Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT ) David Waltermire , Adam Halbardier, Adam Humenansky , and Peter Mell NIST Interagency Report 7800 (Draft) Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT) David Waltermire, Adam Halbardier, Adam Humenansky, and Peter Mell C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Labor atory National Institute of Standards and Technology Gaithersburg, MD 20899 -8930 January 2012 U.S. Department of Commerce Secretary John E. Bryson National Institute of Standards and Technology Patrick D. Gallagher, Under Secretary for Standards and Technology and Director NIST Interagency Report 7800 (Draft) APPLYING THE CONTINUOUS MONITORING TECHNICAL REFERENCE MODEL TO THE ASSET, CONFIGURATION , AND VULNERABILITY MANAGEMENT DOMAINS ii Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy a nd public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and product ive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost -effective security and privacy of sensitive unclassified information in Federal c omputer systems. This Interagency Report discusses ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. National Institute of Standards and Technology Interagency Report 7800 29 pages (Jan. 2012) APPLYING THE CONTINUOUS MONITORING TECHNICAL REFERENCE MODEL TO THE ASSET, CONFIGURATION , AND VULNERABILITY MANAGEMENT DOMAINS iii Acknowledg ments The authors would like to recognize the following individuals for their participation on the continuous monitoring (CM1) research team, insightful ideas, and review of this work: Stephen York and Peter Sell from the National Security Agency , as well as Larry Feldman and Zach Ragland from Booz Allen Hamilton. The authors would also like to thank the United States Chief Information Officer Council’s Information Security and Identity Management Subcommittee (ISIMC) on Continuous Security Monitoring for its leadership and direction as we created this publication. In particular , we would like to thank the current co -chairs:2 John Streufert from the Department of State, Kevin Dulany from the Office of the Secretary of Defense, and Timothy McBride from the D epartment of Homeland Security. Trademark Information OVAL and CVE are registere d trademarks, and CCE and CPE are trademarks, of The MITRE Corporation. All other registered trademarks or trademarks belong to their respective organizations. Abstract This publication binds together the CM workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration , and Vulnerability data domains. It leverages the Security Content Automation Protoc