@techreport{hansbury-sacm-oval-info-model-mapping-03,
  number = {draft-hansbury-sacm-oval-info-model-mapping-03},
  type = {Internet-Draft},
  institution = {Internet Engineering Task Force},
  publisher = {Internet Engineering Task Force},
  note = {Work in Progress},
  url = {https://datatracker.ietf.org/doc/draft-hansbury-sacm-oval-info-model-mapping/03/},
  author = {mhansbury@mitre.org and Daniel Haynes and Juan Gonzalez},
  title = {{OVAL and the SACM Information Model}},
  pagetotal = 26,
  year = 2016,
  month = sep,
  day = 7,
  abstract = {The OVAL community has spent more than ten years developing and employing the OVAL Language. During this time, the community has made a number of design decisions and learned a number of lessons that should be leveraged as the next-generation endpoint posture assessment standards are formulated. There are also a number of places where portions of the OVAL Language align with the SACM Information Model and could serve as a starting point for related work.
    Another output of the work executed under the OVAL project is a number of lessons that are applicable to the SACM work. These lessons include a clear separation of data collection and evaluation; a call to focus on ensuring both primary source vendors and third party security experts feel invited to the discussion and are empowered to leverage their unique domain knowledge; and to strive for simplicity and flexibility, where possible.
    In addition, the OVAL community has a set of clear recommendations with respect to which parts of OVAL should be used by SACM as a means to make best use of the efforts of those that have worked on and supported OVAL over the past ten years. Those recommendations are:
    o Use the OVAL System Characteristics Model to inform the development of a data model for representing endpoint posture attributes.
    o Use the OVAL Definitions Model to inform the development of data models for representing evaluation and collection guidance.
    o Do not use the OVAL Results Model to inform the development of a data model for representing evaluation results.
    Lastly, this document will discuss the OVAL submission, how it is expected to be used, and how it aligns with the SACM Vulnerability Assessment Scenario.},
}