Definition

XCCDF (Extensible Configuration Checklist Description Format)

Part of the Compliance glossary:

XCCDF (Extensible Configuration Checklist Description Format) is a specification language for writing security checklists, benchmarks and related types of documents. XCCDF is supported by the US National Security Agency’s Information Assurance Directorate, the Center for Internet Security and MITRE.

The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing and compliance scoring. It also defines a data model and format for storing results of benchmark compliance testing. XCCDF documents are expressed in XML and can be validated with an XML validating parser.

According to Chris Calabrese from the Center for Internet Security:

Every system administrator has local policies and standards that their systems are supposed to comply with, and there are many security-audit tools to check compliance. However, many of these tools don’t allow easy customization to local policy, or to drop in new third-party policy definitions. XCCDF is an XML-based format that addresses these problems by providing a unified way to describe:

- System configuration policies/benchmarks/standards such those from the Center for Internet Security or the NSA’s Security Configuration Guides.

- How software can evaluate systems for policy compliance using Mitre’s Open Vulnerability Assessment Language or similar schemes.

- How people and/or software can fix systems that don’t comply.

- How well a particular system conforms to a policy for reporting purposes.

 

Learn more:

NIST provides the lastest XCCDF specifications and related resources.

Benchmark Editor is a Java-based tool for XCCDF benchmark documents.

This was last updated in February 2012
Posted by: Margaret Rouse

Related Terms

Definitions

  • contingency plan

    - In business continuity and risk management, a contingency plan is a process that prepares an organization to respond coherently to an unplanned event. (WhatIs.com)

  • opt-out

    - Opt-out communications are messages sent for marketing, promotion or fundraising that include an option for the recipient to be removed from any future messages. The term was originally applied mos... (WhatIs.com)

  • commercial electronic message (CEM)

    - A commercial electronic message (CEM) is a communication soliciting business, funding or support for something that is sent through any electronic channel, including email, social media, voicemail,... (WhatIs.com)

Glossaries

  • Compliance

    - Terms related to compliance, including regulatory definitions and words and phrases about governance and mitigating IT risk.

  • Internet applications

    - This WhatIs.com glossary contains terms related to Internet applications, including definitions about Software as a Service (SaaS) delivery models and words and phrases about web sites, e-commerce ...

Ask a Question About XCCDF (Extensible Configuration Checklist Description Format)Powered by ITKnowledgeExchange.com

Get answers from your peers on your most technical challenges

Tech TalkComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.