Kathleen,

There are a number of operational business processes that SACM is working to 
support to include: software asset management, vulnerability management, 
configuration management, and others. Considering the totality of these use 
cases is too big to tackle all at once. The current SACM use cases help to 
inform some of the operations that need to be supported, but they are very 
abstract and don't help as much in making clear what protocols and data models 
are needed. Definitely not the specifics of these specifications. The 
discussion around the vulnerability draft has been about focusing work by 
iterating on concrete operational scenarios (such as that draft) that will 
enable SACM to produce useful solutions more quickly in a way that can build on 
previous iterations. I believe the vulnerability scenario draft is being 
proposed as the first iteration of many. 

IMHO, without such a focus, we will continue to stagnate and make intermittent 
progress. This draft has stimulated a good amount of feedback and discussion, 
which makes me think it is accomplishing its intended goal. As you mentioned, 
the next steps should be to clarify the vulnerability scenario and align 
extensible solutions that will address the scenario. In doing so this work can 
provide the foundations for the next scenario in the next iteration since many 
of the operational processes have common information needs.

Does this help to clear up how the draft may be used?

Regards,
Dave

> -----Original Message-----
> From: sacm [mailto:[email protected]] On Behalf Of Kathleen Moriarty
> Sent: Wednesday, December 02, 2015 9:31 AM
> To: Wolfkiel, Joseph L CIV DISA ID (US) <[email protected]>
> Cc: Haynes, Dan <[email protected]>; [email protected]; Linda Dunbar
> <[email protected]>; Romascanu, Dan (Dan)
> <[email protected]>; [email protected]; [email protected]
> Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability
> Assessment Scenario
> 
> Hello,
> 
> I also took the time to read the draft and it currently reads like a scenario
> or an expanded use case draft, not a solution draft.  Does SACM need this or
> are there plans to merge it with solution work into one draft?  I could see the
> value in the latter, but I don't see how a scenario draft on its own will
> help speed up progress for the WG.
> 
> Thanks,
> Kathleen
> 
> On Wed, Dec 2, 2015 at 8:53 AM, Wolfkiel, Joseph L CIV DISA ID (US)
> <[email protected]> wrote:
> > I think the disappointment may have been headed off if the document was
> > more explicit, right at the beginning, about what a "vulnerability report"
> > is.  I got 2/3 of the way through the document before I understood that
> > "vulnerability report" and "vulnerability definition" are effectively the same
> > construct.  A vulnerability report apparently is an announcement that a
> > vulnerability has been discovered and defined to the point where endpoint
> > managers can run assessments on their endpoints to determine if their
> > endpoints have the vulnerability or not.
> >
> > This concept is confusing because generally, with existing vulnerability
> > scanners, new vulnerability "reports" are a subset of updated vulnerability
> > definitions that automatically propagated to the tools and aren't delivered as
> > stand-alone "reports".  So a vulnerability "report" would look something like
> > the report at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8395
> > (I think).
> >
> > Joseph L. Wolfkiel
> > SCM Engineering Lead
> > DISA ID52
> > Fort Meade DISA Acquisition Bldg Cube A4A58E
> > Work: (301) 225-8820
> > Gov Cell: (571) 814-8231
> > [email protected]
> >
> >
> >
> > -----Original Message-----
> > From: sacm [mailto:[email protected]] On Behalf Of Haynes, Dan
> > Sent: Wednesday, December 02, 2015 8:36 AM
> > To: Romascanu, Dan (Dan); Linda Dunbar; [email protected];
> > [email protected]
> > Cc: [email protected]
> > Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability
> > Assessment Scenario
> >
> >
> > Hi Linda,
> >
> >
> > Please let us know if there are any specific questions that we can answer
> > for you, to help clarify the document, after considering it in the context of
> > the SACM charter as Dan mentioned.
> >
> >
> >
> > Thanks,
> >
> > Danny
> >
> >
> >
> > From: OPSEC [mailto:[email protected]] On Behalf Of Romascanu, Dan (Dan)
> > Sent: Sunday, November 22, 2015 9:48 AM
> > To: Linda Dunbar <[email protected]>; [email protected];
> > [email protected]
> > Cc: [email protected]
> > Subject: Re: [OPSEC] [sacm] [OPSAWG] Feedback on the SACM
> > Vulnerability Assessment Scenario
> >
> >
> >
> > Hi Linda,
> >
> >
> >
> > Thanks for answering the call for review and having a look at this work.
> >
> >
> >
> > Concerning your 'little disappointment': This I-D needs to be read in the
> > context of the current charter of the SACM WG. The WG charter focus for
> > this phase is on the 'endpoint posture' and on the 'enterprise use case'.
> > Maybe this makes things somehow more clear.
> >
> >
> >
> > Regards,
> >
> >
> >
> > Dan
> >
> >
> >
> >
> >
> > From: sacm [mailto:[email protected]] On Behalf Of Linda Dunbar
> > Sent: Thursday, November 19, 2015 10:36 PM
> > To: Romascanu, Dan (Dan); [email protected]; [email protected]
> > Cc: [email protected]
> > Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability
> > Assessment Scenario
> >
> >
> >
> > Reading through the document has made me feel that the Title of the draft
> > is misleading.
> >
> > Based on the title I was expecting to see the Vulnerability Assessment of
> > various network scenarios, which will be very useful information for
> > enterprise and service provider network administrators to put in adequate
> > tools to protect those vulnerabilities.
> >
> > But the document only describes the procedure in authenticating an end
> > user/points and states that you need to compare with the Vulnerability
> > report (almost like a common sense) without saying how and what.  I guess I
> > had too high the expectation, but a little disappointed of not finding the
> > information I was looking for.
> >
> >
> >
> > Linda Dunbar
> >
> >
> >
> >
> >
> >
> >
> > From: OPSAWG [mailto:[email protected]] On Behalf Of Romascanu, Dan (Dan)
> > Sent: Thursday, November 19, 2015 7:51 AM
> > To: [email protected]; [email protected]
> > Cc: [email protected]
> > Subject: [OPSAWG] Feedback on the SACM Vulnerability Assessment
> > Scenario
> >
> >
> >
> > Hi,
> >
> >
> >
> > I am reiterating a request that I made at IETF 94 in the OPSAWG
> > meeting, and also sent to the mail lists of opsec and opsawg. The SACM
> > WG is considering a document
> > https://datatracker.ietf.org/doc/draft-coffin-sacm-vuln-scenario/
> > that describes the operational practice of
> > vulnerability reports, which we believe is an important use case in
> > the security assessment life cycle. We are requiring feedback from
> > operators about the scenario described in this document - does it make
> > sense? Is it similar to what you do in operational real life? Are
> > you using similar or different methods for vulnerability assessment in
> > your networks? A quick reading and short feedback would be greatly
> > appreciated.
> >
> >
> >
> > Thanks and Regards,
> >
> >
> >
> > Dan
> >
> >
> >
> >
> > _______________________________________________
> > sacm mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/sacm
> >
> 
> 
> 
> --
> 
> Best regards,
> Kathleen
> 

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
