Currently, automation for vulnerability management, compliance management, and related software is sparse and typically functional only within one vendor's product line. Due to competitive pressures, any commercial vendors attempting automation have done so in a very proprietary way, often lacking transparency and greatly hindering interoperability and repeatability. Lacking automation, security operations teams across the U.S. Federal government and in the private sector 1) have become overwhelmed by an increasing compliance workload and an increasing number of vulnerabilities and 2) are spending a considerable amount of resources trying to keep pace through both manual methods and point solutions (i.e., very specific, non-reusable mechanisms to connect proprietary solutions). Without leadership from a nonbiased entity, solutions to this problem have seen slow or limited functionality and adoption.
By standardizing communication by and between security and related software, NIST will significantly increase an organization's ability to share, aggregate, measure, and report security information. Efficiencies gained through interoperability, repeatability, and automation thereof will result in very significant cost savings for organizations utilizing this technology.