NIST lists SCAP-validated tools

A new Web page hosted by the National Institute of Standards and Technology lists products that have been validated to scan the security configurations of Windows operating systems on federal desktop PCs.

The scanners use the Security Content Automation Protocol to check for compliance with the Federal Desktop Core Configuration (FDCC) standards. So far, three products have been validated by independent laboratories under NIST's National Voluntary Laboratory Accreditation Program.

The Office of Management and Budget required agencies that use Windows XP and Vista to comply with the FDCC by Feb. 1. OMB also required agencies to use SCAP scanning tools to ensure that configurations were not being altered.

'Your agency can now acquire information technology products that are self-asserted by information technology providers as compliant with the Windows XP & Vista FDCC, and use NIST's Security Content Automation Protocol to help evaluate providers' self-assertions,' OMB wrote in a July 31 memo to federal chief information officers. However, 'information technology providers must use SCAP-validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations.'

NIST developed SCAP in cooperation with the Defense and Homeland Security departments and Mitre Corp. to provide technical specifications for identifying, enumerating, assigning and sharing security-related data. Vendors have developed tools using the protocol to help automate IT security operations, but as with any protocol, proper implementation must be validated.

NIST established a SCAP validation program last summer, accrediting three laboratories, and the first FDCC scanners have recently been evaluated. The new page is hosted on NIST's National Vulnerability Database Web site. Currently validated products all scan only Windows XP Professional SP 2. They are:
  • SecureFusion v3.501 from Gideon Technologies Inc. of Duluth, Ga.
  • C5 Compliance Platform v. 3.3.1 from Secure Elements Inc. of Herndon, Va.
  • Secutor Prime v2.0.4 from ThreatGuard Inc. of San Antonio.

Meanwhile, a number of other products are in the process of being evaluated.

Currently accredited laboratories are EWA-Canada, of Ottawa; SAIC Accredited Testing and Evaluation Laboratories, of Columbia, Md.; and ICSA Labs of Mechanicsburg, Pa.

About the Author

William Jackson is a Maryland-based freelance writer.

