
SCAP Frequently Asked Questions

cargenio edited this page Jun 4, 2020 · 1 revision

Introduction

What is the Security Content Automation Protocol (SCAP)?

SCAP is a suite of specifications for exchanging security automation content used to assess configuration compliance and to detect the presence of vulnerable versions of software. The same SCAP content can be used by multiple tools to perform a given assessment described by the content.

How will SCAP v2 improve SCAP v1 capabilities?

SCAP v2 will allow software installation and configuration posture to be monitored and reported as changes to that posture occur. Event-driven reporting will be used in SCAP to support software inventory and vulnerability management. SCAP will also be expanded to include transport protocols that enable the secure, interoperable communication of security automation information. Where possible, SCAP v2 will adopt international standards to address issues and gaps in SCAP v1.

How will SCAP v2 help organizations to secure their networks?

With SCAP v2, timeliness of collection and evaluation will be improved through the monitoring and reporting of posture changes as they occur. This will improve on the currency of collected posture as compared to the periodic scanning approach supported by SCAP v1. SCAP v2 will also allow for more active responses to posture changes as they occur.

Joining the Community

How do I help develop SCAP v2?

Contribute to SCAP v2 by engaging in discussion on the SCAP Dev list, attending SCAP v2 related events, and contributing text to SCAP v2 specifications and component standards. Information on subscribing to the SCAP Dev list is available at SCAP v2 Community.

How do I contribute text to the SCAP v2 specifications and component standards?

Participation in the appropriate standards bodies and as part of the SCAP community is the most effective way to contribute to the development of SCAP v2 specifications and component standards. Soon, the SCAP specifications will be hosted on a GitHub repository, which will facilitate community contribution.

How do I learn more about what is happening in SCAP v2 development?

Resources related to SCAP v2 (slides, papers, specifications, etc.) can be found at Presentation Archives and at Teleconferences Minutes and Archives.

Current Status and Activities

How do SCAP v1 data models fit into SCAP v2?

SCAP v2 intends to update existing SCAP v1 data models and to leverage new data models and protocols produced by international standards organizations to address new and evolving capabilities. Existing SCAP v1 data models need to be reviewed, and individual data models will need to be updated or replaced to address current trends in technology. The SCAP community is actively developing transition plans to ensure that existing SCAP solutions can operate alongside SCAP v2.

What are the plans for developing the data models and protocols for SCAP v2?

SCAP v2 intends to update existing SCAP v1 data models and to leverage new data models and protocols produced by international standards organizations to support evolving capabilities. SCAP v1 data models need to be reviewed, and individual data models will need to be updated or replaced to address current trends in technology. Similarly, protocols need to be selected for interfaces that are identified as part of the development of the SCAP v2 architecture. Both of these will be done through engagement with the SCAP community. Where existing standards or protocols need to be updated, the SCAP v2 community is encouraged to get involved in the associated standards organizations to drive standards development to support SCAP v2 requirements. Furthermore, if a data model or protocol doesn't exist, it should be developed by the community and brought to the most appropriate international standards organization for standardization.

I’ve heard people say that the only real user of SCAP is the US government; is this true?

SCAP v1 is used across multiple industry sectors today, including significant use in the public, financial and healthcare sectors internationally. To improve on the utility and adoption of SCAP, engagement with members of a diverse set of sectors is needed. The best way to do that is to get members of those and other groups involved through community outreach by all its members.

When will SCAP v2 provide support for <InsertUseCaseHere>?

To support broad use, SCAP v2 is intended to cover many security automation use cases. Use case support priorities are identified through SCAP community consensus, and these drive the focus of development efforts. If you are interested in a particular use case for SCAP, join the SCAP community and let your voice be heard.

When will SCAP v2 support <InsertEndpointTypeHere>?

SCAP can be used wherever there are compatible tools and relevant content. Right now, most focus has been on traditional endpoint systems (workstations, servers, and laptops), but a few SCAP tools and associated content have been written for IoT, mobile, and other platforms. Further development of tools and content will expand the set of supported devices.

Component Standards

How do SWID Tags fit into SCAP v2?

SWID tags are very important in SCAP v2. Common Platform Enumeration (CPE) doesn’t scale well, doesn't support patch information, and was intended to be a software identifier rather than a software inventory standard. SWID tags can be produced by the software provider and are managed with the software on an endpoint, which is much more scalable and supports software inventory use cases.

The use of SWID tags provides the vulnerability management community with an approach to software identification and characterization that scales well as compared to CPE. Developing tools that facilitate the integration of SWID tags into the software development and release process is the only sustainable path to support software identification in a scalable way.
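As an added illustration (not code from this wiki or from NIST), the sketch below builds a software inventory from SWID tags and attaches each patch tag to the product it patches, which is the patch information the answer above says CPE does not carry. The sample tags, their tagId values and the functions `parse_tag` and `build_inventory` are constructed for this example; element and attribute names follow the ISO/IEC 19770-2:2015 SWID schema.

```python
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
NS = {"swid": SWID_NS}

# Constructed sample tags: vendor, product and tagId values are hypothetical.
PRIMARY_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" name="Example Editor"
    tagId="example.com-editor-4.1.0" version="4.1.0">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>"""
PATCH_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" name="Example Editor Hotfix 7"
    tagId="example.com-editor-4.1.0-hotfix7" version="4.1.0.7" patch="true">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
  <Link rel="patches" href="swid:example.com-editor-4.1.0"/>
</SoftwareIdentity>"""

def parse_tag(xml_text):
    """Extract the identity and patch fields from one SWID tag."""
    if "<!DOCTYPE" in xml_text:  # tags arrive from endpoints: refuse DTDs/entities
        raise ValueError("DOCTYPE not allowed in a SWID tag")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("root element is not SoftwareIdentity")
    links = root.findall("swid:Link", NS)
    return {
        "tag_id": root.get("tagId"),
        "name": root.get("name"),
        "version": root.get("version"),
        "is_patch": root.get("patch") in ("true", "1"),
        # A patch tag names the tag it modifies with rel="patches".
        "patches": [link.get("href", "").split("swid:", 1)[-1]
                    for link in links if link.get("rel") == "patches"],
    }

def build_inventory(tag_documents):
    """Return (products keyed by tagId with applied patches, orphan patch tagIds)."""
    tags = [parse_tag(doc) for doc in tag_documents]
    products = {t["tag_id"]: {"name": t["name"], "version": t["version"], "patches": []}
                for t in tags if not t["is_patch"]}
    orphans = []
    for t in (t for t in tags if t["is_patch"]):
        targets = [p for p in t["patches"] if p in products]
        for target in targets:
            products[target]["patches"].append(t["tag_id"])
        if not targets:  # patch tag present, but the patched product's tag is not
            orphans.append(t["tag_id"])
    return products, orphans
```

An orphan patch tag is worth reporting in an inventory, since it means a patch was recorded on the endpoint without a tag for the product it applies to.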

Will SCAP v2 include any support for CPE?

CPE is being deprecated and will not be supported as it was in SCAP v1. The transition from CPE to SWID tags needs to be managed to help organizations that rely on CPE today. NIST will work with the SCAP/CPE community to develop a plan for transitioning from CPE to SWID, and we will work with the community on how this can be best supported.

How are data models and protocols selected for SCAP v2?

SCAP v2 is a community-driven effort that adopts standard data models and protocols that support hardware inventory, software inventory, vulnerability management, and configuration setting management use cases. Standards will be considered by the community on a case-by-case basis to determine their ability to satisfy these use cases as well as the community’s willingness to implement them. The long-term viability, extensibility, and scalability of a data model or protocol must be a consideration for selection. Ideally, the data models and protocols adopted for SCAP v2 will provide a stable base that can be extended to support additional endpoint information and capabilities over time.

Will SCAP v2 provide support for <InsertStandardHere>?

The list of standards SCAP v2 supports is still evolving and is open for community discussion. NIST is committed to discussing with the community the benefits of applicable standards and how they can support SCAP v2 use cases.

Implementation

Is a separate device needed for each component in the SCAP v2 architecture?

SCAP v2 supports a wide variety of potential implementations, and the design is intended to provide flexibility in how components are deployed. Given the modular design of the SCAP v2 architecture, many of the architectural components can be combined on a single device, or a single component might be deployed across multiple devices.

Is the SCAP v2 architecture usable in both small and large enterprises?

Yes, SCAP v2 is intended to be used by enterprises of all sizes. The modular nature of the SCAP v2 architecture is intended to provide flexibility in deployments.

Will stand-alone machines and closed-LAN systems be covered by SCAP v2?

Yes, SCAP v2 components can be provisioned on closed LAN networks.
