NOTE: A similar information security community effort is under active development at the U.S. Institute of Standards and Technology (NIST).

Visit http://scap.nist.gov/emerging-specs/listing.html for additional information.

Feedback Requested

We encourage members of the information security community to participate by offering feedback on the current draft of the PLARR Specification.

Private feedback on PLARR may be sent to plarr@mitre.org, while general discussion on PLARR or enterprise security automation may be sent to the ARF mailing list at arf-discussion-list@mitre.org

Downloads

PLARR Whitepaper (PDF, 84 KB)

PLARR Schemas and Documentation (PDF, 73 KB)


The Policy Language for Assessment Results Reporting (PLARR™) is an open specification that provides a structured language for requesting IT asset assessment results from an assessment tool, asset database, or other tool that can produce security assessment results. It is intended to be used by tools that request detailed configuration data about IT assets, especially products that leverage specifications contained in the National Institute for Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

PLARR is the request language specification in a suite of specifications that enables the reporting of assessments of IT assets in an enterprise environment, known collectively as security automation interfaces. Assessment Results Format (ARF) is the per-device assessment results format and Assessment Summary Results (ASR) is the multi-device assessment results format in the suite. The security automation interfaces specifications describe an end-to-end process for delivering assessment content to data stores, requesting assessments against that content, reporting on the results of those assessments, and aggregating assessment results to an enterprise level.

PLARR is being developed for MITRE’s sponsors with the intent of submitting it for adoption, alongside ARF, to NIST as a full SCAP specification. Together, ARF, ASR, and PLARR will facilitate the automated exchange of assessment results among enterprise systems by providing a common set of languages for SCAP-compliant assessment producers and consumers.