Benchmark Development: Standards and Tools

Standards & Tools

MITRE has developed extensive experience and expertise working with information security standards and security content management tools to create and manage security guidance. These are listed on the Recommended Standards and Recommended Tools sections below.

In addition, for the benefit of the community we have collected a list of freely available Security Guidance Documents and have developed a comprehensive list of available standards, tools, documentation, Web sites, and other items used in the creation and management of security guidance on our All Resources page.

Recommended Standards

MITRE recommends the following software standards for creating and managing benchmarks:

Extensible Configuration Checklist Description Format (XCCDF) — a specification language for uniform expression of security checklists, benchmarks, and other configuration guidance.
Security Content Automation Protocol (SCAP) — a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.
Common Configuration Enumeration (CCE™) — common security configuration identifiers.
Common Platform Enumeration (CPE™) — common platform identifiers.
Common Vulnerability Scoring System (CVSS) — an open standard that conveys vulnerability severity and helps determine urgency and priority of response.
Open Vulnerability and Assessment Language (OVAL®) — language used to encode system details for compliance tests.
Open Checklist Interactive Language (OCIL) — framework for expressing a set of questions to be presented to a user and procedures to interpret responses to these questions for the purpose of developing security checklists.

Recommended Tools

MITRE recommends the following software tools for creating and managing benchmarks:

Recommendation Tracker™ — MITRE’s free tool facilitates consistent guidance authoring by leading the user through an established standardized format for creating, developing, and tracking all information pertinent to security guide and benchmark generation.
Benchmark Editor™ — MITRE’s free tool enhances and simplifies the creation and editing of benchmark documents written in XCCDF and OVAL.
Windows Investigator Tool (WIT) — Assists you in locating configuration data required to produce OVAL and XCCDF documents. It has the ability to monitor multiple underlying repositories on Windows, specifically the WMI and Active Directory and report in real-time all modified properties.
OVAL Interpreter — MITRE’s freely available reference implementation of the OVAL Language was created to show how information can be collected from a computer for testing, to evaluate and carry out the OVAL Definitions for that platform, and to report the results of the tests.
XCCDF Content Automation Tool (XCAT) — A compliance management tool prototype to be used by system administrators who are running the checks defined in benchmark documents and tracking their compliance over time.

For hands-on instruction in how to use these standards and tools, please sign-up for our free Benchmark Development Course. Additional information about how the standards are used is also available in the course downloads.

Page Last Updated: August 11, 2009