SBIR-STTR Award

G2 proposes to develop an intuitive, interactive SCAP content creation and editing utility that will provide a user-friendly operating environment. The promise of security automation offers the opportunity for great advances in software assurance, security governance/reporting, and ongoing monitoring activities. Hindering that promise is the fact that current data exchange protocols are cumbersome and complex, based on effective but difficult XML checklists, complicated definitions calling intricate tests from multiple repositories through evolving languages. The proposed product will include a local application supported by a database repository housing existing SCAP content, supporting a web-based interface where practical. Commercial Applications: Previous research has demonstrated that providing the ability to create SCAP content results in significant commercial benefits. Commercial organizations and government customers will utilize the editor to task workers with creation of effective checklists, will increase the use of validated products that consume SCAP and will identify new security automation use cases that become possible with dynamic content creation. Commercial organizations will utilize the tool to create dynamic content on demand for a reasonable price and will help security auditors measure against broad frameworks (e.g. FISMA, PCI, SAS 70) efficiently

NIST and G2 have been on the forefront of security automation with the development of the Security Content Automation Protocol (SCAP). However, the barrier to entry for SCAP content creation is the requirement to have in depth knowledge of the underlying specifications. This project aims to allow security experts to create SCAP content without the need to be an expert in the specification. By leveraging the experience of our SCAP team, G2 will build on the concepts and lessons learned from our Phase 1 work to provide such a content creation tool. Commercial applications: This research will result in the commercial creation of a comprehensive and intuitive content editor to create, change and manage information security automation instructions. Based upon G2’s expertise in similar research and engineering, our understanding of the community through collaboration with NIST leadership, and market observations, we have identified a unique need for such a product. Since 2005, the security automation community has developed numerous languages to enable interoperability among security products, but there is an inherent complexity to achieve the software assurance and governance goals envisioned. The SCAP Editor product will enable lower the barrier to entry for users to harness the capability of security automation technology.