NIST revises specs for automating security

New version of SCAP to help agencies with continuous monitoring of systems

This article was updated Jan. 12 to correct the version of OVAL included in SCAP.

The National Institute of Standards and Technology has revised specifications for the latest version of the Security Content Automation Protocol (SCAP).

SCAP is a suite of specifications that standardize the ways in which security software products identify and share information about software configuration and flaws. NIST’s Special Publication 800-126 Rev. 1, “The Technical Specification for the Security Content Automation Protocol Version 1.1,” provides an overview of the protocol, focusing on how software developers can integrate SCAP technology into their product offerings and interfaces. NIST has released the third draft version of this publication for public comment.

Major changes from SCAP version 1.0 to 1.1 include the addition of Open Checklist Interactive Language (OCIL) and an upgrade to Open Vulnerability and Assessment Language (OVAL) Version 5.8.

An emphasis on continuous monitoring and real-time awareness of the security status of federal IT systems makes the automation of security activities imperative, and SCAP is intended to enable that automation. The use of SCAP-enabled security products when available is required for agencies, and the protocol also is being adopted by the private sector.


“SCAP is achieving widespread adoption by major software and hardware manufacturers and has become a significant component of large information security management and governance programs,” the publication states.

The protocol is evolving to automate vulnerability and patch checking, compliance with required and recommended technical controls, and security measurement. The goal of the protocol is to standardize information system security management, promote interoperability of security products, and foster the use of standard expressions of security content.

SCAP v1.1 includes seven specifications — eXtensible Configuration Checklist Description Format (XCCDF), OVAL, OCIL, Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), Common Vulnerabilities and Exposures (CVE), and Common Vulnerability Scoring System (CVSS). These specifications are grouped into three categories:

  • Languages, providing standard vocabularies and conventions for expressing security policy, technical check mechanisms, and assessment results.
  • Enumerations, defining a standard nomenclature and an official dictionary or list of items expressed in that nomenclature.
  • Measurement and scoring systems for the evaluation of specific characteristics of a vulnerability and, based on those characteristics, generating a score that reflects the vulnerability’s severity.

SCAP utilizes standardized software flaw and security configuration data, provided by the National Vulnerability Database, which is managed by NIST and sponsored by the Homeland Security Department.

Users or developers of content and tools using SCAP should make sure that their use of the protocol complies with the requirements laid out in NIST recommendations. Use of SCAP should help administrators in complying with existing government guidelines and requirements, including NIST SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” Defense Department Instruction 8500.2, and the Payment Card Industry security framework.

Comments on the third public draft SP 800-126 Revision 1 should be sent by January 28 to 800-126comments@nist.gov with “Comments SP 800-126” in the subject line.
