Being a Friend of SCAP and the Continuing Emergence of Security Standards

I had the privilege last Thursday to attend an informal session on the Security Content Automation Protocol (SCAP) at the Information Assurance Expo held last week in Nashville.  Attendees included representatives from the NSA, the DoD and other federal agencies, and the vendor community.  It was a positive, productive session, and I am pleased that Triumfant is actively involved in the SCAP movement, because I believe strongly in the need for standards for security. 

When I first entered the security market in early 2005, I had just come from the integration space where standards were a crucial part of doing business.  I had teamed with others at webMethods to get staff onto groups such as the World Wide Web Consortium (W3C), effectively ensuring that webMethods was in the thick of the standards process.  When I arrived at Cybertrust and built my marketing plan, I looked to identify security standards groups and was shocked to find a lack of standards activity in the market.

While Cybertrust was diverse and global, we did not do a lot of business with the federal government, so SCAP never caught my attention.  That changed when I joined Triumfant, which had already taken steps to be SCAP compliant and was one of the very early companies (third, I believe) to obtain FDCC validation.  I quickly ramped up on FDCC, but soon realized that the broader notion of SCAP as a common language for sharing and integrating security processes was a significant subject.

SCAP is critical to Triumfant, because beyond what we do, enforcing security configurations and detecting and remediating malicious attacks, what we are is the most comprehensive sensor grid for endpoint machines coupled with some very innovative (and patented) analytics.  So the ability to share the content we create with other consumers of security data dramatically expands our reach and value.  And clearly the only real way to predictably and practically share that data is through content standards.

The people who have been carrying the SCAP flag the longest have done so with remarkable patience and resolve, as standards are something people clamor for right until the moment they are asked to comply.  Their patience and resolve are especially important, as I am not altogether sure the security market is all that eager for interoperability, because it upsets the well-established ecosystem of selling product layers to address specific needs.  Of course, maybe that is another reason I like SCAP: I do love being part of something constructively disruptive.

So the SCAP faithful have soldiered on and continue to make sure and steady progress.  You could see it on the faces of those persevering souls at the NIST Security Automation Conference in Baltimore last October, when they recalled that early meetings were held in NIST conference rooms and hallways and now they were filling large halls at the Baltimore Convention Center.  They also saw representatives from private industry pick up SCAP, bridging the standard from the federal space into the commercial world.

These folks have my admiration because they are forwarding these standards not for selfish reasons or monetary gain – they are doing it because it is the right thing to do, and in the long run it will help make sensitive data for our country more secure.  The forward-looking early supporters of SCAP picked up a difficult rope and have pulled tirelessly.  We at Triumfant are excited about grabbing that rope and pulling where and when we can.  I hope others take the opportunity to do the same.