Vendor Provided Validation Details - NetChk Compliance v3.1.0, SCAP Edition
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Compliance:
Not applicable for the validated capabilities.

Statement of SCAP Implementation:
Not applicable for the validated capabilities.

Statement of CVE Implementation:
Not applicable for the validated capabilities.

Statement of CCE Implementation:
The CCE data specification provides a commonly understood identifier for specific configuration items on various technology platforms (e.g., Windows XP or Internet Explorer). Shavlik NetChk Compliance SCAP Edition is the commercial off-the-shelf version of NetChk Compliance plus a licensable module called the NetChk SCAP Processor. The NetChk SCAP Processor uses the CCE identifiers in the SCAP benchmark to map directly to existing compliance checks that are part of Shavlik NetChk Compliance, which can then assess or enforce these items. Other CCE items included in the benchmarks required within SCAP data feeds can be assessed or remediated using one or more "custom" checks built specifically for the requirements of the individual CCE item.

Using this combination of built-in and custom checks in Shavlik NetChk Compliance, the full range of CCE items in an SCAP data feed (XCCDF benchmark) can be assessed or enforced. The Shavlik NetChk SCAP Processor then uses the results reported from the Shavlik NetChk Compliance target scan to report an in-compliance or out-of-compliance result against each CCE item in the SCAP benchmark.

Statement of CPE Implementation:
The CPE data specification provides a commonly understood identifier for specific technology platforms (e.g., Windows XP or Internet Explorer). The Shavlik NetChk SCAP Processor uses the SCAP data feed and the CPE identifiers it includes to map to specific technology platforms. The platforms and their associated CPE identifiers are referenced explicitly within the SCAP data feeds, and these identifiers are then used within the Shavlik NetChk SCAP Processor as the means of identifying the platforms within assessment results and any SCAP-required reporting details.

Using the platform CPE values from the SCAP data feeds with Shavlik NetChk Compliance SCAP Edition provides the means to assess platforms correctly and then present proper results for these platforms as assessed or remediated. CPE values for assessed or remediated platforms are then included in the reported results, so that benchmark requirements for specific assessed or remediated items can be associated with the target, the platform, and the specific item within the reported results.

Statement of CVSS Implementation:
The CVSS (Common Vulnerability Scoring System) provides a commonly understood open framework to determine the impact and characteristics of vulnerabilities within information technology. Scores using this methodology are currently only implemented and available for CVE (Common Vulnerability Enumeration) items. The scores for these specific items can be found at the corresponding location on the National Vulnerability Database website using the naming scheme for each item, for example http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1436 for the vulnerability with CVE identifier CVE-2008-1436. Using CVE's common identifiers together with the scoring mechanism for the impact of the vulnerability provides a powerful combination for assessing the risk due to the vulnerability. Beyond the CVSS values published for CVE items, other areas of impact, including environmental or temporal (time-related) scoring, can also be added using the CVSS calculators discussed below.

CVSS is currently undergoing development to incorporate scoring for CCE (Common Configuration Enumeration) items. These scores are currently not available on the CVSS website and cannot be searched or looked up in the way CVE entries can. Nonetheless, using scoring characteristics similar to those for CVE items, a user can currently compute a CVSS score for a CCE item using one of two calculators available for this purpose at:

http://nvd.nist.gov/cvss.cfm?calculator&version=2 or a more advanced version at:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

The calculation requires inputs for a number of metrics in three areas: the base score, the temporal score and the environmental score. Together these three areas produce the final score associated with the vulnerability. This is the scoring approach recommended for CVSS scores required for use with the Shavlik product.

Statement of XCCDF Implementation:
The XCCDF data specification provides the means to represent security checklists or benchmarks in a format that is well-structured and machine readable. Using this XML data format, the Shavlik NetChk SCAP Processor digests an XCCDF file and creates a scannable policy usable in Shavlik NetChk Compliance based on a benchmark within the XCCDF file. The Shavlik NetChk SCAP Processor uses the configuration identifiers found in the XCCDF benchmarks to map directly to existing built-in compliance checks that are part of the commercial product Shavlik NetChk Compliance, which can assess or enforce these items. Other configuration items included in the benchmarks required within the SCAP data feeds can be assessed or remediated using one or more custom checks built specifically for the requirements of the individual CCE item. Generally, the built-in checks use only the XCCDF content for their configuration in the policy file; the custom checks typically require further configuration details found in the OVAL files that accompany the XCCDF file.

Using this combination of built-in and custom checks in Shavlik NetChk Compliance, as related to the XCCDF benchmark, the full range of configuration items in the XCCDF file can be assessed or remediated. The Shavlik NetChk SCAP Processor then uses the results reported from the Shavlik NetChk Compliance target scan to report an in-compliance or out-of-compliance result against each configuration item in the SCAP benchmark.

Statement of OVAL Implementation:
The OVAL data specification provides the how-to information needed to determine compliance with its specific defined tests. OVAL data is also closely interrelated with the XCCDF data specification: XCCDF represents security checklists or benchmarks in a well-structured, machine-readable format, and OVAL then provides the details, or tests, needed to assess the items required within the XCCDF content. Using these two XML data specifications together, Shavlik NetChk Compliance SCAP Edition digests an XCCDF file combined with the OVAL tests, allows selection of an XCCDF benchmark, and creates a scannable policy usable within Shavlik NetChk Compliance. The Shavlik NetChk SCAP Processor uses the configuration identifiers defined within the XCCDF benchmarks, combined with the OVAL data, as a mapping to existing compliance checks in Shavlik NetChk Compliance that can assess or enforce these items. Other configuration items included in the benchmarks required within the SCAP data feeds can be assessed or remediated using one or more custom checks built specifically for the requirements of the individual CCE item, using the OVAL content as further guidance.

Using this combination of built-in and custom checks scanned by Shavlik NetChk Compliance, as related to the XCCDF benchmark and as configured from the OVAL content, the full range of configuration items in the XCCDF file can be assessed or remediated. The Shavlik NetChk SCAP Processor then uses the results reported from the Shavlik NetChk Compliance target scan to report an in-compliance or out-of-compliance result against each configuration item in the SCAP benchmark.
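As an added example, not part of the vendor statement and not code from the Shavlik product, the following Python walks an XCCDF 1.1 benchmark in the way the CCE, CPE, XCCDF and OVAL sections above describe: it collects the benchmark's platform CPE, each rule's CCE identifier and its OVAL check reference (the OVAL file and definition id), and then maps per-definition OVAL results back onto the CCE identifiers as pass/fail results. The benchmark fragment, its CPE name, CCE identifiers and OVAL definition identifiers are constructed sample values; the namespace and system URIs are the real XCCDF 1.1, CCE and OVAL 5 identifiers.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed benchmark fragment: the CPE name, CCE ids and OVAL definition ids are sample values.
SAMPLE = f"""<Benchmark xmlns="{XCCDF}" id="sample-benchmark">
  <platform idref="cpe:/o:example:sample_os:1.0"/>
  <Rule id="rule-min-password-length" selected="true">
    <ident system="{CCE_SYSTEM}">CCE-00000-0</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="sample-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-guest-account-disabled" selected="true">
    <ident system="{CCE_SYSTEM}">CCE-00001-1</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="sample-oval.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
  <Rule id="rule-not-selected" selected="false"><ident system="{CCE_SYSTEM}">CCE-00002-2</ident></Rule>
</Benchmark>"""

def load_benchmark(xml_text):
    """Return (platform CPEs, rules); each rule carries its CCE id and OVAL (href, definition id)."""
    ns = {"x": XCCDF}
    root = ET.fromstring(xml_text)
    platforms = [p.get("idref") for p in root.findall("x:platform", ns)]
    rules = []
    for rule in root.iter(f"{{{XCCDF}}}Rule"):  # iter() also reaches Rules nested inside Groups
        cce = [i.text for i in rule.findall("x:ident", ns) if i.get("system") == CCE_SYSTEM]
        # Only a check whose system is OVAL can be resolved against the accompanying OVAL file.
        ref = next((c.find("x:check-content-ref", ns) for c in rule.findall("x:check", ns)
                    if c.get("system") == OVAL_SYSTEM), None)
        rules.append({"id": rule.get("id"), "selected": rule.get("selected", "true") == "true",
                      "cce": cce[0] if cce else None,
                      "oval": (ref.get("href"), ref.get("name")) if ref is not None else None})
    return platforms, rules

def cce_results(xml_text, oval_results):
    """Map OVAL definition results (True/False/absent) onto each selected rule's CCE id."""
    platforms, rules = load_benchmark(xml_text)
    report = {}
    for r in rules:
        if r["selected"]:  # unselected rules are not scanned, so they get no result
            outcome = oval_results.get(r["oval"][1]) if r["oval"] else None
            status = {True: "pass", False: "fail"}.get(outcome, "notchecked")
            report[r["cce"]] = (platforms[0] if platforms else None, status)
    return report
```

A rule whose OVAL definition produced no result is reported as "notchecked" rather than silently passing, which is the distinction a compliance report needs to preserve.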