
Field Data

Metric ID Metric 6

Metric % of Windows Platforms providing approved application CPEs

Type Implementation / Informational

Status Draft (v1)

Purpose The purpose of this metric is to understand what applications are deployed on the DHS network, and to ensure that those applications are approved on the Enterprise Architecture Technical Reference Model (EA TRM) and remediate unapproved applications.

Description In FY14, Whitelisting will remain on the Scorecard as an informational metric. Whitelisting will leverage the information we collect each month for Metric 5: Software Asset Management. Each application CPE collected from Windows Platforms will be compared against the EA TRM.

Version Numbers will not be scored at this time (manufacturer and product only).

REQUIREMENTS:

This is a pass/fail metric per asset that provides application CPEs

All application CPEs provided for an asset must be on the TRM in order for the asset to pass

Reports will be provided to Components for those assets that have non-approved applications in order to remediate.

This metric ONLY applies to unclassified operational Systems

Weight 0%

Metric Calculation Total number of Windows Platforms that have all application CPEs on the TRM / Total number of Windows Platforms providing application CPEs

Frequency Monthly

Responsible Parties ISSO, Data Centers, Scanning Teams, Compliance Teams

Special Conditions Scoring is confined to Assets scanned for the current month that provide application CPEs

Data Source Data Feeds

Data Quality Scans must be credentialed

Hardware Managed requirements must be met first

See Section 3.2 Asset Inventory for more information on asset definitions or the Asset Classification White Paper on FISMA Reporting SharePoint
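The per-asset pass/fail comparison that Metric 6 describes (every application CPE on an asset must match a TRM entry by manufacturer and product, with the version ignored), written out as an added example. This is not code from the DHS scorecard document; the TRM entries, hostnames and CPE strings are constructed placeholders, and the TRM is modelled as a set of (vendor, product) pairs, which is an assumption about how the approved list would be represented.

```python
"""Added example, not from the DHS scorecard document: score Windows assets'
application CPEs against a TRM approved-product list, comparing manufacturer
and product only (version ignored), as Metric 6 describes."""
import re
from collections import defaultdict

# Constructed stand-in for the EA TRM approved list as (vendor, product) pairs.
# The real TRM contents are not on the page; these are placeholders only.
APPROVED_TRM = {
    ("microsoft", "office"),
    ("adobe", "acrobat_reader"),
    ("mozilla", "firefox"),
}

# CPE 2.3 formatted string: cpe:2.3:<part>:<vendor>:<product>:<version>:...
_CPE23 = re.compile(r"^cpe:2\.3:([aho]):([^:]+):([^:]+)")
# CPE 2.2 URI form: cpe:/<part>:<vendor>:<product>:<version>
_CPE22 = re.compile(r"^cpe:/([aho]):([^:]+):([^:]+)")


def cpe_vendor_product(cpe):
    """Return (part, vendor, product) from a CPE 2.2 or 2.3 string, lower-cased.
    Version and later fields are deliberately dropped (manufacturer and
    product only). Escaped colons inside 2.3 fields are not handled here."""
    m = _CPE23.match(cpe) or _CPE22.match(cpe)
    if not m:
        raise ValueError("unrecognised CPE: %r" % cpe)
    part, vendor, product = m.groups()
    return part, vendor.lower(), product.lower()


def score_whitelisting(feed, trm=APPROVED_TRM):
    """feed: iterable of (hostname, cpe) rows from the software asset feed.
    Only application ('a') CPEs count. An asset passes only if every one of
    its application CPEs is on the TRM. Returns (percent_passing, failing)
    where failing maps hostname -> sorted unapproved (vendor, product) pairs,
    i.e. the remediation report sent back to the Component."""
    per_asset = defaultdict(set)
    for hostname, cpe in feed:
        part, vendor, product = cpe_vendor_product(cpe)
        if part != "a":  # OS and hardware CPEs are out of scope for Metric 6
            continue
        per_asset[hostname].add((vendor, product))
    if not per_asset:
        return 0.0, {}
    failing = {}
    for host, apps in per_asset.items():
        unapproved = sorted(apps - trm)
        if unapproved:
            failing[host] = unapproved
    passing = len(per_asset) - len(failing)
    # Metric calculation: assets with all application CPEs on the TRM /
    # assets providing application CPEs
    return 100.0 * passing / len(per_asset), failing


# Constructed sample feed (hostnames and CPEs are placeholders).
SAMPLE_FEED = [
    ("WKS-001", "cpe:/a:microsoft:office:2010"),
    ("WKS-001", "cpe:2.3:a:mozilla:firefox:24.0:*:*:*:*:*:*:*"),
    ("WKS-001", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*"),  # OS CPE, ignored
    ("WKS-002", "cpe:/a:adobe:acrobat_reader:11.0"),
    ("WKS-002", "cpe:/a:example_vendor:unlisted_tool:1.2"),           # not on TRM
    ("SRV-010", "cpe:/a:Microsoft:Office:2013"),                       # case differs, still matches
]

if __name__ == "__main__":
    pct, report = score_whitelisting(SAMPLE_FEED)
    print("%.1f%% of Windows platforms pass" % pct)
    for host, apps in sorted(report.items()):
        print(host, "unapproved:", apps)
```

With the sample feed, WKS-002 fails because one of its two application CPEs is not on the TRM, so two of three assets pass; the OS CPE on WKS-001 is ignored and the mixed-case CPE on SRV-010 still matches because vendor and product are normalised to lower case before comparison.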

Metric 7: Configuration Management

Field Data

Metric ID Metric 7

Metric % of workstations and applicable servers providing one or more CCEs via a credentialed scan

Type Implementation

Status Final (v1)

Purpose This metric will ensure that Components are monitoring the configuration of their assets

Description In FY14 Components will be scored on the percentage of Windows workstations and applicable servers meeting the standards according to DHS Policy. To reduce the burden of reporting, Components should feel free to provide only those CCEs outlined in Appendix H of this document.

FY14 Configuration baselines are only required for those platforms supported by the Department.

As platform-specific baseline audit profiles are defined, tested, and provided to the Components for use, they will be added to the list of supported platforms and be scored for Configuration Management; however, there will be a 2 month grace period prior to scoring. Upcoming platforms include Windows 8, Linux, RedHat, and Solaris 10. The supported platforms match the DHS Hardening Guidance published on DHS Connect. The matching Automated Audit Profiles for the supported platforms can be found on the CMWG SharePoint Site.

SUPPORTED PLATFORMS:

REQUIREMENTS:

MUST be a Managed and Identified Asset

Identified Assets that are NOT windows workstations or applicable servers will not be considered for this metric

IPs will NOT be accepted for use as a hostname for Windows Platforms and will be deemed as Unidentified, thus failing all CM metrics

DATA ELEMENTS:

FISMA ID

Hostname

CPE (OS)

Configuration Version/Name (platform version)

CCE Identifier Number – “CCE-2715-1”

Configuration Status (e.g. passed, failed, waiver, or exception)

This metric ONLY applies to unclassified operational Systems

Weight 20%

Metric Calculation Total number of applicable assets providing CCE / (applicable assets + Unidentified Assets)

Frequency Monthly

Responsible Parties ISSO, Data Centers, Scanning Teams, Compliance Teams

Special Conditions Scoring is confined to Assets scanned for the current month

Data Source Data Feeds

Data Quality Scans must be Credentialed

Hardware Managed requirements must be met first

See section 3.2 Asset Inventory for more information on asset definitions or the Asset Classification White Paper on FISMA Reporting SharePoint

See section 4.5.3 Configuration Management for more information

Linux (will not be scored until April)

Unix (will not be scored until April)

Cisco Router (will not be scored until April)

Metric 8: Vulnerability Management

Field Data

Metric ID Metric 8

Metric % of assets with a vulnerability scan and meeting the CVE threshold

Type Effectiveness

Status Final (v1)

Purpose Components should ensure that all managed assets have a monthly vulnerability scan. In addition, Components should be able to identify and address those assets with the most critical and high vulnerabilities.

Description This is a two part metric in FY14.

1. Components will be required to submit all CVEs (regardless of CVSS) for each Managed Asset.

2. The total number of critical and high vulnerabilities for each asset will be compared to a threshold of 100 (subject to change each FY Quarter). Critical and high vulnerabilities are designated by a CVSS score of 7.0 or greater.

Any vulnerability reported without an associated CVE or CVSS will be considered invalid and will not be included for reporting purposes. These CVEs will be returned to the Components as part of the “Exceptions List.”

REQUIREMENTS:

MUST be a Managed and Identified Asset

IPs will NOT be accepted for use as a hostname for Windows Platforms and will be deemed as Unidentified, thus failing all CM metrics

DATA ELEMENTS:

This metric ONLY applies to unclassified operational Systems

Weight 15%

Metric Calculation (% of Identified Assets submitting a CVE (regardless of CVSS)) * 25% + (% of Identified Assets below the Vulnerability Threshold of 100 (CVSS >= 7 only)) * 75%

Frequency Monthly

Responsible Parties ISSO, Data Centers, Scanning Teams, Compliance Teams

Special Conditions Scoring is confined to Assets scanned for the current month and does not include communication devices, printers/faxes, and network devices such as routers and switches.

Data Source Data Feeds

Data Quality Scans must be Credentialed

Hardware Managed requirements must be met first

See section 3.2 Asset Inventory for more information on asset definitions or the Asset Classification White Paper on FISMA Reporting SharePoint

See section 4.5.2 Vulnerability Management for more information
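The two-part Metric 8 calculation (submission of CVEs weighted 25%, assets under the threshold of 100 critical/high findings weighted 75%), together with the rejection of findings that lack a CVE or CVSS into the Exceptions List, as an added example that is not code from the DHS scorecard document. The asset list, feed rows and CVE ids are constructed placeholders; it also assumes, as a reading of the formula, that an Identified Asset with no valid findings has zero critical/high vulnerabilities and so counts as below the threshold.

```python
"""Added example, not from the DHS scorecard document: compute the Metric 8
Vulnerability Management score from a vulnerability data feed and produce the
Exceptions List of findings rejected for a missing CVE or CVSS."""
from collections import defaultdict

HIGH_CVSS = 7.0   # critical/high = CVSS 7.0 or greater (from the metric text)
THRESHOLD = 100   # per-asset count of critical/high findings (from the metric text)


def is_valid_finding(row):
    """A finding counts only if it carries both a CVE id and a CVSS score;
    anything else goes on the Exceptions List returned to the Component."""
    cve, cvss = row.get("cve"), row.get("cvss")
    return bool(cve) and str(cve).startswith("CVE-") and cvss is not None


def score_vulnerability_metric(identified_assets, feed):
    """identified_assets: set of hostnames that are Managed and Identified.
    feed: list of dicts with keys hostname, cve, cvss.
    Returns a dict with both sub-scores, the weighted metric, the hosts over
    the threshold, and the Exceptions List."""
    exceptions = []
    submitted = set()
    high_counts = defaultdict(int)
    for row in feed:
        if not is_valid_finding(row):
            exceptions.append(row)
            continue
        host = row["hostname"]
        if host not in identified_assets:
            continue  # findings for unidentified assets are not scored here
        submitted.add(host)
        if float(row["cvss"]) >= HIGH_CVSS:
            high_counts[host] += 1
    total = len(identified_assets)
    if total == 0:
        raise ValueError("no Identified Assets to score")
    # Part 1: % of Identified Assets submitting at least one valid CVE
    pct_submitting = 100.0 * len(submitted) / total
    # Part 2: % of Identified Assets below the threshold (assumption: an asset
    # with no valid findings has 0 critical/high and is therefore below it)
    over = sorted(h for h in identified_assets if high_counts.get(h, 0) >= THRESHOLD)
    pct_below = 100.0 * (total - len(over)) / total
    metric = pct_submitting * 0.25 + pct_below * 0.75
    return {
        "pct_submitting": pct_submitting,
        "pct_below_threshold": pct_below,
        "metric": metric,
        "over_threshold": over,
        "exceptions": exceptions,
    }


# Constructed sample data: hostnames and CVE ids are placeholders, not real.
IDENTIFIED_ASSETS = {"WKS-001", "WKS-002", "SRV-010", "SRV-011"}
SAMPLE_FEED = [
    {"hostname": "WKS-001", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"hostname": "WKS-001", "cve": "CVE-0000-0002", "cvss": 5.0},
    {"hostname": "WKS-002", "cve": "CVE-0000-0003", "cvss": None},  # no CVSS: exception
    {"hostname": "WKS-002", "cve": "", "cvss": 8.1},                 # no CVE: exception
    {"hostname": "WKS-002", "cve": "CVE-0000-0004", "cvss": 7.0},
    {"hostname": "WKS-002", "cve": "CVE-0000-0005", "cvss": 7.5},
    {"hostname": "SRV-011", "cve": "CVE-0000-0006", "cvss": 3.0},
    {"hostname": "UNKNOWN-99", "cve": "CVE-0000-0007", "cvss": 9.0},  # not Identified
] + [
    # SRV-010 reaches exactly the threshold of 100 critical/high findings
    {"hostname": "SRV-010", "cve": "CVE-0000-%04d" % (100 + i), "cvss": 7.2}
    for i in range(100)
]

if __name__ == "__main__":
    result = score_vulnerability_metric(IDENTIFIED_ASSETS, SAMPLE_FEED)
    print("submitting: %.1f%%  below threshold: %.1f%%  metric: %.2f"
          % (result["pct_submitting"], result["pct_below_threshold"], result["metric"]))
    print("over threshold:", result["over_threshold"])
    print("exceptions:", len(result["exceptions"]))
```

With the sample feed all four Identified Assets submit at least one valid CVE (100%), SRV-010 sits at the threshold and is the only asset not below it (75%), so the weighted metric is 81.25; the two malformed WKS-002 rows land on the Exceptions List rather than silently counting or being dropped, and the row for the unidentified host is not scored at all.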
