NIST releases FISMA security control tools

The National Institute of Standards and Technology has released a suite of tools to help automate vulnerability management and evaluate compliance with federal IT security requirements.

The Security Content Automation Protocol is an expansion of the National Vulnerability Database. It is an automated checklist that uses a collection of recognized standards for naming software flaws and configuration problems in specific products. It can help test for the presence of vulnerabilities and rank them according to severity of impact. The checklist files are mapped to NIST specifications for compliance with the Federal Information Security Management Act, so that the output can be used to document FISMA compliance.

'FISMA is a very thorough and comprehensive framework for securing computers,' said Peter Mell, NVD program manager. 'But it doesn't deal with diving down at low-level configurations and settings where vulnerabilities are exploited. It's been difficult to go from the high-level framework to actually flipping bits on computers to secure them.'

SCAP is intended to help make the step from FISMA compliance to operational IT security.

Because much of government is standardized on Microsoft products, the initial SCAP release checks for vulnerabilities in Windows Vista, XP and Server 2003 operating systems as well as Office 2007 and Internet Explorer 7.0. It 'is being rapidly expanded to encompass additional vendors and products,' Mell said.

SCAP currently uses six open standards for enumerating, evaluating and measuring the impact of software problems and reporting the results:
  • Common Vulnerabilities and Exposures, CVE, from MITRE Corp.; standard identifiers and dictionary for security vulnerabilities related to software flaws.
  • Common Configuration Enumeration, CCE, from MITRE; standard identifiers and dictionary for system security configuration issues.
  • Common Platform Enumeration, CPE, from MITRE; standard identifiers and dictionary for platform and product naming.
  • eXtensible Configuration Checklist Description Format, XCCDF, from the National Security Agency and NIST; a standard XML format for specifying checklists and reporting results.
  • Open Vulnerability and Assessment Language, OVAL, from MITRE; a standard XML format for security testing procedures and reporting.
  • Common Vulnerability Scoring System, CVSS, from the Forum of Incident Response and Security Teams; a standard for conveying and scoring the impact of vulnerabilities.
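To show how the six standards fit together in practice, here is an added example (not code from the article, NIST or NVD). It parses a constructed, XCCDF-shaped TestResult that names its target platform with a CPE name and tags each failed check with a CVE or CCE identifier, validates those identifiers against the syntax of each enumeration, scores the CVE findings with the CVSS base formula, and ranks the failures by severity. Assumptions not on the page: the CVSS version 2 base-score formula and NVD's Low/Medium/High bands for it (the article names no CVSS version), the XCCDF 1.1 namespace for the sample, and every identifier and vector in the sample, which are constructed placeholders rather than real records.

```python
"""Added example: join XCCDF results, CPE/CVE/CCE identifiers and CVSS v2
scores into a severity-ranked list of failed checks. Sample data is
constructed; identifiers are placeholders, not real CVE/CCE entries."""
import re
import xml.etree.ElementTree as ET
from decimal import Decimal, ROUND_HALF_UP

# Syntax of three SCAP enumerations (CPE in its 2.2 URI form).
ID_PATTERNS = {
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "CCE": re.compile(r"^CCE-\d{4,5}-\d$"),
    "CPE": re.compile(r"^cpe:/[aho](:[^:/]*){0,6}$"),
}

# CVSS v2 base-metric weights (assumption: v2; the article names no version).
CVSS2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.1}"

# Constructed sample shaped like an XCCDF TestResult; all ids are placeholders.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-result">
  <target>workstation-01</target>
  <platform idref="cpe:/o:microsoft:windows_xp::sp2"/>
  <rule-result idref="xp-patch-check">
    <result>fail</result>
    <ident system="http://cve.mitre.org">CVE-0000-0001</ident>
  </rule-result>
  <rule-result idref="xp-config-check">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-00000-0</ident>
  </rule-result>
  <rule-result idref="office-patch-check">
    <result>pass</result>
    <ident system="http://cve.mitre.org">CVE-0000-0002</ident>
  </rule-result>
  <rule-result idref="broken-ident">
    <result>fail</result>
    <ident system="http://cve.mitre.org">CVE-1-2</ident>
  </rule-result>
</TestResult>"""

# Constructed stand-in for an NVD lookup of CVSS v2 vectors by CVE id.
CVSS_LOOKUP = {
    "CVE-0000-0001": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "CVE-0000-0002": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
}


def valid_id(kind, ident):
    """True if ident matches the syntax of the named enumeration."""
    return bool(ID_PATTERNS[kind].match(ident))


def cvss2_base_score(vector):
    """CVSS v2 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    missing = set(CVSS2_WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"vector lacks metrics: {sorted(missing)}")
    w = {m: CVSS2_WEIGHTS[m][metrics[m]] for m in CVSS2_WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # The spec rounds to one decimal; Decimal avoids float banker's rounding.
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def severity(score):
    """NVD's v2 severity bands: Low 0-3.9, Medium 4-6.9, High 7-10."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"


def rank_findings(xccdf_xml, cvss_lookup):
    """Return failed checks ranked by CVSS score, flagging malformed identifiers."""
    root = ET.fromstring(xccdf_xml)
    platform = root.find(XCCDF_NS + "platform").get("idref")
    if not valid_id("CPE", platform):
        raise ValueError(f"bad CPE name: {platform}")
    findings = []
    for rr in root.findall(XCCDF_NS + "rule-result"):
        if rr.findtext(XCCDF_NS + "result") != "fail":
            continue  # only failed checks are findings
        ident = rr.find(XCCDF_NS + "ident").text
        kind = ident.split("-", 1)[0]
        entry = {"rule": rr.get("idref"), "ident": ident, "kind": kind,
                 "score": None, "severity": "n/a"}
        if kind not in ID_PATTERNS or not valid_id(kind, ident):
            entry["kind"] = "INVALID"  # malformed id: cannot be looked up or scored
        elif kind == "CVE" and ident in cvss_lookup:
            entry["score"] = cvss2_base_score(cvss_lookup[ident])
            entry["severity"] = severity(entry["score"])
        findings.append(entry)
    # Highest CVSS score first; unscored CCE and invalid entries go last.
    findings.sort(key=lambda f: -1 if f["score"] is None else f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in rank_findings(SAMPLE_RESULT, CVSS_LOOKUP):
        print(f"{f['severity']:<6} {f['score']!s:<5} {f['kind']:<7} {f['ident']:<14} {f['rule']}")
```

Run as a script it prints the failed checks with the scored CVE finding first, then the configuration (CCE) finding, then the rule whose identifier does not match any enumeration's syntax. Passing checks are dropped, so the output is the list a FISMA report would need to explain: what failed, on which platform, and how severe each flaw is.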

About the Author

William Jackson is a Maryland-based freelance writer.
