NIST releases specs for automated IT security protocol
- By William Jackson
- Nov 06, 2009
A set of definitive technical specifications explaining Version 1.0 of the Security Content Automation Protocol (SCAP) has been released to help content authors and software developers use and comply with the protocol.
SCAP comprises specifications for the standard organization and expression of security-related information. The National Institute of Standards and Technology’s Special Publication 800-126, “The Technical Specification for the SCAP,” provides an overview of the protocol and of the ways software developers can integrate SCAP technology into their product offerings and interfaces.
“SCAP is achieving widespread adoption by major software and hardware manufacturers and has become a significant component of large information security management and governance programs,” the publication says. “The protocol is expected to evolve and expand in support of the growing needs to define and measure effective security controls, assess and monitor ongoing aspects of that information security, and successfully manage systems in accordance with risk management frameworks.”
SP 800-126 defines and explains the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and requirements not defined in the individual component specifications. It is intended to facilitate the development of interoperable tools and content, with requirements and conventions to ensure the consistent and accurate exchange of SCAP content and its use on SCAP-validated tools. It is technically oriented and assumes a basic understanding of system security.
SCAP is a suite of specifications that use the Extensible Markup Language (XML) to standardize how software products exchange information about software flaws and security configurations. It includes software flaw and security configuration standard reference data provided by the National Vulnerability Database, which is managed by NIST and sponsored by the Homeland Security Department. SCAP supports automated vulnerability checking, technical control compliance activities and security measurement. The government, in cooperation with academia and private industry, is adopting SCAP to automate security activities.
“NIST encourages the creation of reliable and pervasive SCAP content and the development of a wide array of tools that leverage SCAP capabilities,” the publication says.
SCAP 1.0 contains six specifications grouped into three categories:
- Languages. The SCAP languages provide standard vocabularies and conventions for expressing security policy, technical check mechanisms and assessment results.
- Enumerations. Each SCAP enumeration defines a standard nomenclature or naming format and an official dictionary or list of items expressed using that nomenclature.
- Vulnerability measurement and scoring systems. In SCAP, this refers to evaluating specific characteristics of a vulnerability and generating a score for the vulnerability’s severity.
Users or developers of content and tools using SCAP should make sure that their use of the protocol complies with the requirements laid out in SP 800-126. The publication includes clarification for cases in which requirements for different component specifications conflict with each other. “If a component specification is in conflict with this document, the requirements in this document take precedence,” it says.
Use of SCAP should help administrators comply with existing government guidelines and requirements, including NIST SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” the third revision of which has recently been released; Defense Department Instruction 8500.2; and the Payment Card Industry security framework.
William Jackson is a Maryland-based freelance writer.