NIST updates specs for the latest version of SCAP

Agency also revising its glossary of key IT security terms

A revised version of specifications for Version 1.1 of the Security Content Automation Protocol has been released for comment by the National Institute of Standards and Technology.

SCAP comprises specifications for the standard organization and expression of security-related information. NIST’s Special Publication 800-126 Rev. 1, “The Technical Specification for the Security Content Automation Protocol Version 1.1,” provides an overview of the protocol, focusing on how software developers can integrate SCAP technology into their product offerings and interfaces. Major changes from SCAP version 1.0 to 1.1 include the addition of Open Checklist Interactive Language (OCIL) and an upgrade to Open Vulnerability and Assessment Language (OVAL) version 5.6.

“The U.S. federal government, in cooperation with academia and private industry, is adopting SCAP and encourages its use in support of security automation activities and initiatives,” the publication states. “SCAP is achieving widespread adoption by major software and hardware manufacturers and has become a significant component of large information security management and governance programs.”

Related story:

NIST out to ensure security products comply with vulnerability testing language


The SCAP protocols support automated vulnerability and patch checking, compliance with required and recommended technical control, and security measurement. The goal of the protocols is to standardize information system security management, promote interoperability of security products, and foster the use of standard expressions of security content.

SCAP v1.1 includes seven specifications: eXtensible Configuration Checklist Description Format (XCCDF), OVAL, OCIL, Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), Common Vulnerabilities and Exposures (CVE), and Common Vulnerability Scoring System (CVSS). These specifications are grouped into three categories:

  • Languages, providing standard vocabularies and conventions for expressing security policy, technical check mechanisms, and assessment results.
  • Enumerations, defining a standard nomenclature and an official dictionary or list of items expressed in that nomenclature.
  • Measurement and scoring systems for the evaluation of specific characteristics of a vulnerability and, based on those characteristics, generating a score that reflects the vulnerability’s severity.

Users or developers of content and tools using SCAP should make sure that their use of the protocol complies with the requirements laid out in NIST recommendations. Use of SCAP should help administrators in complying with existing government guidelines and requirements, including NIST SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations”; Defense Department Instruction 8500.2; and the Payment Card Industry security framework.

Comments on draft SP 800-126 Rev. 1 should be sent by June 28 to with “Comments SP 800-126” in the subject line.

NIST also is revising its Glossary of Key Information Security Terms (Interagency Report 7298). The document contains more than 200 pages of definitions, from “access” to “zone of control.” The latter is defined as the "three dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists."

A draft of the revised glossary has been released for comment. The glossary has been extracted from NIST's Federal Information Processing Standards, the Special Publication 800 series of security guidance, NIST Interagency Reports, and from the Committee for National Security Systems Instruction 4009 (CNSSI-4009). The glossary does not include all terms found in the NIST publications, but does contain all of the terms and definitions from CNSSI-4009.

NIST intends to keep the glossary current by providing updates online. New definitions will be added to the glossary and updated versions will be posted to the Computer Security Resource Center Web site.

Comments on the draft should be sent to by June 30. The source documents for the terms and definitions are considered authoritative. Better definitions for a given term may be suggested, but definitions will not change in the glossary until they have been changed in the source document.

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.