About
In the past, computer security guidance documents were verbose and descriptive, and contained architectural, contextual, and tutorial-type information. Since 2001, security guidance has evolved into a more concise style of documentation focusing on application controls. The next steps are standardization and automated benchmarks.
A standards-based approach to creating benchmarks will ensure content that is far more structured than was previously available to guidance users, and will make possible automated benchmarks that can also check for compliance.
The purpose of MITRE’s Benchmark Development effort is to foster best practices and encourage the security guidance community to create guidance that is standards-based, structured, and automatable. This Web site is intended to serve as a community gathering place for that effort by providing a variety of resources for the benchmark development community including access to Standards and Tools for benchmark development, an email list Discussion Forum for community participation, a Free Class designed to teach attendees how to create good benchmarks more efficiently, and Other Helpful Resources.
Improving Security Guidance
System administrators must have security guidance that is easy to understand, manage, and apply in time for the planning, installation, configuration, and operation of their systems. It must be unambiguous, clear and concise, written as a directive, and if possible, measurable. The most effective way to achieve these goals is by creating guidance using a standards-based approach.
Benefits of benchmarks that use standards:
- Clear communication without ambiguity — readers of the benchmark have more than just text to rely on, so errors of interpretation are reduced
- Reduced effort to implement or check — precisely what is recommended can be tested
- Guidance can be tailored — users can easily customize the benchmark for their environment
- Usable by a wide range of compatible tools — assessment changes from a largely manual to a largely automated process
Page Last Updated: March 31, 2009
