davidkazuhiro/sacm-charter-proposal

## sacm-charter-proposal
SACM Charter Proposal
2017-09-12

Securing information and the systems that store, process, and transmit that information is a challenging task for organizations of all sizes, and many security practitioners spend much of their time on manual processes. Standardized protocols and models aiding collection and evaluation of endpoint attributes enable automation, thus freeing practitioners to focus on high priority tasks .

At its core, posture assessment  consists of five basic steps, which the working group desires to fulfill  in an innovative, automated manner capable of avoiding ad hoc or scheduled assessments:

1. Describe target endpoints
2. Determine specific endpoint elements  to assess
3. Collect and make available specified elements' actual values
4. Compare actual element values to expected element values
5. Make results available

This working group will focus on collection, evaluation, and orchestration and communication, as described herein.

A. Collection. The WG will define a standardized way to provide two types of imperative guidance to collectors over varying collection mechanisms:

1) Which target endpoints to collect from, and
2) What to collect from these target endpoints.

When classified , a set of instructions (such as vulnerability description data, YANG filter expressions, Windows Management Instrumentation classes, etc.) can be brokered to the appropriate collectors using the control plane functions  defined by "C. Orchestration and Communication" (below). Detecting and classifying desired attributes beforehand may require orchestrating functions that go beyond the set of capabilities a collector can provide, and will inform the requirements and characteristics for "C. Orchestration and Communication". The working group recognizes that manual configuration of targets and corresponding collection profiles will not scale and does not seem to be a viable option.

B. Evaluation. The working group will standardize a criteria language enabling evaluation of actual endpoint posture information against desired endpoint posture information to produce a standardized result. This extensible language will support complex Boolean statements, comparison operators, logical flow statements, and functions for string manipulation. Additionally, the working group will seek to discover an approach that allows data from any posture collection mechanism to be generically evaluated.

C. Orchestration and Communication. The working group will define a set of control plane functions to enable the discovery and orchestration between devices that can provide the requisite information  sought by posture collectors, posture evaluators, data repositories, and other SACM architectural components.

Due to the breadth of this work, the working group will address enterprise use cases pertaining to the assessment of endpoint posture (using the definitions of Endpoint and Posture from RFC 5209). The working group will, whenever reasonable and possible, reuse existing work.

Specific work items will include the following:

-  The WG will define a way to provide two types of imperative guidance to the correct SACM collectors: 1) Which target endpoints to collect from and 2) what to collect from these target endpoints. When classified, a set of instructions, such as vulnerability description data or YANG filter expressions, can be brokered to the appropriate collectors. Detecting and classifying beforehand might require orchestrating functions that go beyond the set of capabilities a SACM collector can provide.

-  The WG will describe a criteria language capable of being evaluated against endpoint posture information to produce a standardized result. The language will support complex Boolean statements, comparison operators, and functions for string manipulation; and will be extensible enough to be applicable to the full range of collected posture attributes. Additionally, this document will describe an approach that allows data from any posture collection mechanism to be evaluated.

- The WG will define a control plane function to enable the discovery and orchestration between devices that can provide the requisite information sought by posture collectors, posture evaluators or both. As an example, a document that describes an instance of such a control plane and transfer protocol for data, is through the use of XMPP and extensions as needed to demonstrate XMPP’s applicability to SACM.

- A method of expressing software metadata is needed that is suitable for use by constrained devices. The WG will create a standards track document that defines a CBOR-based format that represents software metadata to include software identification, file hashes, and other descriptive information. This format will be derived from the ISO/IEC 19770-2 Software Identification (SWID) tag standard.

- To support collection of posture information from traditional computing devices (e.g., servers, laptops, etc.), the WG will create standards track documents describing mechanisms for the collection and delivery of information about installed software on an endpoint by extending IETF NEA.

- To provide for the integration of multiple standards to support posture information collection, the WG will define best practices  for the collection of posture information from endpoints and its delivery to a collector, from which it can be distributed using the SACM messaging standards.

-The WG will define standards track documents describing extensions to the Resource-Oriented Lightweight Information Exchange (ROLIE) that provide IANA registrations and requirements to support the sharing of software, configuration information, and other forms of imperative guidance.

