The Department of Defense's new enterprise licenses for vulnerability assessment and remediation tools call for use of capabilities that conform to both CVE and OVAL.

Transformational Vulnerability Management Through Standards
The Department of Defense's new enterprise licenses for vulnerability assessment and remediation tools [1,2] call for use of capabilities that conform to both the Common Vulnerabilities and Exposures (CVE) [3] and Open Vulnerability and Assessment Language (OVAL) [4] standards efforts, as does a new Air Force enterprise-wide software agreement with Microsoft [5]. These contracting activities are part of a larger transformation of the Department of Defense's (DoD's) management and measurement of the information assurance posture of its network-enabled systems with respect to vulnerabilities, configuration settings, and policy compliance. In combination with procedural changes, the adoption of these [6] and other standards, such as the National Security Agency's (NSA's) Extensible Markup Language (XML) Configuration Checklist Data Format (XCCDF) [7], is making it possible to radically improve the accuracy and timeliness of the DoD's remediation and measurement activities, which are critical to ensuring the network and systems integrity of its network-centric warfare capabilities.