Press Release

SignaCert Receives NIST Security Content Automation Protocol (SCAP) Validation

January 27, 2010

NIST validates SCAP solution with reference image management and known-provenance whitelist capabilities

Portland, OR – Continuing its leadership position in providing next-generation IT image management solutions based on known-provenance software whitelisting, SignaCert, Inc. today announced Enterprise Trust Server version 3.6 received SCAP certification. The SCAP program is a U.S. government initiative to enable automation and standardization of technical security operations.

SignaCert's datacenter-ready implementation of the SCAP method enables "continuous monitoring" and affirmation of any IT platform regardless of vendor. It also fully leverages the SCAP protocols to enable standardized sharing of software integrity state, configuration and risk/vulnerability information. Continuous monitoring with SignaCert's SCAP implementation dramatically enhances change detection resolution while closing the IT compliance exposure window.

With SignaCert Enterprise Trust Server version 3.6, customers can now operationally manage IT systems against SCAP vulnerability and configuration checklists (including FDCC). When assessing system security, vulnerability, and configuration posture, the Enterprise Trust Server utilizes information from XCCDF (Extensible Configuration Checklist Description Format), OVAL (Open Vulnerability Assessment Language), CVE (Common Vulnerability Enumeration), CCE (Common Configuration Enumeration), CPE (Common Platform Enumeration), and CVSS (Common Vulnerability Scoring System).

"Over the past year, we have been partnering with the DoD and federal IT security community to strengthen our nation's defenses against the adversary." said Wyatt Starnes, SignaCert founder and CEO. "Our innovative whitelisting approach uses government standards and protocols to help agency and private industry system administrators focus on prioritizing risk and vulnerabilities so they can better protect their networks against both internal and external threats."

SignaCert extends SCAP's traditional compliance-centric capabilities by providing robust reference image management validation supplemented by rich known-provenance whitelist content. This combination greatly enhances software supply chain confidence on all IT platforms, increasing the security and efficacy of managed systems.

"We see the SCAP method for Continuous Monitoring of IT systems used by DoD and the Federal IT community as a major step to enhance both security and operational compliance." said Starnes, "Version 3.6 of our next-generation compliance, vulnerability assessment, and configuration control solution, combined with our unique application of known-provenance whitelisting data, solidifies SignaCert as the preeminent whitelist operational assurance and compliance solution provider for both government and industry."

SCAP Background:

SCAP is rapidly emerging as the de facto government standard method for IT systems management and security. SCAP encompasses NIST 800-53, CAG (Consensus Audit Guidelines) and DoD (Department of Defense) best practices as well as market experience from the initial FDCC (Federal Desktop Core Configuration) implementation for FISMA.

Presently, most IT audit and C&A (Certification & Accreditation) regulations require IT system conformance checks every few weeks or even months, creating a significant exposure window for these systems. Further, many regulations and standards are narrowly focused primarily on configuration, vulnerability and risk issues.

With the 3.6 release of SignaCert's Enterprise Trust Server customers can ensure that all systems maintain compliance against file system, registry, database, and system/security configuration policies, whether internally derived or government and industry mandated.

About SignaCert

SignaCert is the leading provider of end-to-end and partner-based IT compliance solutions based on known-provenance whitelist technology. These methods allow SignaCert's direct customers to rapidly achieve and prove continuous compliance for the systems that deliver critical business services. The SignaCert architecture is designed to seamlessly integrate with existing change processes and continuously monitor critical business services without disruption.

Additionally, SignaCert's OEM and ISV Partners can supply to, or license content from, the SignaCert Global Trust Repository (GTR), adding new and important capabilities to their product offerings. All use cases are supported by a rich repository of vendor-independent software measurements. These "white" or "allow" list methods enable SignaCert's patented technology to be quickly deployed and provide immediate visibility into the actual state of IT infrastructure.

Founded in 2004 by 34-year IT security and compliance industry veteran Wyatt Starnes, SignaCert has assembled a world class team of industry leaders with hands-on IT experience for its executive team, board of directors, and advisory board.

SignaCert's end-customers span a wide variety of industries, including financial services, government, and healthcare.