Security Automation and Continuous Monitoring WG             D.W. Waltermire
Internet-Draft                                                          NIST
Intended status: Informational                                A.W.M. Montville
Expires: July 21, 2014                                                   CIS
                                                              D.B.H. Harrington
                                                          Effective Software
                                                            January 17, 2014

Terminology for Security Assessment


This memo documents terminology used in the documents produced by the SACM WG (Security Automation and Continuous Monitoring).

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 21, 2014.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction

The goal of this document is to improve agreement on the terminology used in documents produced by the IETF Security Automation and Continuous Monitoring (SACM) Working Group. Agreeing on terminology should help the working group reach consensus on which problems it is trying to solve, propose solutions to them, and decide which solutions to adopt.

This document is expected to be a temporary work product; its contents will probably be incorporated into the architecture document or another SACM document.

2. Terms and Definitions

2.1. Terms Extracted from UC -05 Draft

The following terms were extracted from revision -05 of the SACM use cases draft. They are listed without definitions at this stage; terms that are kept after review will be defined or cited (see the change log in Section 6).

acquisition method


actual endpoint state

ad hoc collection task

ad hoc evaluation task

applicable data collection content


appropriate actor

appropriate application

appropriate operator

approved configuration

approved endpoint configuration

approved hardware list

approved software list


artifact age

assessment criteria

assessment cycle

assessment planning

assessment subset

assessment trigger

asset characteristics

asset management

asset management data

asset management system

asynchronous compliance assessment

asynchronous vulnerability assessment

attack condition


automatable configuration guide

automatable configuration guide definition

automatable configuration guide publication

automated checklist verification

automated endpoint compliance monitoring


baseline compliance

building block

business logic

candidate endpoint target


change detection

change event

change event monitoring

change filter

change management

change management program


checklist identification

checklist verification

client endpoint

collected posture attribute value

collection content acquisition

collection process

collection request

collection task

complete assessment cycle


compliance level

compliance monitoring

computing platform endpoint

configuration baseline

configuration data

configuration item

configuration item change

configuration management


content change detection

content data store

content definition

content instance

content publication

content query

content repository

content retrieval


critical vulnerability

current sign of malware infection

data analysis

data collection

data collection content

data collection path

data store query

database mining

define content

desired state

desired state identification

detection timeliness

deviation notification



endpoint attribute

endpoint compliance monitoring

endpoint component inventory

endpoint discovery

endpoint event

endpoint identification

endpoint information analysis and reporting

endpoint metadata

endpoint posture

endpoint posture assessment

endpoint posture attribute

endpoint posture attribute value

endpoint posture attribute value collection

endpoint posture change monitoring

endpoint posture compliance

endpoint posture deviation

endpoint posture deviation detection

endpoint posture monitoring

endpoint state

endpoint target

endpoint target identification

endpoint type


enterprise function

enterprise function definition

enterprise policy

enterprise standards

evaluating data

evaluation content acquisition

evaluation task

evaluation result

event-driven notification

expected function

expected state

expected state criteria


functional capability

immediate detection

indicator of compromise

industry group

information expression

information model

malicious activity

malicious configuration item

malicious hardware

malicious software

malware infection

manual endpoint compliance monitoring

mobile endpoint


network access control

network access control decision

network event

network infrastructure endpoint

network location

network-connection-driven data collection

new vulnerability

on-demand detection

ongoing change-event monitoring

ongoing-event-driven endpoint-posture-change monitoring

ongoing-event-driven monitoring

operational data


organizational policy

organizational policy compliance

organizational security posture


patch change

patch management

performance condition

periodic collection request

periodic data collection


posture aspect

posture aspect change

posture attribute

posture attribute evaluation

posture attribute identification

posture attribute value

posture attribute value collection

posture attribute value query

posture change

posture deviation

posture deviation detection

posture evaluation

previously collected information

previously collected posture attribute value

previously collected posture attribute value analysis


public content repository

publication metadata

publication operations

publish content


regulatory authority


repository content identification

repository content retrieval


result set

retrieve content


risk management

risk management program

scheduled task

search criteria

secure configuration baseline

security administrator

security automation

security posture

security process

server endpoint

significant endpoint event

significant event

signs of infection

state criteria

supporting content


target endpoint



unauthorized configuration item

unauthorized hardware

unauthorized software


vulnerability artifact

vulnerability artifact age

vulnerability condition

vulnerability exposure

vulnerability management

vulnerability mitigation

vulnerability remediation

whole assessment

workflow trigger

2.2. Terms from -01 Terminology Draft

asset characterization

asset targeting

posture attributes

software flaw

system resource

Vulnerability Management

2.3. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3. IANA Considerations

This memo includes no request to IANA.

4. Security Considerations

This memo documents terminology for security automation. It defines no protocol, data format, or procedure, so although its subject is security, it introduces no security considerations of its own.

5. Acknowledgements

6. Change Log

6.1. ietf-sacm-terminology-01- to -02-

Added simple list of terms extracted from UC draft -05. It is expected that comments will be received on this list of terms as to whether they should be kept in this document. Those that are kept will be appropriately defined or cited.

6.2. ietf-sacm-terminology-00- to -01-

Added Vulnerability, Vulnerability Management, Exposure, Misconfiguration, and Software Flaw.

6.3. -00- draft

7. References

7.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

7.2. Informative References

[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, August 2007.

[RFC5209] Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J. Tardo, "Network Endpoint Assessment (NEA): Overview and Requirements", RFC 5209, June 2008.

Authors' Addresses

David Waltermire
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland 20877
USA

Adam W. Montville
Center for Internet Security
31 Tech Valley Drive
East Greenbush, New York 12061
USA

David Harrington
Effective Software
50 Harding Rd
Portsmouth, NH 03801
USA