ISO/IEC 18180:2013
Information technology — Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2
ISO/IEC 18180:2013 specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and scoring. ISO/IEC 18180:2013 also defines a data model and format for storing results of security guidance or checklist testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.
French title: Information technology — Specification for XCCDF (Extensible Configuration Checklist Description Format) version 1.2
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 18180
First edition
2013-06-15
Information technology — Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2
French title: Information technology — Specification for XCCDF (Extensible Configuration Checklist Description Format) version 1.2
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 18180 was prepared by the U.S. National Institute of Standards and Technology (as NIST IR 7275, Revision 4) and was adopted, under a special "fast-track procedure", by Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by the national bodies of ISO and IEC.
NIST Interagency Report 7275
Revision 4
Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2
David Waltermire
Charles Schmidt
Karen Scarfone
Neal Ziring
COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
September 2011
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary for Standards and Technology and Director
SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.2
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Interagency Report discusses ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
National Institute of Standards and Technology Interagency Report 7275 Revision 4
80 pages (Sep. 2011)
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
Acknowledgments
The authors of this report, David Waltermire of the National Institute of Standards and Technology (NIST), Charles Schmidt of The MITRE Corporation, Karen Scarfone of Scarfone Cybersecurity, and Neal Ziring of the National Security Agency (NSA), wish to thank all contributors to this revision of the publication, particularly Adam Halbardier of Booz Allen Hamilton, Vladimir Giszpenc, Kent Landfield and Richard Whitehurst of McAfee, Lisa Nordman of The MITRE Corporation, Joe Wolfkiel of DISA, and Shane Shaffer and Matt Kerr of G2, Inc.

The authors would also like to acknowledge the following individuals who contributed to the initial definition and development of the Extensible Configuration Checklist Description Format (XCCDF): David Proulx, Mike Michnikov, Andrew Buttner, Todd Wittbold, Adam Compton, George Jones, Chris Calabrese, John Banghart, Murugiah Souppaya, John Wack, Trent Pitsenbarger, and Robert Stafford.

Stephen D. Quinn, Peter Mell, and Matthew Wojcik contributed to Revisions 1, 2, and 3 of this report. Ryan Wilson of Georgia Institute of Technology also made substantial contributions. Thanks also go to the Defense Information Systems Agency (DISA) Field Security Office (FSO) Vulnerability Management System (VMS)/Gold Disk team for extensive review and many suggestions.
Abstract
This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and scoring. The specification also defines a data model and format for storing results of security guidance or checklist testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.
Audience
The primary audience of the XCCDF specification is government and industry security analysts, and security management product developers.
Trademark Information
All names are registered trademarks or trademarks of their respective companies.
Contents
1. INTRODUCTION ... 1
1.1 PURPOSE AND SCOPE ... 1
1.2 DOCUMENT STRUCTURE ... 1
1.3 DOCUMENT CONVENTIONS ... 1
2. NORMATIVE REFERENCES ... 2
3. TERMS, DEFINITIONS, AND ABBREVIATIONS ... 3
3.1 XCCDF TERMINOLOGY ... 3
3.2 ACRONYMS AND ABBREVIATIONS ... 3
4. CONFORMANCE ... 4
4.1 PRODUCT CONFORMANCE ... 4
4.2 BENCHMARK DOCUMENT CONFORMANCE ... 4
5. XCCDF OVERVIEW ... 5
5.1 INTRODUCTION ... 5
5.2 CHECKLIST STRUCTURE AND TAILORING ... 6
5.3 TEST RESULTS ... 7
6. XCCDF DATA MODEL ... 8
6.1 INTRODUCTION ... 8
6.2 GENERAL XML INFORMATION ... 9
6.2.1 XCCDF Namespace and XML Schema ... 9
6.2.2 Element and Attribute Formatting ... 9
6.2.3 Element Identifiers ... 10
6.2.4 Element ... 10
6.2.5 Platform Names ... 11
6.2.6 Element ... 12
6.2.7 Element ... 13
6.2.8 Status Tracking ... 13
6.2.9 Text Substitution ... 13
6.2.10 @xml:lang Attribute ... 14
6.3 ... 15
6.3.1 Basics ... 15
6.3.2 Properties ... 16
6.4 ITEM ELEMENTS ... 18
6.4.1 Properties ... 18
6.4.2 Element ... 20
6.4.3 Element ... 21
6.4.4 Element ... 21
6.4.5 Element ... 30
6.5 ELEMENT ... 34
6.5.1 Basics ... 34
6.5.2 Properties ... 34
6.5.3 Selectors
...