Standards-Based Automated Remediation: A Remediation Manager Reference Implementation, 2011 Update
CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST
Pagination or Media Count:
This report describes the Software Engineering Institutes SEIs 2011 work for the National Security Agency NSA to develop standards for automated remediation of vulnerabilities and compliance issues on Department of Defense DoD networked systems. The SEI developed a remediation manager reference implementation that demonstrates how evolving standards can communicate and process information on vulnerabilities, compliance issues, remediation policy, and remediation actions. An earlier report, Standards-Based Automated Remediation A Remediation Manager Reference Implementation CMUSEI-11-SR-007, described the projects concept, vision, scope, requirements, and the remediation manager implementation as of December 30, 2010. Since then, the SEI has analyzed additional user scenarios, continued remediation standards development, and added new capabilities to the reference implementation. The remediation manager can employ standards throughout the compliance issue remediation cycle. Using common formats and languages, the reference implementation ingests scan findings, extracts host compliance issues and vulnerabilities, maps them to remediation actions, builds remediation tasks, transmits remediation tasks to a Remediation Tool on a host system, and receives remediation task execution status from the Remediation Tool. In 2011 the SEI added a standards-based remediation policy management capability, enabling users to examine, tailor, and apply standard DoD policy to meet local needs.
- Computer Systems Management and Standards