Mission and Overview
NVD is the U.S. government repository of standards based
vulnerability management data. This data enables automation of vulnerability management,
security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:
Last updated: 01/15/09
CVE Publication rate:
14
vulnerabilities / day
Email List
NVD provides four mailing lists to the public. For information and subscription instructions please visit
NVD Mailing Lists
Workload Index
Vulnerability
Workload Index:
7.71
About Us
NVD is a product of the NIST Computer Security Division
and is sponsored by the Department of Homeland Security’s
National Cyber Security Division. It supports the U.S. government
multi-agency (OSD, DHS,
NSA, DISA,
and NIST) Information Security Automation Program. It is the U.S. government content
repository for the Security Content Automation Protocol (SCAP).
XCCDF - The Extensible Configuration Checklist Description Format
XCCDF is a specification language for writing security
checklists, benchmarks, and related kinds of documents. An XCCDF
document represents a structured collection of security configuration
rules for some set of target systems. The specification is designed to
support information interchange, document generation, organizational
and situational tailoring, automated compliance testing, and compliance
scoring. The specification also defines a data model and format for
storing results of benchmark compliance testing. The intent of XCCDF is
to provide a uniform foundation for expression of security checklists,
benchmarks, and other configuration guidance, and thereby foster more
widespread application of good security practices.
XCCDF documents are expressed in XML, and may be validated with an XML
Schema-validating parser.
Development of the XCCDF specification is being led by NSA, with contributions from
other agencies and organizations. The current public draft of the
specification document and related files can be downloaded below.
A mailing list for XCCDF developers is available, please subscribe to this list through the
NVD Mailing List page.
A
publicly available archive of the XCCDF mailing list is also available.
XCCDF 1.1.4 Resources
- Documents:
- XCCDF Specification 1.1.4 (PDF) - January 2008
- Changes to XCCDF Specification since 1.1.3 (DOC)
- XML Schema Files: [what
is a schema?]
- XCCDF 1.1.4 Schema (XSD 1.0)
- Complete 1.1.4 Schema Bundle (Zip)
- Other Resources:
- Interactive Schema and Interpreter
XCCDF 1.1.3 Resources
- Documents:
- XCCDF Specification 1.1.3 draft (PDF)
- XML Schema Files: [what
is a schema?]
- XCCDF 1.1.3 Schema (XSD 1.0)
- Complete 1.1.3 Schema Bundle (Zip)
- Samples:
- Example XCCDF 1.1.3 Benchmark (XCCDF, raw XML)
[note: sample XCCDF file complies with the 1.1.3 schema.]
XCCDF 1.1.2 Resources
- Documents:
- XCCDF Specification 1.1.2 (PDF)
- XML Schema Files: [what
is a schema?]
- XCCDF 1.1.2 Schema (XSD 1.0)
- Complete 1.1.2 Schema Bundle (Zip)
XCCDF 1.1 Resources
- Documents:
- XCCDF Specification 1.1 (PDF)
- XML Schema Files: [what
is a schema?]
- XCCDF 1.1 Schema (XSD 1.0)
- XCCDF-P 1.1 Schema (XSD 1.0)
- Complete 1.1 Schema Bundle (Zip)
- Samples:
- Example XCCDF 1.1 Benchmark (XCCDF, raw XML)
[note: sample uses XCCDF-P 1.0 specification which will be subsumed by XCCDF-P 1.1]
- Coming soon:
- XCCDF 1.1 Sample XSLT Stylesheet
- XCCDF-P Platform Specification 1.1
XCCDF 1.0 Resources
- Documents:
- XCCDF Specification 1.0 (PDF)
- XML Schema Files: [what
is a schema?]
- XCCDF 1.0 Schema (XSD 1.0)
- CIS Platform Schema (XSD 1.0)
- Complete 1.0 Schema Bundle (Zip)
- Samples:
- Example XCCDF 1.0 Benchmark (XCCDF, raw XML)
- Example XCCDF->XHTML stylesheet (XSLT)
- Stylesheet output samples:
- XHTML (pre-transformed)
- XML (transform at browser)
Additional Notes:
XCCDF was designed to support integration with multiple underlying
configuration checking 'engines'. The expected or default
checking technology is MITRE's OVAL(tm). More information about
OVAL maybe found at The MITRE Corporation
OVAL web site.
For document and reference metadata, XCCDF uses the Dublin Core
Metadata element set. For more information about Dublin Core
Metadata, visit the
DCMI web site.
Validating an XCCDF document against the XCCDF schema requires several
supplementary schema and DTD files. To download all of the
required files, select 'Complete Schema Bundle' above.