CVSS provides a universal open and standardized method for rating IT vulnerabilities. Compliance with this standard, CVSSv2 (Version 2.0), is now required as part of the NIST Security Content Automation Protocol (SCAP) as well as the Payment Card Industry (PCI) Data Security Standard.
To be considered compliant with the PCI Data Security Standard, a component must not contain any vulnerability that has been assigned a CVSS base score equal to or higher than 4.0 on a scale of 0 to 10. For FISMA compliance, NIST has published the NIST Interagency Report 7435 which provides guidance on the applicability of CVSS to Federal Agency Systems. Additionally, this report identifies the relationship to FIPS 199 Security Categories and its use with NIST SCAP data streams for automation of IT control auditing and measurement.
Secure Elements is the leading enterprise provider of SCAP-compliant tools designed to help agencies meet the OMB mandate for secure desktop configuration in addition to overall FISMA compliance. SCAP-compliant tools that monitor systems for vulnerability and compliance management are currently projected to be used in standardizing and automating vulnerability management for many millions of computers, eventually rising to hundreds of millions.
"The scoring provided by CVSS plays a huge role in measuring compliance with the Federal Desktop Core Configuration for both software flaws and mis-configurations," commented Scott Carpenter. "We are excited to play a role in the further development of the standard and contributing our knowledge to the community regarding the use of CVSS in enterprise environments with SCAP-based solutions."
Secure Elements' C5 Compliance Platform helps agencies automate the process of auditing, measuring, and reporting compliance of IT systems against the best practices embodied in the NIST SCAP XML content for OMB and FISMA compliance.