Documents
A one-page resource list for information about the Language on the following topics:
Language Basics
OVAL Language Overview, Use Cases, Language Structure, Definition Tutorial, Validating a Document, and OVAL Developer’s Forum Discussion Archives
Using OVAL
OVAL Test Content and OVAL Author’s Resources
Process and Policy Documents
How to Request Changes to the OVAL Language, Language Revision Process, Versioning Policy, Deprecation Policy, Changes That Break Backward Compatibility, and Regular Expression Support
Research Efforts
Using the Trusted Platform Module (TPM) to Enhance OVAL Driven Assessments and OVAL Reporting
A one-page resource list for information about the Repository on the following topics:
Basics
OVAL Repository Overview, OVAL Forum Discussion Archives, Tracking Changes, Top Contributor Awards, and Other Repositories of OVAL Content
Submitting Content
OVAL Author’s Resources, Challenges of Writing OVAL Definitions, Writing an OVAL Definition, Authoring Style Guide, and Submission Guidelines
Test Content
Statement of CVE Compatibility
The Open Vulnerability and Assessment Language (OVAL) Web site is "CVE-compatible." This document includes detailed descriptions of the CVE (Common Vulnerabilities and Exposures) Initiative, CVE compatibility, and how the OVAL Web site is CVE-compatible. April 13, 2006
Details eight use cases for OVAL that are intended to define the best practice usage of the standard. Each use case (Security Advisory Distribution, Vulnerability Assessment, Patch Management, Configuration Management, Auditing and Centralized Audit Validation, Security Information Management Systems (SIMS), System Inventory, and Malware and Threat Indicator Sharing) also includes a list of its relevant OVAL Capabilities (i.e., Authoring Tool, Definition Evaluator, Definition Repository, Results Consumer, and System Characteristics Producer).
Requirements and Recommendations for OVAL Adoption
Provides the detailed requirements against which an information product or service may become an Official OVAL Adopter. January 20, 2010
Key Concepts of the OVAL Adoption Program
Defines terms used in the OVAL Adoption Program, provides an overview of the typical flow through the program for a participating organization, and provides an overview of the role and responsibility of the OVAL Moderator in the adoption program.
Describes the four phases of the OVAL Adoption Program: Declaration, Implementation, Questionnaire, and Recognition. Organizations that successfully complete all four phases have their products listed as Official OVAL Adopters on the OVAL Web site.
Describes how deploying products and services that have adopted OVAL benefits organizations working to secure their enterprises, and how providing products that implement OVAL benefits the vendors that help them do it.
Includes all products currently listed as "Official" OVAL Adopters. Other listings in the OVAL Adoption Program section include those products with declarations that they will adopt OVAL; listings of all products in the program by OVAL capability, product name, product type, and country; and a list of all organizations currently participating in the program.
OVAL Introductory Brochure
A brief two-page introduction to the OVAL effort. February 2013.
PDF (142 K)
Example Procurement Documents for Requiring OVAL:
OVAL-Relevant Software Supplier Requirements (SWSupplier)
This document is an extract of the statement of objectives used by the Department of Defense to explain the security-relevant requirements they wanted met by software suppliers. Several areas of security issues are addressed, as well as the use of OVAL definitions for indicating how to identify the vulnerability and its remediation (workarounds and patches) in security notifications.
Word (76K)
OVAL-Relevant Vulnerability Assessment Tool Requirements (IAVMtool)
This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide vulnerability assessment and reporting tool. Several areas of security issues are addressed, as well as the use of OVAL definitions for checking for vulnerabilities and reporting results.
Word (60K)
OVAL-Relevant Remediation Tool Requirements (IAremedtool)
This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide remediation tool. Several areas of security issues are addressed, as well as the use of OVAL for importing assessment results that list items to be remediated and reporting remediation status.
Word (76K)
Page Last Updated: September 11, 2015