SCAP Frequently Asked Questions

In our last discussion, we set out the goal of automated provisioning and continuous monitoring for Network Security Management. The National Institute of Standards and Technology (NIST) has spearheaded Security Content Automation Protocol (SCAP) efforts for the last ten years. NIST, an agency of the U.S. Department of Commerce, was founded in 1901 as the nation's first federal physical science research laboratory. In essence, SCAP is a NIST-sponsored effort covering both pieces (automated provisioning and continuous monitoring). As a refresher: SCAP, pronounced “S-Cap”, combines a number of open standards that are used to enumerate software flaws and security-related configuration issues, to measure systems for those flaws and misconfigurations, and to score the findings so that their likely impact can be evaluated. It is a method for using those open standards for automated vulnerability management, measurement and policy compliance evaluation, and it was the next logical step in the evolution of compliance automation tools for Federal Agencies. SCAP defines how a set of standards (referred to as SCAP 'components' and listed below) are combined, so that results can be easily shared for Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB), Department of Homeland Security (DHS) and other reporting. Let’s take a deeper dive into SCAP in a two-part “Frequently Asked Questions” format.

Part 1

Q: What is the Security Content Automation Protocol in a nutshell? A: SCAP is a method for using the open standards for automated vulnerability management, measurement and policy compliance evaluation. SCAP defines how the following standards are combined:
  • Common Vulnerabilities and Exposures (CVE®)
  • Common Configuration Enumeration (CCE™)
  • Common Platform Enumeration (CPE™)
  • Common Vulnerability Scoring System (CVSS)
  • Extensible Configuration Checklist Description Format (XCCDF)
  • Open Vulnerability and Assessment Language (OVAL™)
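
To make the combination concrete, here is an added example (written for this page; it is not NIST's code, not an SCAP-validated tool, and not part of the original article) that walks one checklist rule through the components above: a constructed XCCDF rule carries a CCE identifier and a CPE platform and points at an OVAL definition by id; the OVAL definition is evaluated against constructed file contents standing in for a host; and a constructed NVD-style record maps a CVE to the affected CPE name with its CVSS base score. Every identifier (CCE-0000-0, CVE-0000-0001, cpe:/o:example:linux:1, the oval:example:* ids) and all file contents are placeholders, and the XML is trimmed to the handful of elements the script reads; real XCCDF and OVAL documents carry far more structure.

```python
# Added example: one checklist rule evaluated through XCCDF -> OVAL, tagged with
# CCE and CPE, then cross-referenced with CVE/CVSS mapping data. All content
# below is constructed and simplified; none of it is official SCAP content.
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"


def q(ns, tag):
    """Qualify a tag name with its namespace the way ElementTree expects."""
    return f"{{{ns}}}{tag}"


# Constructed XCCDF benchmark: one rule, tagged with a placeholder CCE id and a
# placeholder CPE platform, whose check is an OVAL definition referenced by id.
XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sshd">
  <platform idref="cpe:/o:example:linux:1"/>
  <Rule id="xccdf_example_rule_sshd_no_root_login" severity="high">
    <title>Disable SSH root login</title>
    <ident system="http://cce.mitre.org">CCE-0000-0</ident>
    <check system="{OVAL_NS}">
      <check-content-ref href="oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
</Benchmark>"""

# Constructed OVAL content, cut down to one textfilecontent54 test: match a
# pattern in a file, take one match instance, compare its subexpression
# against the expected state.
OVAL = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" class="compliance">
      <criteria><criterion test_ref="oval:example:tst:1"/></criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test id="oval:example:tst:1">
      <object object_ref="oval:example:obj:1"/><state state_ref="oval:example:ste:1"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object id="oval:example:obj:1">
      <filepath>/etc/ssh/sshd_config</filepath>
      <pattern operation="pattern match">^\s*PermitRootLogin\s+(\S+)</pattern>
      <instance datatype="int">1</instance>
    </textfilecontent54_object>
  </objects>
  <states>
    <textfilecontent54_state id="oval:example:ste:1"><subexpression>no</subexpression></textfilecontent54_state>
  </states>
</oval_definitions>"""

# Constructed file contents standing in for the host being measured.
FILES = {"/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\n"}

# Constructed NVD-style mapping records: CVE id -> affected CPE names -> CVSS base score.
NVD_RECORDS = [
    {"cve": "CVE-0000-0001", "cvss_base": 7.5, "cpes": ["cpe:/o:example:linux:1"]},
    {"cve": "CVE-0000-0002", "cvss_base": 4.3, "cpes": ["cpe:/a:example:webapp:2"]},
]


def evaluate_oval_definition(oval_root, def_id, files):
    """True only if every criterion of the definition is satisfied by `files`."""
    def by_id(tag):
        return {e.get("id"): e for e in oval_root.iter(q(OVAL_NS, tag))}
    tests, objects, states = (by_id("textfilecontent54_" + t) for t in ("test", "object", "state"))
    for criterion in by_id("definition")[def_id].iter(q(OVAL_NS, "criterion")):
        test = tests[criterion.get("test_ref")]
        obj = objects[test.find(q(OVAL_NS, "object")).get("object_ref")]
        state = states[test.find(q(OVAL_NS, "state")).get("state_ref")]
        content = files.get(obj.find(q(OVAL_NS, "filepath")).text)
        if content is None:
            return False  # object was not collected: the test cannot be true
        matches = re.findall(obj.find(q(OVAL_NS, "pattern")).text, content, re.MULTILINE)
        instance = int(obj.find(q(OVAL_NS, "instance")).text)
        if len(matches) < instance:
            return False  # the requested match instance does not exist (e.g. directive absent or commented out)
        if matches[instance - 1] != state.find(q(OVAL_NS, "subexpression")).text:
            return False
    return True


def evaluate_benchmark(xccdf_root, oval_root, files):
    """Map each XCCDF rule id to (CCE id, 'pass' | 'fail') by running its OVAL check."""
    results = {}
    for rule in xccdf_root.iter(q(XCCDF_NS, "Rule")):
        cce = rule.find(q(XCCDF_NS, "ident")).text
        ref = rule.find(q(XCCDF_NS, "check") + "/" + q(XCCDF_NS, "check-content-ref"))
        passed = evaluate_oval_definition(oval_root, ref.get("name"), files)
        results[rule.get("id")] = (cce, "pass" if passed else "fail")
    return results


def flaws_for_platform(xccdf_root, records):
    """Use the CVE -> CPE -> CVSS mappings to list flaws that hit the benchmark's platform."""
    cpes = {p.get("idref") for p in xccdf_root.iter(q(XCCDF_NS, "platform"))}
    return [(r["cve"], r["cvss_base"]) for r in records if cpes.intersection(r["cpes"])]


def run(files=FILES):
    """Evaluate the constructed benchmark against `files`; returns (rule results, platform flaws)."""
    xccdf_root, oval_root = ET.fromstring(XCCDF), ET.fromstring(OVAL)
    return evaluate_benchmark(xccdf_root, oval_root, files), flaws_for_platform(xccdf_root, NVD_RECORDS)


if __name__ == "__main__":
    rule_results, flaws = run()
    for rule_id, (cce, result) in rule_results.items():
        print(f"{rule_id} [{cce}]: {result}")
    for cve, score in flaws:
        print(f"{cve} affects the benchmark platform (CVSS base score {score})")
```

Against the constructed sshd_config the rule fails, because the first `PermitRootLogin` line says `yes`; change it to `no` and it passes. Note the anchored pattern: a commented-out `#PermitRootLogin no` yields no match instance, so the rule fails rather than silently passing on a commented default, which is the behaviour you want from a compliance check. The XCCDF result is reported against the rule's CCE id, and the platform's CPE name is what ties the same benchmark to the CVE and CVSS data, which is exactly the linkage the NVD mappings provide for real content.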
Q: What is SCAP content? A: SCAP content consists of:
  • security checklist data
  • enumerations of vulnerabilities, configuration issues and product names
  • mappings between the enumerations
Security checklist data is written in machine-readable languages (XCCDF and OVAL). SCAP checklists have been submitted to, and accepted by, the NIST National Checklist Program. They also conform to an SCAP template and style guide to ensure compatibility with SCAP products and services. The SCAP enumerations are a list of all known security-related software flaws (CVE), a list of known software configuration issues (CCE) and a list of standard vendor and product names (CPE). The SCAP mappings link the enumerations to each other and provide standards-based impact measurements for software flaws and configuration issues. The National Vulnerability Database (NVD) provides the official SCAP mappings. The mappings allow the affected standard product names and the standard impact score for any given software flaw to be determined.

Q: How does an Agency obtain SCAP content? A: The U.S. government data repository for SCAP content is the National Vulnerability Database (NVD). NVD contains data feeds for each standard that can be used, license free, by the security community. SCAP content repositories for security checklists may also become available directly from software vendors or checklist organizations; in such cases, NVD will provide links to the non-NVD SCAP resources.

Q: How can an Agency get a copy of the standards? A: The main SCAP specification is published by NIST. The six underlying component standards are published by their respective maintainers: MITRE for CVE, CCE, CPE and OVAL, FIRST for CVSS, and NIST for XCCDF.

Q: Who authors SCAP checklists and test procedures? A: SCAP checklists and test procedures are authored, tested and approved according to the National Checklist Program. More specifically, they can be authored by almost any entity, including vendors of the actual products, and are then processed through the eight-step NIST Special Publication 800-70 IT Product Checklist Lifecycle, after which they become officially acknowledged and published. All SCAP checklists are either published within, or referenced by, the National Vulnerability Database (NVD) web site, and they conform to the SCAP XCCDF style guide and template.

Q: How does SCAP help with FISMA compliance and with compliance with other mandates? A: SCAP checklists standardize, and enable automation of, the linkage between computer security configurations and the NIST Special Publication 800-53 Revision 1 (SP 800-53 Rev1) controls framework. The current version of SCAP is meant to perform initial measurement and continuous monitoring of security settings and the corresponding SP 800-53 Rev1 controls. Future versions will likely standardize and enable automation for implementing and changing the security settings behind those controls. In this way, SCAP contributes to the implementation, assessment and monitoring steps of the NIST Risk Management Framework, and accordingly it is an integral part of the NIST FISMA implementation project.

Check in next month for part two of the SCAP FAQs, where we will cover validation, independent testing and more!