ITL BULLETIN FOR DECEMBER 2013

THE NATIONAL VULNERABILITY DATABASE (NVD): OVERVIEW

Harold Booth, Doug Rike and Greg Witte, Editors
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce
`
The National Vulnerability Database (NVD) and its companion, the National Checklist Program (NCP) repository, provide a valuable and flexible set of services to users around the world. The NVD was established in 2005 to provide a U.S. government repository of data about software vulnerabilities and configuration settings, while leveraging open standards to provide reliable and interoperable information about vulnerability impact metrics, technical assessment methods, IT product identification data, and references to remediation assistance.

The NVD is a product of the NIST Information Technology Laboratory’s (ITL) Computer Security Division (CSD) and is sponsored by the Department of Homeland Security’s (DHS) U.S. Computer Emergency Readiness Team (US-CERT) to provide timely vulnerability management information. The NVD provides a searchable interface and data feeds to help inform the public about the nature and severity of the hundreds of new vulnerabilities and variants discovered every month. IT administrators can use the NVD to prioritize the vulnerabilities to address in order to protect important systems. The NVD data feed information is used by both public and private sector consumers. For example, US-CERT’s weekly bulletins are generated directly from the NVD data feeds; Payment Card Industry Security Standards Council Data Security Standards (PCI SSC DSS)-compliant systems must remediate vulnerabilities above a particular threshold; and some vulnerability management product vendors use NVD information as a starting reference source for their scanners and feeds.

Vulnerability Analysis

NIST provides ongoing analysis of Common Vulnerabilities and Exposures (CVEs) and assigns Common Vulnerability Scoring System (CVSS) base metrics for each vulnerability, and will update a score if more information becomes available. Ongoing analysis and scoring helps NVD users to understand the potential severity of each issue, and helps users to prioritize vulnerability management activities. NIST works directly with vendors and researchers to improve the quality of the published data and to provide the public with accurate scoring data.

NIST partners with other national organizations to extend the international reach of the NVD. Organizations such as the Japan Vulnerability Network (JVN) and Spain’s National Institute of Communications Technologies (INTECO) cooperate regarding the data that is analyzed and published by NIST through the NVD. International cooperation enables global consumers to continually monitor security posture, prioritize risk management, and coordinate effective response using a shared understanding of the possible vulnerabilities.
`

NIST – National Institute of Standards and Technology / U.S. Department of Commerce

WIZ, Inc. EXHIBIT - 1031
WIZ, Inc. v. Orca Security LTD.

Use of Open Data Exchange Formats

To improve data interoperability, the NVD publishes data based upon the specifications in the Security Content Automation Protocol (SCAP) described in NIST Special Publication 800-126 Revision 2. SCAP is a multipurpose protocol that provides an automated means to collect and assess the state of devices. SCAP supports automated vulnerability checking, patch installation verification, security configuration checking, and assessment for indicators of compromise. SCAP content can be used by any tool that is conformant to the specifications.

The following selected SCAP specifications and complementary models support the work of the NVD and NCP:

• Common Vulnerabilities and Exposures (CVE) – a common identifier assigned to a vulnerability to facilitate the sharing of relevant information about that flaw;
• Common Vulnerability Scoring System (CVSS) – a set of metrics for communicating the characteristics and impacts of IT vulnerabilities. NVD analysts provide a baseline analysis of the potential severity of a given vulnerability, based on publicly available information from researchers and vendors;
• Common Platform Enumeration (CPE) – a software enumeration that assists in communicating the hardware and software platforms that may be affected by a given vulnerability. Use of CPE enables users (and automated tools) to quickly identify vulnerabilities that may affect systems under their purview;
• Common Configuration Enumeration (CCE) – a set of unique platform-based identifiers associated with security configuration statements. CCE supports evaluation of configuration compliance with a given security configuration baseline; and
• Common Weakness Enumeration (CWE) – a taxonomy for identifying the common sources of software flaws (e.g., buffer overflows, failure to check input data). Where practical, NVD associates a given CVE vulnerability to the underlying CWE weakness.
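The bulletin says administrators use NVD data (CVE identifiers, CVSS base metrics and CPE platform names) to decide which vulnerabilities to address first. The following is an added worked example, not code from the bulletin or from NIST, showing how those three pieces fit together: it computes CVSS v2 base scores from the vector strings NVD published at the time (using the v2 equations and weights), matches an inventory of installed platforms against affected-product CPE 2.2 URIs with a simplified form of CPE name matching (an empty component in the affected name is treated as "any"), and ranks the findings above a chosen threshold. The inventory, the CVE entries, their vectors and the threshold are all constructed for the illustration; the CVE identifiers are placeholders, not real records.

```python
"""
Added example (not from the NIST bulletin): prioritising an inventory with NVD-style data.

Assumptions, all constructed for this illustration:
  * CVE entries are dicts carrying a CVSS v2 base vector and the affected CPE 2.2 URIs,
    mirroring fields an NVD data feed provides.
  * The inventory is a list of CPE 2.2 URIs for the systems under our purview.
  * CVE identifiers of the form CVE-YYYY-NNNN are placeholders, not real records.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights, as defined in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality / Integrity / Availability impact


def cvss2_base_score(vector):
    """Compute the CVSS v2 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    if impact == 0:
        return 0.0  # f(Impact) is 0 when there is no impact at all
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    # CVSS v2 rounds to one decimal place; Decimal gives half-up rounding rather than
    # the float banker's rounding of round().
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(uri):
    """Split a CPE 2.2 URI ('cpe:/a:vendor:product:version:...') into named components.
    Trailing components may be omitted; a missing or empty component means 'any'."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    values = uri[len("cpe:/"):].split(":")
    values += [""] * (len(CPE_FIELDS) - len(values))
    return dict(zip(CPE_FIELDS, values[:len(CPE_FIELDS)]))


def cpe_matches(affected, installed):
    """Simplified CPE name matching: every component given in the affected name must equal
    the installed component; an empty affected component matches anything."""
    a, i = parse_cpe22(affected), parse_cpe22(installed)
    return all(a[f] == "" or a[f] == i[f] for f in CPE_FIELDS)


def prioritise(inventory, cve_entries, threshold=0.0):
    """Return (cve_id, base_score, installed_cpe) for every inventory item affected by a CVE
    whose CVSS v2 base score is at or above the threshold, most severe first."""
    findings = []
    for entry in cve_entries:
        score = cvss2_base_score(entry["cvss2"])
        if score < threshold:
            continue
        for installed in inventory:
            if any(cpe_matches(aff, installed) for aff in entry["cpe"]):
                findings.append((entry["id"], score, installed))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


# Constructed sample data; the CVE identifiers are placeholders.
INVENTORY = [
    "cpe:/o:example:server_os:4.2",
    "cpe:/a:example:web_app:1.0.3",
    "cpe:/a:example:mail_agent:7",
]

CVE_ENTRIES = [
    {"id": "CVE-YYYY-0001", "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
     "cpe": ["cpe:/o:example:server_os:4.2"]},          # full compromise, remote: 10.0
    {"id": "CVE-YYYY-0002", "cvss2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
     "cpe": ["cpe:/a:example:web_app"]},                # any version of web_app: 4.3
    {"id": "CVE-YYYY-0003", "cvss2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
     "cpe": ["cpe:/a:example:mail_agent:6"]},           # version 6 only; we run 7: no match
    {"id": "CVE-YYYY-0004", "cvss2": "AV:L/AC:L/Au:N/C:N/I:N/A:N",
     "cpe": ["cpe:/a:example:web_app:1.0.3"]},          # no impact at all: 0.0
]

if __name__ == "__main__":
    for cve_id, score, platform in prioritise(INVENTORY, CVE_ENTRIES, threshold=4.0):
        print("%s  CVSS %.1f  %s" % (cve_id, score, platform))
```

The threshold plays the role of the remediation cut-off the bulletin mentions for PCI DSS-style requirements; with 4.0 the run reports the server OS flaw first and the web application flaw second, and ignores the mail agent entry because the installed version is outside the affected CPE name.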
`
National Checklist Program (NCP)

In addition to the NVD, NIST maintains the National Checklist Program Repository, a publicly available repository that contains information on a variety of security configuration checklists for specific IT products or categories of IT products. The site is an important component of the National Checklist Program (NCP) that was established to facilitate development of security configuration checklists and to meet the requirements of the Cyber Security Research and Development Act of 2002. By providing a central location for well-written, standardized checklists, NCP supports increased quality, usability, and availability of documents such as security configuration checklists, hardening guides, and benchmark configurations. Such checklists can reduce the vulnerability exposure of IT products and be particularly helpful to small organizations and individuals in securing their systems.

The NCP is described in detail in NIST Special Publication 800-70 Revision 2, National Checklist Program for IT Products—Guidelines for Checklist Users and Developers. This publication describes the process for submitting and maintaining checklists, and it points out that “checklists can be developed, not only by IT vendors, but also by other organizations with technical competence in IT product security. A security configuration checklist might include any of the following:
• Configuration files that automatically set or verify various security settings;
• Documentation that guides the checklist user to manually configure an IT product;
• Documents that explain recommendations to securely install/configure a device; and
• Policy documents that set forth security guidelines.”
`
SP 800-70 describes NIST’s tiers of checklists. Tier I checklists are prose-based, Tier II checklists document their recommended security settings in a machine-readable but nonstandard format, and Tier III checklists use SCAP to document their recommended security settings in machine-readable standardized SCAP formats. Tier IV checklists are SCAP files that have been validated to ensure interoperability with SCAP-validated products. Section 5 of SP 800-70 describes the methods for testing checklists to be submitted and for submitting them for NCP inclusion. For additional information about SCAP, including content validation tools (e.g., the SCAP Content Validation Utility, SCAPVAL), please visit this website.
`
The NVD’s web services and associated data models help risk managers protect proprietary information and avoid potential disclosure of critically sensitive data by providing the following resources (as of October 2013):

• Over 58,000 vulnerability advisories, of which almost three quarters have been translated into Spanish;
• 52 SCAP-expressed checklists that can be used by SCAP-validated security products to perform automated evaluations of system state;
• 173 non-SCAP checklists (e.g., English prose guidance and configuration scripts);
• 248 US-CERT alerts and 2,771 US-CERT vulnerability summaries; and
• Platform/product dictionary with over 79,000 operating system, application, and hardware name entries.
`
E-mail Announcements and Communications

The Vulnerability Management and SCAP communities are public/private partnerships consisting of interested parties from industry, research and educational institutions, and government working to advance automation and standardization of technical security operations. NIST participates in numerous discussion groups including the NVD Announcements List, the Checklist/SCAP Announcements List, the SCAP Discussion List, the XCCDF Discussion List, and the Emerging Specifications Discussion List. Information on joining these discussions, or obtaining automated NVD data, is available at the NVD website.

Information about NIST’s information security programs, standards, guidelines, and related publications is available from the Computer Security Resource Center.
`
ITL Bulletin Publisher: Elizabeth B. Lennon
Information Technology Laboratory
National Institute of Standards and Technology
elizabeth.lennon@nist.gov

Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.