a defined patch policy using target system logon privileges.
- Unauthenticated Vulnerability Scanner: a product with the ability to determine the presence of known software flaws by evaluating the target system over the network.
- Intrusion Detection and Prevention Systems (IDPS): a product that monitors a system or network for unauthorized or malicious activities. An intrusion prevention system actively protects the target system or network against these activities.
- Patch Remediation: the ability to install patches on a target system in compliance with a defined patching policy.
- Mis-configuration Remediation: the ability to alter the configuration of a target system in order to bring it into compliance with a defined set of configuration recommendations.
- Asset Management: the ability to actively discover, audit, and assess asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
- Asset Database: the ability to passively store and report on asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
- Vulnerability Database: an SCAP vulnerability database is a product that contains a catalog of security related software flaw issues labeled with CVEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of software flaws, references to additional information (e.g., links to patches or vulnerability advisories), and impact scores. The user-to-database interaction is provided independent of any scans, intrusion detection, or reporting activities. Thus, a product that only scans to find vulnerabilities and then stores the results in a database does not meet the requirements for an SCAP vulnerability database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about vulnerabilities, independent of a particular environment, would meet the definition of an SCAP vulnerability database.
- Mis-configuration Database: an SCAP mis-configuration database is a product that contains a catalog of security related configuration issues labeled with CCEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of configuration issues and references to additional information (e.g., configuration guidance, mandates, or other advisories). The user-to-database interaction is provided independent of any configuration scans or intrusion detection activities. Thus, a product that only scans to find mis-configurations and then stores the results in a database does not meet the requirements for an SCAP mis-configuration database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about security related configuration issues, independent of a particular environment, would meet the definition of an SCAP mis-configuration database.
- Malware Tool: the ability to identify and report on the presence of viruses, Trojan horses, spyware, or other malware on a target system.
The above information, along with details on all the test requirements products successfully met to achieve validation, can be found in the SCAP Validation Program Derived Test Requirements (DTR) document.