SCAP Frequently Asked Questions

Last month, we began addressing some frequently asked Security Content Automation Protocol (SCAP) questions. Now that we have clarified what SCAP is, what it consists of, and how it helps with compliance issues, let’s look at FAQs about how validation and independent testing factor in.

What is validation?
The SCAP Program is responsible for maintaining established standards and ensuring that validated products comply. Validation is achieved through proving that the testing performed by the laboratory has been carried out correctly.

Who does independent testing?
Test results for validation are accepted from laboratories that are accredited by the National Voluntary Laboratory Accreditation Program (NVLAP). This accreditation is earned after full review of the laboratories’ Quality Management System (QMS) and passing of the technical proficiency tests.

Who needs to validate their products under SCAP?
Validation is required for vendors of security configuration management, vulnerability testing, and other security auditing tools who wish to sell products in the U.S. Government market under the Federal Information Security Management Act (FISMA) requirements or to commercial customers who have adopted the standard’s requirements.

Why do vendors need independent testing?
Independent, third-party testing assures the agency that the product meets the NIST specifications. The SCAP standards can be complex and several configurations must be tested for each component and capability to ensure that the product meets the requirements. An accredited, third-party lab provides assurance that the product has been thoroughly tested and found to meet all of the requirements. In essence, a third party confirms a vendor’s claims of SCAP-compliance, providing the vendor credibility in an agency’s opinion.

Are there any fees or licensing restrictions associated with SCAP checklists and Test Procedures?
There are no licensing fees or restrictions associated with the SCAP content hosted through the National Vulnerability Database (NVD). Vendors, government agencies, and other organizations are encouraged to use this SCAP content for whatever purposes they envision, including as a source for SCAP-capable tools. Note that SCAP enumeration data is derived from open standards.

Have all vendors who advertise “SCAP-compliant” for their product implemented the SCAP standard in an identical manner?
Buyers are encouraged to research “SCAP compatible” products and services thoroughly before investing in them. NOTE: not all products have fully implemented every SCAP standard. NVD provides a list of SCAP validated products. Now that the standard is in force, neither SCAP-Compliant nor SCAP-Compatible will meet FISMA requirements. Instead, the product must be NIST validated for the components and capabilities that you need.

How long does it take to get an SCAP-compliant product validated?
The time it takes to complete testing and validation depends on several factors. Assuming there is a completed product that conforms to the specifications, laboratory testing time can still vary from as little as two weeks up to several months (or more). Once all testing is complete and the report is submitted to NIST, the validation can be issued in a few weeks.

What are the requirements for validation from the vendor’s side?
Typically, independent SCAP validation laboratories need all of the following to complete the mandatory tests given in the derived test requirements:
  • A contract and Non-disclosure Agreement
  • A list of the SCAP test requirements given in the Derived Test Requirements of the SCAP standard.
  • Access to the product to be tested, and its documentation

How much does it cost?
The cost of conformance testing and validation varies with the readiness of the product, the nature of the product, previous analysis, evaluation of versions of the product, and the requested timeline.

As a NIST-sponsored effort for both automated provisioning and continuous monitoring, SCAP implementation can save time and money by measuring and automating detection using open standards, finding vulnerabilities, and then offering methods to score those findings.

Next month, we will review the six underlying standards of SCAP.