Skip to main content

OVAL and the SACM Information Model

Document Type Expired Internet-Draft (individual)
Expired & archived
Authors, Daniel Haynes , Juan Gonzalez
Last updated 2017-03-11 (Latest revision 2016-09-07)
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


The OVAL community has spent more than ten years developing and employing the OVAL Language. During this time, the community has made a number of design decisions and learned a number of lessons that should be leveraged as the next-generation endpoint posture assessment standards are formulated. There are also a number of places where portions of the OVAL Language align with the SACM Information Model and could serve as a starting point for related work. Another output of the work executed under the OVAL project is a number of lessons that are applicable to the SACM work. These lessons include a clear separation of data collection and evaluation; a call to focus on ensuring both primary source vendors and third party security experts feel invited to the discussion and are empowered to leverage their unique domain knowledge; and to strive for simplicity and flexibility, where possible. In addition, the OVAL community has a set of clear recommendations with respect to which parts of OVAL should be used by SACM as a means to make best use of the efforts of those that have worked on and supported OVAL over the past ten years. Those recommendations are: o Use the OVAL System Characteristics Model to inform the development of a data model for representing endpoint posture attributes. o Use the OVAL Definitions Model to inform the development of data models for representing evaluation and collection guidance. o Do not use the OVAL Results Model to inform the development of a data model for representing evaluation results. Lastly, this document will discuss the OVAL submission, how it is expected to be used, and how it aligns with the SACM Vulnerability Assessment Scenario.

Daniel Haynes
Juan Gonzalez

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)