Security Content Automation Protocol (SCAP)


SCAP

Security Content Automation Protocol (SCAP, pronounced “ess-cap”) is an overarching suite of the standards discussed earlier, including CVE, CVSS, CPE, XCCDF, and OVAL. NIST maintains the SCAP specifications, which define how these standards work together in an automated fashion, and it publishes the content of all of these standards in the National Vulnerability Database (NVD).
SCAP also has a product validation program to assist in evaluating products for compatibility with the various open standards. NIST provides detailed descriptions of the validation areas, abbreviated here to give you a sense of the possible areas of validation:
  • Federal Desktop Core Configuration (FDCC) scanner: A product with the ability to audit and assess a target system in order to determine its compliance with the FDCC requirements, which resulted from U.S. government OMB Memo M-07-18. That memo states that the provider of information technology shall certify that applications are fully functional and operate correctly as intended on systems using the FDCC.
  • Authenticated configuration scanner: A product with the ability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system log-on privileges.
  • Authenticated vulnerability and patch scanner: A product with the ability to scan a target system to locate and identify the presence of known software flaws and evaluate the software patch status to determine compliance with a defined patch policy using target system log-on privileges.
  • Unauthenticated vulnerability scanner: A product with the ability to determine the presence of known software flaws by evaluating the target system over the network.
  • Intrusion detection and prevention systems: Products that monitor systems or networks for unauthorized or malicious activities. An IPS actively protects the target system or network against these activities.
  • Patch remediation: The ability to install patches on a target system in compliance with a defined patching policy.
  • Misconfiguration remediation: The ability to alter the configuration of a target system in order to bring it into compliance with a defined set of configuration recommendations.
  • Asset management: The ability to actively discover, audit, and assess asset characteristics, including installed and licensed products; location within the world, a network, or an enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
  • Asset database: The ability to passively store and report on asset characteristics, including installed and licensed products; location within the world, a network, or an enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
  • Vulnerability database: A product that contains a catalog of security-related software flaw issues labeled with CVEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of software flaws, references to additional information (e.g., links to patches or vulnerability advisories), and impact scores.
  • Misconfiguration database: A product that contains a catalog of security-related configuration issues labeled with CVEs where applicable.
  • Malware tool: The ability to identify and report on the presence of viruses, Trojan horses, spyware, or other malware on a target system.
A product is assessed and validated for one or more of these areas. The validation status of products is posted on NIST’s public Web site. Validation does not assure the quality or reliability of a product; it only indicates that the product meets the criteria set forth by the SCAP program.
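As an added example that is not part of the original text, the following code shows how a compliance decision of the kind the authenticated configuration scanner category describes can be derived from an XCCDF TestResult, with a CPE name identifying the target platform and a CVE identifier tying a failed patch rule back to a vulnerability database. The XML document, host name, rule ids, CPE name and the CVE-0000-0000 value are all constructed placeholders, not real scanner output.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
# Constructed sample TestResult, not the output of any real scanner: hostname,
# rule ids and CPE name are made up, and CVE-0000-0000 is a placeholder.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_1">
  <target>ws-0042.example.internal</target>
  <platform idref="cpe:2.3:o:example:exampleos:10:*:*:*:*:*:*:*"/>
  <rule-result idref="xccdf_example_rule_password_min_len" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_disable_telnet" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_missing_patch" severity="high">
    <result>fail</result>
    <ident system="http://cve.mitre.org">CVE-0000-0000</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_legacy_check" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

# Only pass/fail count toward the compliance ratio; notapplicable, notchecked,
# notselected, informational etc. are left out of the score.
SCORED = {"pass", "fail"}

def summarize_results(xml_text):
    # Parse an XCCDF TestResult; the host is compliant only if no scored rule failed.
    root = ET.fromstring(xml_text)
    counts, failed = {}, []
    for rr in root.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome == "fail":
            failed.append({
                "rule": rr.get("idref"),
                "severity": rr.get("severity", "unknown"),
                "idents": [i.text for i in rr.findall("x:ident", NS)],  # e.g. CVE ids
            })
    scored = sum(n for o, n in counts.items() if o in SCORED)
    platform = root.find("x:platform", NS)
    return {
        "target": root.findtext("x:target", namespaces=NS),
        "platform": platform.get("idref") if platform is not None else None,
        "counts": counts,
        "pass_ratio": counts.get("pass", 0) / scored if scored else None,
        "failed": failed,
        "compliant": not failed,
    }
```

Calling `summarize_results(SAMPLE_RESULT)` reports the host as non-compliant with two failed high-severity rules, one of them carrying the placeholder CVE identifier.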