NIST updates SCAP validation requirements

The National Institute of Standards and Technology (NIST) has revised its testing requirements for security products that use the Security Content Automation Protocol (SCAP).

SCAP is a NIST specification for expressing and manipulating security data in standardized ways. It can enumerate product names and vulnerabilities, including software flaws and configuration problems, identify the presence of vulnerabilities and assign severity scores to software flaws.

Draft NIST Interagency Report 7511, titled “Security Content Automation Protocol Validation Program Test Requirements, Revision 1,” is an updated version of draft test requirements released in August 2008. It describes the requirements that products must meet to achieve SCAP validation. Independent laboratories accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program conduct the validations.

“Adoption of SCAP makes it easier for organizations to automate ongoing security monitoring, vulnerability management and security policy compliance evaluation reporting,” the NIST document says. SCAP can be used to quickly find known vulnerabilities and to automate activities such as ongoing security monitoring, vulnerability management and security policy compliance evaluation reporting.

The specifications that make up SCAP are:

  • Common Vulnerabilities and Exposures, a dictionary of names for publicly known security-related software flaws.
  • Common Configuration Enumeration, a dictionary of names for software security configuration issues, such as access control settings and password policy settings.
  • Common Platform Enumeration, a naming convention for hardware, operating systems and software.
  • Extensible Configuration Checklist Description Format, an Extensible Markup Language specification for structured collections of security configuration rules used by operating systems and applications.
  • Open Vulnerability and Assessment Language, an XML specification for exchanging technical details on how to check systems for security-related software flaws, configuration issues and patches.
  • Common Vulnerability Scoring System, a method for classifying characteristics of software flaws and assigning severity scores.

Several organizations created and maintain the SCAP components, including Mitre Corp., the National Security Agency, and the Forum for Incident Response and Security Teams. NIST provides SCAP content such as vulnerability and product enumeration identifiers via the National Vulnerability Database. All database content and the high-level SCAP specification are freely available from NIST. Nongovernment organizations also create and make SCAP content available.

The NIST report was written primarily for laboratories that are accredited to do SCAP product testing, vendors interested in receiving SCAP validation for their products, and agencies and integrators that deploy SCAP tools. Laboratories can use the report to guide their testing. Vendors may use the information to understand the features products must have to receive any of the SCAP validations. Agencies and integrators can use it for insight into the criteria that products being considered for procurement must meet to be validated. End users might also find it valuable to review test requirements to better understand product capabilities and SCAP validation.

Comments on this report should be sent to John Banghart, one of the authors of the report, at john.banghart@nist.gov.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above