Key Concepts of the OVAL Adoption Program

Introduction

The OVAL Adoption Program provides a channel to both educate organizations about OVAL and receive constructive technical feedback to evolve the OVAL Language. The OVAL Adoption Program was established to (a) educate vendors on best practices regarding the use and implementation of OVAL, (b) provide vendors with an opportunity to make formal self-assertions about how their products utilize OVAL, and (c) allow MITRE to gain deeper insights into how OVAL is, or could be, utilized so that OVAL can evolve in a way most useful to the community.

This document defines terms used in the program, provides an overview of the typical flow through the program for a participating organization, and provides an overview of the role and responsibility of the OVAL Moderator in the OVAL Adoption Program.

Back to top

Program Terminology

The following is a list of key concepts of the OVAL Adoption program:

Moderator

The organization that moderates the OVAL Community guidance process for OVAL and has editorial oversight of the OVAL Language schemas and OVAL Repository. Currently, the MITRE Corporation is the OVAL Moderator.

Declaration

In the first phase of the OVAL Adoption Program an organization publicly registers their intent to support and incorporate OVAL in their product or service. A Declaration does not involve any formalized testing of products, nor any detailed, structured self-assertions regarding implementation. In no way does a Declaration imply that the OVAL Language has been implemented yet, nor that it has been implemented correctly. Information from a completed Declaration is used in the initial posting of a product on the OVAL Web site.

Questionnaire

In the third phase of the OVAL Adoption Program an organization submits detailed answers to a structured Questionnaire that describes how their product implements and uses OVAL. A Questionnaire does not involve any formal product testing. Completed Questionnaires are posted on the OVAL Web site.

Technical Use Case

A Technical Use Case defines an intended best practice usage of the OVAL Language. Technical Use Cases are defined and documented by the Moderator based on the input and guidance of the OVAL Community. Technical Use Cases are expected to evolve as the OVAL Language matures based on the input and guidance of the OVAL Community.

Capability

The OVAL Adoption Program is based on several different OVAL Capabilities, each targeting a different usage of the OVAL Language. These capabilities enable members of the OVAL Community to easily understand how a given product is using the OVAL Language and how it might suit their needs and help vendors understand the ways in which a product or service might utilize OVAL. Capability definitions are derived from Technical Use Cases, where applicable and appropriate, as documented by the OVAL Adoption Program.

Requirement

Each Capability is defined by a collection of Requirements. A Requirement represents a granular item that defines a piece of functionality or information that must be present. Requirement definitions will be derived from Technical Use Cases, where applicable and appropriate, as documented by the OVAL Adoption Program.

Back to top

Flow from an Adopting Organization’s Perspective

This section describes the typical flow through the OVAL Adoption Program for an organization that is working to implement support for OVAL.

The process begins with the adopting organization requesting a Declaration of Intent to support OVAL. Once the Declaration of Intent is complete, it is submitted to the OVAL Moderator and posted on the OVAL Web site. Next, the adopting organization completes its implementation of the declared OVAL Capabilities. Once the implementation has been completed, the adopting organization requests a Questionnaire. Once the Questionnaire is completed, the adopting organization submits it to the OVAL Moderator for review. The reviewed Questionnaire is then posted on the OVAL Web site.

The posting of the Questionnaire marks an organization’s completion in the OVAL Adoption Program. Their product or service is now listed as an "Official OVAL Adopter" on the OVAL Adoption Program Participants page on the OVAL Web site.

Back to top

OVAL Moderator Responsibilities

The OVAL Moderator’s role in the process is largely focused on the advancement of OVAL based on feedback from the community while providing technical support to organizations that are considering the adoption of OVAL. The OVAL Moderator’s responsibilities include:

  • Educate organizations about the OVAL Adoption Program
  • Define intended Technical Use Cases for the OVAL Language
    • Define Technical Use Cases through collaboration with the OVAL Community
    • Publish Technical Use Cases on the OVAL Web site
    • Evolve Technical Use Cases in light of new developments
  • Provide technical support related to the adoption of OVAL
    • Help organizations understand and properly implement OVAL
    • Answer questions related to incorporating OVAL and how OVAL relates to the organization’s product
    • Create tutorials about how OVAL works
  • Encourage organizations to participate in the OVAL Adoption Program
    • Promote and advertise the OVAL Adoption Program through:
      • Conversations
      • Discussion lists
      • Booth interactions
      • Face-to-face meetings
      • Web site material
    • Seek out new organizations that would benefit from implementing OVAL Capabilities
    • Educate organizations about the OVAL Adoption Program and its benefits
  • Manage Declarations of Intent to use OVAL
    • Develop a Declaration of Intent form
    • Distribute form to interested organizations
    • Collect completed forms
    • Follow up with declared products to ensure successful adoption
    • Publish Declarations on Web site
  • Provide implementation support
    • Work with organizations as they implement OVAL Capabilities
    • Answer questions about possible design decisions
  • Administer Questionnaires
    • Develop Questionnaires
    • Distribute Questionnaires to interested organizations
    • Collect, review, and provide feedback on completed Questionnaires
    • Post final Questionnaires on the OVAL Web site

Conclusion

Comments and questions are welcome. Please email oval@mitre.org for assistance, or see the OVAL Adoption Program Process to review the four phases of the adoption program and to Make a Declaration.

Back to top

Page Last Updated: May 13, 2014