Security Content Automation Protocol

from Wikipedia, the free encyclopedia

The Security Content Automation Protocol (SCAP) is a method for using certain standards for automated vulnerability management, measurement and policy compliance evaluation (e.g. FISMA compliance). The National Vulnerability Database (NVD) is the US government's content repository for SCAP.

Purpose

The Security Content Automation Protocol (SCAP), pronounced "ess-kap", combines a number of open standards that are used to enumerate software flaws and security-related configuration issues. These standards measure systems to find vulnerabilities and offer methods for assessing their possible impact. SCAP is thus a method of using open standards for automated vulnerability management, measurement and policy compliance evaluation. SCAP defines how the following standards (referred to as SCAP components) are combined:

SCAP components

From SCAP version 1.1

From SCAP version 1.2

SCAP checklists

SCAP checklists standardize and automate the mapping of security controls, such as those in NIST Special Publication 800-53 (SP 800-53), to the configuration settings of systems. The current version of SCAP is intended to carry out the initial assessment and continuous monitoring of security settings and the security controls they correspond to. Future versions are likely to standardize the automated implementation and modification of the security settings that implement those controls as well. In this way, SCAP contributes to the implementation, assessment and monitoring steps of the NIST Risk Management Framework. Accordingly, SCAP is an integral part of the NIST FISMA project.
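As an added illustration, not taken from the article or from any official SCAP content, the following Python script shows the kind of control-to-configuration mapping a SCAP checklist makes possible: it reads a small, constructed XCCDF 1.2 result document in which each rule references an SP 800-53 control and aggregates the rule results per control, treating a control as unmet when any rule mapped to it fails. The XCCDF 1.2 namespace is the real one; the benchmark, rule ids and titles are invented for the example.

```python
# Added example (not from the article): aggregate XCCDF rule results per
# NIST SP 800-53 control. The benchmark below is a constructed sample.
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_lockout" selected="true">
    <title>Lock account after repeated failed logins</title>
    <reference href="https://doi.org/10.6028/NIST.SP.800-53r5">AC-7</reference>
  </Rule>
  <Rule id="xccdf_example_rule_auditd" selected="true">
    <title>auditd service is enabled</title>
    <reference href="https://doi.org/10.6028/NIST.SP.800-53r5">AU-12</reference>
  </Rule>
  <Rule id="xccdf_example_rule_priv_cmds" selected="true">
    <title>Privileged commands are audited</title>
    <reference href="https://doi.org/10.6028/NIST.SP.800-53r5">AU-12</reference>
  </Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_lockout"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_auditd"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_priv_cmds"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""

def summarise_by_control(xml_text):
    """Return {control: {"pass": n, "fail": n, "other": n}} for the TestResult."""
    root = ET.fromstring(xml_text)
    # Map each rule id to the SP 800-53 controls its <reference> elements name.
    rule_controls = {
        rule.get("id"): [ref.text.strip() for ref in rule.iterfind("x:reference", NS)]
        for rule in root.iterfind("x:Rule", NS)
    }
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "other": 0})
    for rr in root.iterfind("x:TestResult/x:rule-result", NS):
        result = rr.findtext("x:result", default="", namespaces=NS).strip()
        # XCCDF also allows notapplicable, notchecked, error, unknown, ...
        bucket = result if result in ("pass", "fail") else "other"
        for control in rule_controls.get(rr.get("idref"), []):
            summary[control][bucket] += 1
    return dict(summary)

def failing_controls(summary):
    """A control is unmet if any rule mapped to it failed."""
    return sorted(c for c, n in summary.items() if n["fail"] > 0)
```

Run on the sample, AC-7 is fully met while AU-12 is reported as failing because one of its two rules failed, which is how a checklist result rolls up to the control level.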

SCAP Validation Program

Security programs overseen by NIST focus on working with government and industry to establish secure systems and networks. To this end, NIST promotes security assessment tools and techniques, services, and support for testing, evaluation and validation programs. The following areas are addressed:

  • Development and maintenance of metrics
  • Evaluation criteria and evaluation methods for IT security
  • Tests and test procedures
  • Criteria for the accreditation of test laboratories
  • Guidelines for the use of tested and evaluated products
  • Research on assurance methods and system-wide security and assessment methods
  • Validation of security protocols
  • Coordination with standardization bodies and industry organizations on assessment methods

Independent test laboratories assure the user that a product complies with the NIST specifications. The SCAP standards can be very complex, and multiple configurations must be tested for each component and function to ensure that the product meets the requirements. Laboratories accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) ensure that products have been thoroughly tested and meet the requirements.

A customer who is subject to the requirements of FISMA, or who wants to use products that an independent laboratory has tested and validated against the SCAP standard, should check the product's status on the SCAP-validated products website.
