OVAL Board Member Roles, Tasks, Qualifications, and Authority

Roles for OVAL Board Members

The OVAL Board consists of both "Active" and "Emeritus" members, from a variety of organizations across the community, who are responsible for providing input to the OVAL Moderator regarding the strategic direction of OVAL.

Active OVAL Board Members

Active members are directly engaged with the community and are expected to participate in a variety of technical, liaison, and advocate tasks that provide direction to the effort and increase awareness and adoption throughout the community. Active members are also expected to vote on various issues that influence the strategic direction of OVAL.

Minimum Expectations for Active OVAL Board Members

Active OVAL Board members must meet the minimum levels of effort consistent with the tasks that they undertake.

All active members are expected to commit a minimum of 2 hours per month to maintain high-level awareness of ongoing OVAL and OVAL Board activities. There may be additional requirements depending on additional tasks that the OVAL Board member takes on.

Participation should be consistent with respect to the specific task. Allowances can be made for extenuating circumstances that temporarily prevent a member from meeting the minimum level of participation. Furthermore, if an OVAL Board member cannot make a meeting, they can designate a proxy to sit in for them if they wish.

General Active Member Tasks

All members are expected to perform the following tasks:

  1. Consultation: This includes participating in OVAL Board meetings, discussion of ad-hoc issues related to OVAL, OVAL Board processes such as release activities (planning, review, and approval), OVAL Board membership, and how to improve OVAL adoption.
  2. Awareness: This includes reading posts on the OVAL mailing lists, OVAL Board meeting minutes, OVAL Developer Days minutes, and OVAL-related news items.
  3. Voting: This includes casting a vote on all issues outlined in the Authority of OVAL Board Members section as well as any other issues where a vote is deemed necessary to make a decision.
  4. Outreach: This includes actively promoting OVAL and educating the public about OVAL as well as introducing various contacts to MITRE within the OVAL context.

Specific Active Member Tasks

In addition to the general tasks above, OVAL Board members are expected to participate in one or more of the following tasks.

Technical Tasks

  • Review and comment on changes to the OVAL Language as necessary and identify areas for improvement as well as emerging areas.
  • Review and comment on community contributed content, in the OVAL Repository, as necessary and identify issues, improvements, and best practices as well as share lessons learned from content development experiences.
  • Share lessons learned from the development of OVAL-capable tools to identify problem areas, best practices, and opportunities to improve interoperability.

Liaison Tasks

  • Educate the liaison's own community about OVAL, where appropriate.
  • Educate the OVAL Board about the needs and interests for OVAL of the liaison's community, where appropriate.
  • Participate regularly in ad hoc consultation tasks, if the liaison previously agreed to perform those tasks.

Advocate Tasks

  • Endorse OVAL to constituencies that will benefit from it.
  • Foster better communication between constituencies.
  • Look for new opportunities to advocate for OVAL within new and existing communities and promote the adoption of OVAL.

Expected Level of Effort for Active Board Members

The amount of effort for these tasks may vary widely. Each task may require 1 to 10 hours, or more. Such tasks may occur approximately once every 2 months.

Qualifications for Active OVAL Board Members

  1. Members should have significant, proven experience as a security professional. Exceptions may be made for members who have made noteworthy contributions to the security community.
  2. Members should be experts in the use or development of one or more of the following technical areas:
    • vulnerability assessment and related tools
    • incident response or forensics
    • security policy and configuration management
    • continuous monitoring
    • security automation standards and tool development
    • related areas
  3. Members should have strong knowledge about computer security issues in most of the following areas:

    • knowledge of application, system, and network vulnerabilities
    • knowledge of network and system configuration
    • security models in operating systems, protocols, applications, etc.
    • vulnerability information sources (e.g., advisories, mailing lists, etc.)
    • sources of secure configuration guidance (e.g., vendor security guidance, CIS Benchmarks, DISA STIGs, etc.)
    • extensive "real-world," operational experience in one or more of the areas described in (1)

    The member's knowledge may be broad (e.g., general knowledge of configuring various types of OSes) or deep (e.g., domain expert for a single OS).

  4. Members should be able to effectively identify and communicate technical issues that relate to OVAL and their particular area of expertise.
  5. Members should have a demonstrated commitment to sharing information to enhance research or education, or to improving overall enterprise security (e.g., by active participation in conferences or other forums).
  6. Members must be able to effectively communicate with all other relevant parts of their organization or constituency.
  7. Members should be recognized leaders in the security community, as approved by members of the Board.

Emeritus OVAL Board Members

Emeritus members were formerly active and influential in OVAL. As a result of significant contributions, they maintain an honorary position on the OVAL Board. Emeritus members are free to participate in the same technical, liaison, and advocate tasks as active members as they see fit. However, emeritus members are not permitted to participate in tasks that exercise the decisional authority granted to the OVAL Board, but they are free to share their thoughts and opinions when the OVAL Board is deciding on some matter.

Emeritus Member Tasks

Emeritus members may participate at their discretion in technical, liaison, or advisory tasks. This role recognizes the significant past contributions of a member to OVAL and allows them to provide valuable feedback in an ad-hoc manner although they may no longer serve in a position that warrants a direct role on the board. Since emeritus members are not required to participate in OVAL Board activities, they are not permitted to participate in tasks that exercise the decisional authority granted to the OVAL Board. However, they are encouraged to share their thoughts and opinions on matters that are being decided.

Expected Level of Effort for Emeritus Members

Emeritus members are not expected to participate regularly in OVAL, but they can participate as they see fit.

Qualifications for Emeritus Members

  • Emeritus members must have made significant contributions to OVAL as determined by the OVAL Moderator.

Recognition of Emeritus and Other Former Members

A person who has left the OVAL Board is recognized in one of the following ways:

  1. If the person has qualified for Emeritus status, then the member is identified as Emeritus.
  2. If the person did not qualify for Emeritus status but made clear contributions to OVAL as determined by the OVAL Moderator, then the member is identified as a former contributing member.
  3. The OVAL Board is responsible for voting on any other matters deemed necessary by the OVAL Moderator or OVAL Board members.

Authority of OVAL Board

The following roles are delegated to the OVAL Board as the advisory body responsible for the strategic direction of OVAL.

  1. The OVAL Board is responsible for determining the requirements for a new release (goals and timeline).
  2. The OVAL Board is responsible for approving a new release to become official.
  3. The OVAL Board is responsible for approving new OVAL Board members.
  4. The OVAL Board is responsible for voting on any other matters deemed necessary by the OVAL Moderator or OVAL Board members.

Roles for MITRE

The following roles are unique to MITRE as the OVAL Moderator.

  1. The OVAL Moderator is responsible for creating, publishing, and maintaining revisions of the OVAL Language.
  2. The OVAL Moderator is responsible for OVAL Board structure, recruitment, and activities.
  3. The OVAL Moderator is responsible for moderating the public mailing lists.
  4. The OVAL Moderator is responsible for promoting the growth and adoption of OVAL.
  5. The OVAL Moderator is responsible for one or more strategic tasks such as community outreach, web sites, OVAL Repository content, OVAL Interpreter development, future planning, and related work.

Authority of MITRE

The MITRE Corporation is a not-for-profit organization chartered to work in the public interest. The Office of Cybersecurity and Communications at the U.S. Department of Homeland Security has entrusted MITRE, in its role as the OVAL Moderator, to act as an independent third party balancing government and industry needs to develop OVAL.
