In our last discussion, we aspired for automated provisioning and continuous monitoring of Network Security Management. The National Institute of Standards and Technology (NIST) has spearheaded Security Content Automation Protocol (SCAP) efforts for the last ten years. NIST, an agency of the U.S. Department of Commerce, was founded in 1901 as the nation's first federal physical science research laboratory. In essence, SCAP is a NIST-sponsored effort for both pieces (automated provisioning and continuous monitoring).
As a refresher: SCAP, pronounced “S-Cap”, combines a number of open standards that are used to enumerate software flaws and configuration issues related to security. They measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate the possible impact. It is a method for using those open standards for automated vulnerability management, measurement and policy compliance evaluation and was the next logical step in the evolution of our compliance automation tools for Federal Agencies. SCAP defines how the following standards (referred to as SCAP 'Components') are combined and allows results to be easily shared for Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB), Department of Homeland Security (DHS) and others.