Additionally, the working group will describe: 1) a SACM Architecture including protocol requirements and their associated use cases as well as a description of how SACM protocols fit together into a system, and 2) a SACM Information Model.
	SACM Charter Proposal
	2017-09-12

	Securing information and the systems that store, process, and transmit that information is a challenging task for organizations of all sizes, and many security practitioners spend much of their time on manual processes. Standardized protocols and models aiding collection and evaluation of endpoint attributes enable automation, thus freeing practitioners to focus on high priority tasks .

	At its core, posture assessment consists of five basic steps, which the working group desires to fulfill in an innovative, automated manner capable of avoiding ad hoc or scheduled assessments:

	1. Describe target endpoints
	2. Determine specific endpoint elements to assess
	3. Collect and make available specified elements' actual values
	4. Compare actual element values to expected element values
	5. Make results available

	This working group will focus on collection, evaluation, and orchestration and communication, as described herein.

	A. Collection. The WG will define a standardized way to provide two types of imperative guidance to collectors over varying collection mechanisms:

	1) Which target endpoints to collect from, and
	2) What to collect from these target endpoints.

	When classified , a set of instructions (such as vulnerability description data, YANG filter expressions, Windows Management Instrumentation classes, etc.) can be brokered to the appropriate collectors using the control plane functions defined by "C. Orchestration and Communication" (below). Detecting and classifying desired attributes beforehand may require orchestrating functions that go beyond the set of capabilities a collector can provide, and will inform the requirements and characteristics for "C. Orchestration and Communication". The working group recognizes that manual configuration of targets and corresponding collection profiles will not scale and does not seem to be a viable option.

	B. Evaluation. The working group will standardize a criteria language enabling evaluation of actual endpoint posture information against desired endpoint posture information to produce a standardized result. This extensible language will support complex Boolean statements, comparison operators, logical flow statements, and functions for string manipulation. Additionally, the working group will seek to discover an approach that allows data from any posture collection mechanism to be generically evaluated.

	C. Orchestration and Communication. The working group will define a set of control plane functions to enable the discovery and orchestration between devices that can provide the requisite information sought by posture collectors, posture evaluators, data repositories, and other SACM architectural components.

	Due to the breadth of this work, the working group will address enterprise use cases pertaining to the assessment of endpoint posture (using the definitions of Endpoint and Posture from RFC 5209). The working group will, whenever reasonable and possible, reuse existing work.

	Specific work items will include the following:

	- The WG will define a way to provide two types of imperative guidance to the correct SACM collectors: 1) Which target endpoints to collect from and 2) what to collect from these target endpoints. When classified, a set of instructions, such as vulnerability description data or YANG filter expressions, can be brokered to the appropriate collectors. Detecting and classifying beforehand might require orchestrating functions that go beyond the set of capabilities a SACM collector can provide.

	- The WG will describe a criteria language capable of being evaluated against endpoint posture information to produce a standardized result. The language will support complex Boolean statements, comparison operators, and functions for string manipulation; and will be extensible enough to be applicable to the full range of collected posture attributes. Additionally, this document will describe an approach that allows data from any posture collection mechanism to be evaluated.

	- The WG will define a control plane function to enable the discovery and orchestration between devices that can provide the requisite information sought by posture collectors, posture evaluators or both. As an example, a document that describes an instance of such a control plane and transfer protocol for data, is through the use of XMPP and extensions as needed to demonstrate XMPP’s applicability to SACM.

	- A method of expressing software metadata is needed that is suitable for use by constrained devices. The WG will create a standards track document that defines a CBOR-based format that represents software metadata to include software identification, file hashes, and other descriptive information. This format will be derived from the ISO/IEC 19770-2 Software Identification (SWID) tag standard.

	- To support collection of posture information from traditional computing devices (e.g., servers, laptops, etc.), the WG will create standards track documents describing mechanisms for the collection and delivery of information about installed software on an endpoint by extending IETF NEA.

	- To provide for the integration of multiple standards to support posture information collection, the WG will define best practices for the collection of posture information from endpoints and its delivery to a collector, from which it can be distributed using the SACM messaging standards.

	-The WG will define standards track documents describing extensions to the Resource-Oriented Lightweight Information Exchange (ROLIE) that provide IANA registrations and requirements to support the sharing of software, configuration information, and other forms of imperative guidance.

	Additionally, the working group will describe: 1) a SACM Architecture including protocol requirements and their associated use cases as well as a description of how SACM protocols fit together into a system, and 2) a SACM Information Model.