Open Vulnerability and Assessment Language (OVAL)
Contact Us Downloads News May 15, 2008 Search
link to OVAL home page
 Compatibility > About > OVAL Compatibility Program

OVAL Compatibility Program

Introduction

For a product or service to gain official OVAL Compatibility, it must complete the OVAL Compatibility Program. The program involves three phases, each of which must be completed before proceeding to the next phase. The first phase, called the Declaration Phase, consists of registering an organization's declaration of intent to make its product(s) and/or service(s) OVAL-Compatible. The second phase, called the Implementation Phase, requires the completion of a questionnaire that specifically looks at the details of how the organization has satisfied the "Requirements and Recommendations for OVAL Compatibility." The third phase, called the Evaluation Phase, involves correctness testing where the product or service is put through a rigorous set of tests to prove conformance to the standard.

Organizations that successfully complete all three phases will be included in a branding program that offers an official OVAL-Compatible Product/Service logo to indicate compatibility. The logo is authorized for use on Web sites, product packaging, publicity and marketing materials, trade show and other signage, etc.

Program Summary

Phase 1 Declaration of OVAL Compatibility

  1. Review the "Requirements and Recommendations for OVAL Compatibility" document posted on the OVAL Web site.
  2. Email oval@mitre.org and request the "OVAL Compatibility Declaration Form."
  3. Review Authority emails you the declaration form.
  4. Complete the form and return it to oval@mitre.org.
  5. The form is reviewed by the Review Authority and the product or service is added to the list of Declarations to be OVAL-Compatible on the OVAL Web site.

Phase 2 Implementation of OVAL Compatibility

  1. Complete the integration of OVAL into the product or service.
  2. Email oval@mitre.org and request the "OVAL Compatibility Questionnaire Form."
  3. Review Authority emails you the compatibility questionnaire.
  4. Complete the questionnaire and email it to oval@mitre.org.
  5. The completed questionnaire is reviewed by the Review Authority and posted on the OVAL Web site.

Phase 3 Evaluation of OVAL Compatibility

  1. Send an email to oval@mitre.org requesting the "Procedures for OVAL Compatibility Correctness Testing" document and review it.
  2. Send an email to oval@mitre.org requesting correctness testing for your product or service.
  3. Review Authority responds with a date and location for correctness testing.
  4. You assist the Review Authority with the correctness testing when necessary (this may involve travel).
  5. After testing is complete, the product or service is listed as "Officially OVAL-Compatible" on the Compatible Products and Services page and the organization receives a compatibility certificate and is included in the branding program.

Phase 1 - Declaration

The first phase of the OVAL Compatibility Program consists of an organization reviewing the "Requirements and Recommendations for OVAL Compatibility," and then making a declaration stating that their product or service fulfills, or will fulfill, those requirements.

Phase 1 of the compatibility program is initiated by requesting the "OVAL Compatibility Declaration Form" from oval@mitre.org. This form is filled out and then sent back to oval@mitre.org. Once the declaration is reviewed, the following information will be listed on the OVAL Web site (Note: Declarations will only be posted for products or services that are commercially available.):

  • Organization name
  • Web site address
  • Quote: a brief paragraph of how and why the organization is participating in the OVAL effort
  • Product/Service name with URL link to organization's product page
  • Product/Service Type: category of information security product or service
  • Capability: the specific OVAL capability of the product or service
  • Status: the compatibility is listed as Available or Planned

At this time you will also receive a "Compatible Product/Service Organization Welcome Kit" with items for your Web site including:

  • OVAL link button that can be used on their Web site to link to the OVAL main site.
  • OVAL Compatibility FAQ questions and answers.
  • OVAL Compatibility glossary terms and definitions.
  • A brief HTML document describing OVAL.

Phase 2 - Implementation

The second phase of the compatibility program involves the integration of OVAL into an organization's product(s) and the completion of the "OVAL Compatibility Questionnaire Form." Please note that only those organizations that completed the declaration phase can move on to the implementation phase.

Once a declaration of OVAL Compatibility is made, an organization should work with their development team to integrate the language into their products and services. After the integration is complete, the "OVAL Compatibility Questionnaire Form" can be requested by sending an email to oval@mitre.org. This questionnaire requires that the organization state specific and verifiable details about how it has satisfied the compatibility requirements. Upon completion, the form is submitted to MITRE by sending it back to oval@mitre.org.

At this time, MITRE will review the responses to the questionnaire and notify the organization of any potential areas of concern. Once both MITRE and the organization are satisfied with the questionnaire, MITRE will update the compatible products/services page on the OVAL Web site. Please note that this includes posting the questionnaire and its answers. The publication of the organization's questionnaire on the OVAL Web site allows end users and prospective customers to compare how different products satisfy the requirements and decide which are best.

Phase 3 - Evaluation

The third phase of the compatibility program involves an evaluation process. To begin this phase, organizations must have completed their declaration(s), and must have submitted a satisfactory questionnaire. Once this has been accomplished, an organization can start phase 3 by reviewing the "Procedures for OVAL Compatibility Correctness Testing" document that outlines the plan and expectations surrounding correctness testing.

Correctness testing allows MITRE to verify that the organization's implementation of OVAL meets the compatibility requirements, as stated in the "Requirements and Recommendations for OVAL Compatibility" document. It usually involves a face-to-face meeting where MITRE exercises the organizations product and verifies the claims made in the questionnaire. To request correctness testing, send an email to oval@mitre.org. The organization will then be contacted by MITRE and the details necessary for scheduling a testing session will be worked out.

Once correctness testing has been completed, MITRE will complete its review of evaluation and then notify the organization of the results of the correctness test. If no issues were raised during this test and MITRE has deemed it a success, then the product or service will officially gain OVAL-Compatible status.

At this time, the organization will receive an official OVAL-Compatible logo to indicate compatibility. Logo use recommendations and restrictions will be supplied at that time. In addition, the organization's product will be listed on the Compatible Products and Services page on the OVAL Web site.

Page Last Updated: September 14, 2006

 

OVAL is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

The OVAL Web site is hosted by The MITRE Corporation.

Copyright 2002-2008, The MITRE Corporation. All rights reserved. OVAL and the OVAL logo are registered trademarks of The MITRE Corporation.

Contact oval@mitre.org for more information.
Privacy policy
Terms of use