SCAP Resources

SCAP Resources

SCAP has been in existence for over 11 years. Since its inception, many valuable resources have been created for public reference and use.

NIST and Other Government Resources

1. Security Content Automation Protocol (SCAP) Overview, https://csrc.nist.gov/projects/security-content-automation-protocol/ Updated March 3, 2020

   • This information resource provides an overview of NIST’s overall strategy for SCAP. It is updated regularly as the program continues to evolve.

1. The Security Content Automation program (SCAP): Automating Compliance Checking, Vulnerability Management, and Security Measurement, https://nvd.nist.gov/scap/docs/SCAP-NISTIR-7343.pdf, Oct. 2006

   • This document describes the SCAP program with a focus on how XCCDF and OVAL files can be used as part of security content automation. The information on the SCAP program dates to 2006, but the checklist development guidance and the description of the use of XCCDF and OVAL for security automation provide valuable information.

2. A New SCAP Information Model and Data Model for Content Authors, https://www.nist.gov/publications/new-scap-information-model-and-data-model-content-authors, Dec. 18, 2018

   • This NIST publication describes an authoring data model that facilitates the implementation of SCAP content development software applications. The paper also covers an application that implements the data model, enabling SCAP content authors to create resource data stream collections.

3. Security Content Automation Protocol Validation program – NIST, https://csrc.nist.gov/Projects/scap-validation-program, Oct. 22, 2019

   • This information resource provides guidance on the SCAP protocol validation program, which tests the ability of products to use the features and functionality available through SCAP and its component standards. It includes SCAP 1.3 validation, SCAP 1.22 validation, SCAP validated products and modules, SCAP validation resources, and SCAP accredited libraries.

4. Security Content Automation Protocol (SCAP Compliance Checker (SCC), https://www.public.navy.mil/navwar/Atlantic/Technology/Pages/SCAP.aspx, Naval Information Warfare Center, August 29, 2019

   • The SCAP Compliance Checker (SCC), now funded by the US Defense Information Systems Agency (DISA), is a tool that can perform compliance verification using SCAP content and can perform authenticated vulnerability scanning using OVAL content.

Articles

These news articles provide high-level descriptions of SCAP, its uses and benefits.

• NIST updates Security Content Automation Protocol to monitor computer science, CHIPS (Dept. of Navy’s Information Technology Magazine), https://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?ID=10281, April 24, 2018

• Secure Configurations and the Power of SCAP, https://www.cisecurity.org/blog/secure-configurations-and-the-power-of-scap/, by Tony Sager, no date

• What is Security Content Automation Protocol (SCAP)?, https://www.lifewire.com/what-is-scap-2487459, May 17, 2019

• How To Create An SCAP Scan, https://community.tenable.com/s/article/How-to-create-a-SCAP-scan, Tenable Community, September 23, 2019

• Security Content Automation Protocol (SCAP) Tools, https://www.lifewire.com/scap-security-content-automation-protocol-scap-tools-and-resources-2487944, Lifewire, November 19, 2019

Wikipedia

• Security Content Automation Protocol, https://en.wikipedia.org/wiki/Security_Content_Automation_Protocol, Updated December 22, 2019