Security Content Automation Protocol
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
Purpose
The Security Content Automation Protocol (SCAP), pronounced “S-Cap”, combines a number of open standards that are used to enumerate software flaws and configuration issues related to security. Tools built on these standards measure systems to find vulnerabilities and score those findings so that their possible impact can be evaluated. SCAP is a method for using those open standards for automated vulnerability management, measurement, and policy compliance evaluation. It defines how the following standards (referred to as SCAP 'Components') are combined:
SCAP Components
- Common Vulnerabilities and Exposures (CVE)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Vulnerability Scoring System (CVSS)
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
Starting with SCAP version 1.1
- Open Checklist Interactive Language (OCIL)
Starting with SCAP version 1.2
- Asset Identification
- Asset Reporting Format (ARF)
- Common Configuration Scoring System (CCSS)
- Trust Model for Security Automation Data (TMSAD)
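The following Python script is an added illustration, not part of the original article and not NIST or NVD content. It walks the kind of bundle these components form in practice: a constructed XCCDF 1.2 benchmark whose rules carry CCE identifiers, SP 800-53 control references (the linkage discussed under SCAP Checklists below) and references to OVAL definitions, a constructed OVAL results file such as a scanner would emit, and the OVAL-to-XCCDF result mapping. Every identifier in it (the xccdf_org.example_... ids, CCE-00000-n, oval:org.example:def:n, the CPE name, the demo-oval.xml href) is a placeholder, and using the SP 800-53 publication URL as the `reference` href is this example's own convention rather than anything SCAP mandates.

```python
"""Join a constructed XCCDF 1.2 benchmark to the OVAL results a scanner would
emit, reporting each rule's outcome with its CCE id and SP 800-53 controls.
All XML and identifiers below are constructed placeholders for this example."""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2",
      "o": "http://oval.mitre.org/XMLSchema/oval-results-5"}
OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"  # <check system=...>
CCE = "http://cce.mitre.org"                                    # <ident system=...>
SP80053 = "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"  # <reference href=...>

# Constructed benchmark: each Rule names its CCE id, the SP 800-53 control(s) it
# supports and the OVAL definition that does the check; the Profile selects rules.
XCCDF_BENCHMARK = f"""
<Benchmark xmlns="{NS['x']}" id="xccdf_org.example_benchmark_demo">
  <platform idref="cpe:/o:example:demo_os:1.0"/>
  <Profile id="xccdf_org.example_profile_baseline">
    <select idref="xccdf_org.example_rule_password_minlen" selected="true"/>
    <select idref="xccdf_org.example_rule_root_ssh_login" selected="true"/>
    <select idref="xccdf_org.example_rule_audit_enabled" selected="false"/>
  </Profile>
  <Rule id="xccdf_org.example_rule_password_minlen" severity="medium">
    <title>Minimum password length is at least 14 characters</title>
    <reference href="{SP80053}">IA-5</reference>
    <ident system="{CCE}">CCE-00000-1</ident>
    <check system="{OVAL_DEF}"><check-content-ref href="demo-oval.xml" name="oval:org.example:def:1"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_root_ssh_login" severity="high">
    <title>Direct root login over SSH is disabled</title>
    <reference href="{SP80053}">AC-6</reference>
    <reference href="{SP80053}">IA-2</reference>
    <ident system="{CCE}">CCE-00000-2</ident>
    <check system="{OVAL_DEF}"><check-content-ref href="demo-oval.xml" name="oval:org.example:def:2"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_audit_enabled" severity="medium">
    <check system="{OVAL_DEF}"><check-content-ref href="demo-oval.xml" name="oval:org.example:def:3"/></check>
  </Rule>
</Benchmark>"""

# Constructed OVAL results: the scanner's verdict per definition (def:3 was never run).
OVAL_RESULTS = f"""
<oval_results xmlns="{NS['o']}"><results><system><definitions>
  <definition definition_id="oval:org.example:def:1" version="1" result="true"/>
  <definition definition_id="oval:org.example:def:2" version="1" result="false"/>
</definitions></system></results></oval_results>"""

# OVAL definition result -> XCCDF rule result, as the XCCDF spec maps them.
OVAL_TO_XCCDF = {"true": "pass", "false": "fail", "unknown": "unknown", "error": "error",
                 "not evaluated": "notchecked", "not applicable": "notapplicable"}

def parse_benchmark(xml_text):
    """Return (platform CPE names, {profile id: selected rule ids}, {rule id: metadata})."""
    root = ET.fromstring(xml_text)
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    profiles = {p.get("id"): {s.get("idref") for s in p.findall("x:select", NS)
                              if s.get("selected") == "true"}
                for p in root.findall("x:Profile", NS)}  # simplification: selected only via <select>
    rules = {}
    for rule in root.findall(".//x:Rule", NS):  # .// also reaches Rules nested in Groups
        cce = [i.text for i in rule.findall("x:ident", NS) if i.get("system") == CCE]
        ref = next((c.find("x:check-content-ref", NS) for c in rule.findall("x:check", NS)
                    if c.get("system") == OVAL_DEF), None)
        rules[rule.get("id")] = {
            "cce": cce[0] if cce else None,
            "controls": [r.text for r in rule.findall("x:reference", NS) if r.get("href") == SP80053],
            "oval_def": ref.get("name") if ref is not None else None,
        }
    return platforms, profiles, rules

def parse_oval_results(xml_text):
    root = ET.fromstring(xml_text)
    return {d.get("definition_id"): d.get("result") for d in root.findall(".//o:definition", NS)}

def evaluate(benchmark_xml, oval_xml, profile_id):
    """One row per rule: unselected -> notselected, no OVAL result -> notchecked."""
    _, profiles, rules = parse_benchmark(benchmark_xml)
    oval = parse_oval_results(oval_xml)
    rows = []
    for rule_id, meta in rules.items():
        if rule_id not in profiles[profile_id]:
            result = "notselected"
        elif meta["oval_def"] not in oval:
            result = "notchecked"
        else:
            result = OVAL_TO_XCCDF.get(oval[meta["oval_def"]], "unknown")
        rows.append({"rule": rule_id, "result": result, "cce": meta["cce"], "controls": meta["controls"]})
    return rows

def failing_controls(rows):
    """Map each SP 800-53 control to the CCE ids of the rules that failed under it."""
    out = {}
    for row in (r for r in rows if r["result"] == "fail"):
        for ctl in row["controls"]:
            out.setdefault(ctl, []).append(row["cce"])
    return out

if __name__ == "__main__":
    for row in evaluate(XCCDF_BENCHMARK, OVAL_RESULTS, "xccdf_org.example_profile_baseline"):
        print(f"{row['result']:<12}{row['cce']}  {','.join(row['controls']):<10}{row['rule']}")
```

Running the script prints one line per rule. The join is the point: a false OVAL definition becomes a failing XCCDF rule, and that rule carries both a CCE identifier naming the configuration item and the SP 800-53 control(s) the setting supports, so a scanner's findings can be reported against the control framework without a hand-maintained mapping. Real content is much larger (Groups, Values, fix text, CPE applicability logic), and a conforming tool also honours the Rule element's own selected default, which this example simplifies by treating only the Profile's select elements as authoritative.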
SCAP Checklists
Security Content Automation Protocol (SCAP) checklists standardize and enable automation of the linkage between computer security configurations and the NIST Special Publication 800-53 (SP 800-53) controls framework. The current version of SCAP is meant to perform initial measurement and continuous monitoring of security settings and corresponding SP 800-53 controls. Future versions will likely standardize and enable automation for implementing and changing security settings of corresponding SP 800-53 controls. In this way, SCAP contributes to the implementation, assessment, and monitoring steps of the NIST Risk Management Framework. Accordingly, SCAP is an integral part of the NIST FISMA implementation project.
SCAP Validation Program
Security programs overseen by the National Institute of Standards and Technology (NIST) focus on working with government and industry to establish more secure systems and networks by developing, managing and promoting security assessment tools, techniques, services, and supporting programs for testing, evaluation and validation. They address such areas as: development and maintenance of security metrics, security evaluation criteria and evaluation methodologies, tests and test methods; security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research to address assurance methods and system-wide security and assessment methodologies; security protocol validation activities; and appropriate coordination with assessment-related activities of voluntary industry standards bodies and other assessment regimes.
Independent third-party testing assures the customer or user that the product meets the NIST specifications. The SCAP standards can be complex, and several configurations must be tested for each component and capability to ensure that the product meets the requirements. A third-party laboratory accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) provides assurance that the product has been thoroughly tested and has been found to meet all of the requirements. A vendor seeking validation of a product should contact an NVLAP-accredited SCAP validation laboratory for assistance in the validation process.
A customer who is subject to the requirements of the Federal Information Security Management Act of 2002 (FISMA), or who wants to use security products that have been tested and validated to the SCAP standard by an independent third-party laboratory, should visit the SCAP validated products web page to verify the status of the product(s) being considered.