Comparing the PCI, CIS and FDCC Certification Standards
As a vendor, Tenable has to demonstrate compliance in many different categories. The Payment Card Industry (PCI), the Center for Internet Security (CIS) and the US government's FDCC program all have certification standards and procedures for vendors like Tenable. Since Tenable is certified in most of these categories (we're in the process of becoming an ASV), I thought it would be interesting to share some of our insights with our blog readers on the differences between them and the misconceptions that surround them.
The biggest misconception about PCI is that you need to be an Approved Scanning Vendor (ASV) to be relevant in the industry. This isn't true; otherwise you would not see the focus on PCI from log management, intrusion detection and antivirus vendors, none of whom run ASV scans.
Being an ASV means that you can perform a remote, un-credentialed vulnerability scan with minimal false positives and false negatives. Unlike CIS or FDCC, the ASV scanning test is a secret: there is no published list of the vulnerabilities an ASV is required to find on the test network. It is a small-scope test, but it does exercise the comprehensiveness of the scanner.
The ASV certification only tests the scanning service itself. It does not test the other products a company sells.
The US government's FDCC (SCAP) program involves laboratory testing to ensure that vendors like Tenable can consume XCCDF checklist content, perform the audit using the OVAL checks that content references, and produce results in the format the program requires.
As a vendor, we select a lab that is accredited by NIST to perform this testing. We then go into the lab, train the analysts performing the test, and walk away. That is the coolest part. No other certification that Tenable does is as hands-off as that.
The largest misconception about FDCC certification is that all FDCC validations are the same. You can be an FDCC certified vendor just by demonstrating that your vulnerability scanner results carry CVE entries. There are other, more advanced FDCC capabilities that certify you can do the actual XCCDF based configuration auditing. Even then, FDCC only tests a product's ability to process XCCDF content for the FDCC policies for Windows XP and Vista. It is not a generic XCCDF certification, so passing it says nothing about how a product handles arbitrary XCCDF benchmarks for other platforms.
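To make concrete what "consume XCCDF content, perform an audit and produce results" means, here is a toy SCAP-style evaluator. It is an added illustration written for this post, not Tenable or Nessus code. The benchmark, the CCE-style identifiers (CCE-EXAMPLE-*), the OVAL definition names and the two host states are all constructed for the example, and real OVAL evaluation is stood in for by Python predicates keyed by OVAL definition id. Rules the profile deselects come back `notselected`, and rules whose check we cannot evaluate come back `notchecked` rather than being silently counted as passes.

```python
"""Toy SCAP-style evaluator: read an XCCDF 1.1 benchmark, run the checks its
rules reference against a collected host state, and write an XCCDF TestResult.

Added illustration, not Tenable/Nessus code. The benchmark, the CCE-style
identifiers and the host states are constructed for the example; OVAL
evaluation is replaced by Python predicates keyed by OVAL definition id."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS}

# Constructed benchmark: rules shaped like FDCC Windows policy rules.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-fdcc-subset">
  <Rule id="min-password-length" selected="true" severity="medium">
    <title>Minimum password length is at least 12</title>
    <ident system="http://cce.mitre.org">CCE-EXAMPLE-0001</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="checks.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="audit-logon-events" selected="true" severity="medium">
    <title>Audit logon events for success and failure</title>
    <ident system="http://cce.mitre.org">CCE-EXAMPLE-0002</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="checks.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
  <Rule id="guest-account-disabled" selected="true" severity="high">
    <title>Guest account is disabled (no check implemented here)</title>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="checks.xml" name="oval:example:def:99"/>
    </check>
  </Rule>
  <Rule id="screen-saver-timeout" selected="false" severity="low">
    <title>Screen saver timeout (deselected in this profile)</title>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="checks.xml" name="oval:example:def:3"/>
    </check>
  </Rule>
</Benchmark>"""

# Stand-ins for OVAL definitions: each returns True when the host is compliant.
CHECKS = {
    "oval:example:def:1": lambda s: s.get("MinimumPasswordLength", 0) >= 12,
    "oval:example:def:2": lambda s: {"Success", "Failure"} <= set(s.get("AuditLogonEvents", ())),
    "oval:example:def:3": lambda s: 0 < s.get("ScreenSaverTimeoutSec", 0) <= 900,
}

# Constructed host states, as a credentialed audit or agent might collect them.
COMPLIANT_HOST = {"MinimumPasswordLength": 14,
                  "AuditLogonEvents": ("Success", "Failure"),
                  "ScreenSaverTimeoutSec": 600}
NONCOMPLIANT_HOST = {"MinimumPasswordLength": 8,
                     "AuditLogonEvents": ("Success",),
                     "ScreenSaverTimeoutSec": 0}


def parse_benchmark(xml_text):
    """Return (benchmark id, rules). Each rule carries its id, selection flag,
    CCE idents and the OVAL definition its check references. Rules are found
    recursively because real benchmarks nest them inside Group elements."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall(".//x:Rule", NS):
        ref = rule.find("x:check/x:check-content-ref", NS)
        rules.append({
            "id": rule.get("id"),
            "selected": rule.get("selected", "true") == "true",
            "idents": [i.text for i in rule.findall("x:ident", NS)],
            "oval_def": ref.get("name") if ref is not None else None,
        })
    return root.get("id"), rules


def evaluate(rules, host_state):
    """Map each rule id to an XCCDF result value (pass, fail, notchecked,
    notselected). A rule we cannot evaluate is never reported as a pass."""
    results = {}
    for rule in rules:
        if not rule["selected"]:
            results[rule["id"]] = "notselected"
            continue
        check = CHECKS.get(rule["oval_def"])
        if check is None:
            results[rule["id"]] = "notchecked"
            continue
        results[rule["id"]] = "pass" if check(host_state) else "fail"
    return results


def build_test_result(benchmark_id, rules, results, target="host.example"):
    """Serialize results as an XCCDF TestResult: one rule-result per rule,
    the CCE idents carried through, and a flat score over checked rules."""
    ET.register_namespace("", XCCDF_NS)
    tr = ET.Element(f"{{{XCCDF_NS}}}TestResult", id=f"result-{benchmark_id}")
    ET.SubElement(tr, f"{{{XCCDF_NS}}}benchmark", href=f"{benchmark_id}.xml")
    ET.SubElement(tr, f"{{{XCCDF_NS}}}target").text = target
    for rule in rules:
        rr = ET.SubElement(tr, f"{{{XCCDF_NS}}}rule-result", idref=rule["id"])
        ET.SubElement(rr, f"{{{XCCDF_NS}}}result").text = results[rule["id"]]
        for ident in rule["idents"]:
            ET.SubElement(rr, f"{{{XCCDF_NS}}}ident", system="http://cce.mitre.org").text = ident
    scored = [r for r in results.values() if r in ("pass", "fail")]
    score = 100.0 * scored.count("pass") / len(scored) if scored else 0.0
    ET.SubElement(tr, f"{{{XCCDF_NS}}}score", maximum="100").text = f"{score:.1f}"
    return ET.tostring(tr, encoding="unicode")


def summarize_test_result(xml_text):
    """Parse a TestResult back (as a downstream consumer would) and return
    (score, {rule id: result})."""
    root = ET.fromstring(xml_text)
    res = {rr.get("idref"): rr.find("x:result", NS).text
           for rr in root.findall("x:rule-result", NS)}
    return float(root.find("x:score", NS).text), res


if __name__ == "__main__":
    bid, rules = parse_benchmark(BENCHMARK_XML)
    for label, state in (("compliant", COMPLIANT_HOST), ("non-compliant", NONCOMPLIANT_HOST)):
        res = evaluate(rules, state)
        print(label, res)
        print(build_test_result(bid, rules, res))
```

Running both host states through the same benchmark is the point of a lab test like FDCC: the product must report `fail` where the setting is wrong, `pass` where it is right, and must not hide the rules it could not evaluate behind a clean score.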
The last standard I'd like to talk about is CIS vendor certification. CIS certifies a vendor's specific audits for a given technology, but does not certify the product itself. In Tenable's case, we've been certified in performing audits with Nessus for many different types of routers, operating systems and applications.
To get certified, we need to demonstrate that our audits can detect compliant and non-compliant settings. This data is prepared and sent to the CIS organization, where it is then reviewed.
CIS doesn't perform any testing of its own and also doesn't dictate how the tests are supposed to be done. I like the fact that CIS does not mandate how a test is performed, which means you can use scanning, a credentialed audit, an agent, a reference gold image, or magic, ESP and UFOs. PCI and FDCC, by contrast, often dictate how a scan is configured or how credentials are used, which limits a vendor's ability to innovate.
As security practitioners, it's important to know the major and minor differences between these standards, as they are often referenced in the marketing claims of vendors, in the media, and even by auditors, not all of whom are equally aware of the technical details. If you have feedback on this, feel free to message me on Twitter @RonGula.