
The support site for the Unified Compliance Framework


UCF_AD_List Use Cases

There are at least five basic use cases for the UCF_AD_List in either XML or Excel format. As we think of more, we'll list them here. Or if you, in reading this, think of more, then e-mail us at UCF_AD_List@unifiedcompliance.com.

Naming standardization

The first and foremost use for the UCF_AD_List is to standardize the way the names of all authority documents are tracked. When most of us look at an authority document, we see the cover, and maybe fully read the title and publication date. From there, however, most of us begin calling the document something much easier to remember than its official title. For instance, NIST 800-53 Recommended Security Controls for Federal Information Systems is generally known by its NIST number, "NIST 800-53", and is not referred to by its full title. Within the UCF we take both naming conventions into account. Our naming scheme has two name fields: one for the official published name and one for the common use version.

Historical catalog of authority documents

Because the Unified Compliance Framework™ team is cataloging, and will continue to catalog, each authority document we come across, the UCF_AD_List will act as a repository reference to all authority documents known to us. And because each authority document is assigned a unique and persistent ID, the reference to the authority document will always be available whether or not the document has been redacted, updated, etc.

Taxonomic ontology

A taxonomy is more or less a hierarchical relationship of words, categories, and concepts. Before we delve any further into this definition, let's talk for a second about what we do naturally. It is in our nature to classify what we encounter, if only to help make sense of our surroundings. We look at a chair and think "wooden chair", or "comfortable chair", both of which are subordinate terms to the category of "chair". We all categorize that which we encounter.

Within the UCF_AD_List, we have created a hierarchical order of authority documents that tracks their genealogy from either the point of view of the issuer (which can be either the publisher, or the promulgator for laws and regulations) or the standard UCF™ view. Therefore, each authority document will be hierarchically ordered by its category, issuer, the document itself, and then its versions and supplements.

Cross referencing authority documents with CPE names

MITRE maintains a full specification, language, and dictionary of Common Platform Enumeration (CPE™) elements useful for naming IT platforms subject to vulnerability and configuration guidance, patching and remediation, asset management, and other security-related tasks. We are fortunate enough to be able to work with this group and leverage their work on CPE™ and other related compliance XML data.

When an issuer releases an authority document that specifically addresses configuration or other information regarding IT platforms, we will create and maintain a cross-reference between the authority document's entry in the UCF_AD_List and the pertinent CPE™ product name that the document references. Our intention in doing so is to make it much simpler to relate compliance information to product information.

Organizational awareness

Last, and surely the most important, use case for the UCF_AD_List is that it presents a list of authority documents that organizations should at least be aware of if they are to be compliant. There isn't a country on this planet that allows the defense of "you can't find me guilty because I didn't know about the rule because I never read the authority document in question." And because ignorance is not bliss in this case, being aware of the various authority documents is where compliance begins. Organizations can use this list, with its direct link to each document, as a kick-off point to understand which documents are there and how to get them for further examination.
