What is XCCDF (Extensible Configuration Checklist Description Format)? - Definition from WhatIs.com

Definition

XCCDF (Extensible Configuration Checklist Description Format)

Part of the Compliance glossary:

XCCDF (Extensible Configuration Checklist Description Format) is a specification language for writing security checklists, benchmarks and related types of documents. XCCDF is supported by the US National Security Agency’s Information Assurance Directorate, the Center for Internet Security and MITRE.

The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing and compliance scoring. It also defines a data model and format for storing results of benchmark compliance testing. XCCDF documents are expressed in XML and can be validated with an XML validating parser.

According to Chris Calabrese from the Center for Internet Security:

Every system administrator has local policies and standards that their systems are supposed to comply with, and there are many security-audit tools to check compliance. However, many of these tools don’t allow easy customization to local policy, or to drop in new third-party policy definitions. XCCDF is an XML-based format that addresses these problems by providing a unified way to describe:

- System configuration policies/benchmarks/standards such those from the Center for Internet Security or the NSA’s Security Configuration Guides.

- How software can evaluate systems for policy compliance using Mitre’s Open Vulnerability Assessment Language or similar schemes.

- How people and/or software can fix systems that don’t comply.

- How well a particular system conforms to a policy for reporting purposes.

 

Learn more:

NIST provides the lastest XCCDF specifications and related resources.

Benchmark Editor is a Java-based tool for XCCDF benchmark documents.

This was last updated in February 2012
Posted by: Margaret Rouse

Related Terms

Definitions

  • compliance

    - Compliance is the act of being in alignment with guidelines, regulations and/or legislation. Organizations must ensure that they are in compliance with software licensing terms set by vendors, for ... (SearchDataManagement.com)

  • public sector

    - The public sector is the segment of an economic system that is controlled by government; it contrasts with the private sector, which is run by private citizens. (WhatIs.com)

  • private cloud (internal cloud or corporate cloud)

    - Private cloud (also called internal cloud) is a marketing term for an enterprise computing architecture that's protected by a firewall. Promotion of the private cloud model is designed to appeal to... (searchCloudComputing.com)

Glossaries

  • Compliance

    - Terms related to compliance, including regulatory definitions and words and phrases about governance and mitigating IT risk.

  • Internet applications

    - This WhatIs.com glossary contains terms related to Internet applications, including definitions about Software as a Service (SaaS) delivery models and words and phrases about web sites, e-commerce ...

Ask a Question About XCCDF (Extensible Configuration Checklist Description Format)Powered by ITKnowledgeExchange.com

Get answers from your peers on your most technical challenges

Tech TalkComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.