Security Content Automation Protocol

The Security Content Automation Protocol (SCAP) is a method for using specific open standards for automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government's content repository for SCAP.

Purpose

The Security Content Automation Protocol (SCAP, pronounced "ess-kap") combines a number of open standards that are used to enumerate software flaws and security-related configuration issues, to measure systems in order to find vulnerabilities, and to provide methods for scoring the potential impact of the findings. It is a method of using open standards for automated vulnerability management, measurement and policy compliance evaluation. SCAP is defined as the combination of the following standards (called SCAP components):

SCAP components

  • Common Vulnerabilities and Exposures (CVE)
  • Common Configuration Enumeration (CCE)
  • Common Platform Enumeration (CPE)
  • Common Vulnerability Scoring System (CVSS)
  • Extensible Configuration Checklist Description Format (XCCDF)
  • Open Vulnerability and Assessment Language (OVAL)

Starting with SCAP version 1.1

  • Open Checklist Interactive Language (OCIL) Version 2.0

Starting with SCAP version 1.2

  • Asset Identification
  • Asset Reporting Format (ARF)
  • Common Configuration Scoring System (CCSS)
  • Trust Model for Security Automation Data (TMSAD)

SCAP checklists

SCAP checklists standardize and automate the mapping of security controls, such as those of NIST Special Publication 800-53 (SP 800-53), onto the configuration settings of systems. The current version of SCAP is intended for the initial assessment and continuous monitoring of security settings and of the controls that correspond to them. Future versions will likely also standardize the automated implementation and modification of those security settings. In this way SCAP supports the implementation, assessment and monitoring steps of the NIST Risk Management Framework, and is accordingly an integral part of the NIST FISMA implementation project.
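The following is an added example, not code from the original article or from NIST, that shows how the components listed above fit together to produce the control mapping just described: an XCCDF 1.2 benchmark carries Rules whose <reference> elements name SP 800-53 controls and whose <check> elements point at OVAL definitions, and a TestResult records the per-rule outcome of a scan. The script parses a constructed XCCDF fragment (the rule identifiers, titles, OVAL definition name and results are made up for the example) and reports the worst result seen for each referenced control, which is the kind of roll-up a compliance tool performs when it presents scan results per control rather than per rule.

```python
"""Roll XCCDF 1.2 rule results up to NIST SP 800-53 controls.

Added example for illustration only. It uses the XCCDF 1.2 namespace and the
standard <Rule>/<reference>/<TestResult>/<rule-result> elements; all rule ids,
titles and results below are constructed sample data.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# href conventionally used for SP 800-53 references in SCAP content; only the
# control identifier in the element text matters for the mapping.
SP800_53_HREF = (
    "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
)

# XCCDF result values, worst first. A control inherits the worst result of any
# rule that references it.
RESULT_RANK = ["fail", "error", "unknown", "notchecked", "notselected",
               "informational", "notapplicable", "fixed", "pass"]

# Constructed sample benchmark: three rules and one TestResult from a scan.
SAMPLE_XCCDF = f"""
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_sshd_root_login" severity="high">
    <title>Disable SSH root login</title>
    <reference href="{SP800_53_HREF}">AC-6</reference>
    <reference href="{SP800_53_HREF}">IA-2</reference>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_example_rule_password_minlen" severity="medium">
    <title>Set password minimum length</title>
    <reference href="{SP800_53_HREF}">IA-5</reference>
  </Rule>
  <Rule id="xccdf_example_rule_audit_enabled" severity="medium">
    <title>Enable auditd</title>
    <reference href="{SP800_53_HREF}">AU-12</reference>
    <reference href="{SP800_53_HREF}">AC-6</reference>
  </Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_sshd_root_login"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_minlen"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def rule_controls(root):
    """Map each Rule id to the set of SP 800-53 control ids it references."""
    mapping = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        controls = {
            ref.text.strip()
            for ref in rule.findall("x:reference", NS)
            if ref.get("href") == SP800_53_HREF and ref.text
        }
        mapping[rule.get("id")] = controls
    return mapping


def rule_results(root, testresult_id=None):
    """Map rule id -> result string from the first (or the named) TestResult."""
    for tr in root.findall("x:TestResult", NS):
        if testresult_id is None or tr.get("id") == testresult_id:
            return {
                rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS)
                for rr in tr.findall("x:rule-result", NS)
            }
    raise ValueError("no matching TestResult in document")


def control_status(xccdf_xml):
    """Return {control: (worst_result, [rule ids])} for every referenced control."""
    root = ET.fromstring(xccdf_xml)
    results = rule_results(root)
    status = {}
    for rule_id, controls in rule_controls(root).items():
        # A rule with no rule-result was never evaluated by the scanner.
        result = results.get(rule_id, "notchecked")
        if result not in RESULT_RANK:
            result = "unknown"  # tolerate a result value we do not recognise
        for control in controls:
            worst, rules = status.get(control, ("pass", []))
            if RESULT_RANK.index(result) < RESULT_RANK.index(worst):
                worst = result
            status[control] = (worst, rules + [rule_id])
    return status


def failing_controls(status):
    """Controls whose worst result indicates non-compliance or a scan error."""
    return sorted(c for c, (worst, _) in status.items() if worst in ("fail", "error"))


if __name__ == "__main__":
    status = control_status(SAMPLE_XCCDF)
    for control in sorted(status):
        worst, rules = status[control]
        print(f"{control:6} {worst:14} {', '.join(rules)}")
    print("failing:", failing_controls(status))
```

On the sample data AC-6 is referenced by a passing rule and a not-applicable one, so it rolls up to "notapplicable" rather than "pass"; a real tool would normally only count "pass" and "fixed" as satisfying the control and treat everything else as open.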

SCAP Validation Program

The security programs overseen by NIST focus on cooperation with government and industry to deliver secure systems and networks, by promoting security assessment tools, techniques, services and supporting programs for testing, evaluation and validation. The following areas are addressed:

  • Development and maintenance of metrics
  • Evaluation criteria and evaluation methods for IT security
  • Tests and test methods
  • Criteria for the accreditation of verifiers
  • Guidelines for the use of the products tested
  • Research on quality assurance and system-wide security policies
  • Verification of security protocols
  • Coordination with standardization bodies and industry organizations in assessment methods

Independent testing laboratories assure the user that a product conforms to the NIST specifications. The SCAP standards can be very complex, and several configurations must be tested for each component and function to ensure that a product meets the requirements. Testing laboratories accredited through the National Voluntary Laboratory Accreditation Program (NVLAP) provide the assurance that products have been thoroughly tested and meet the requirements.

A customer who is subject to FISMA requirements, or who wants to use products that an independent laboratory has tested and validated against the SCAP standard, should consult the list of SCAP-validated products on the NIST website to check a product's validation status.
