NIST Requests Comments on the Security Content Automation Protocol (SCAP)
August 21, 2015

NIST requests comments on the design and development of the Security Content Automation Protocol (SCAP) version 1.3. This new version of SCAP will be documented in a future third revision draft release of Special Publication (SP) 800-126, The Technical Specification for the Security Content Automation Protocol: SCAP Version 1.3. Please send suggestions for potential changes from SCAP 1.2 (as documented in SP 800-126 Revision 2) and/or other ideas for SCAP 1.3 by September 28, 2015 to 800-126comments@nist.gov.

Background

SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the ongoing development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content.

The component specifications included in the current version of SCAP (1.2) are as follows.

Languages:

• Extensible Configuration Checklist Description Format (XCCDF) 1.2, a language for authoring security checklists/benchmarks and for reporting results of evaluating them
• Open Vulnerability and Assessment Language (OVAL) 5.10.1, a language for representing system configuration information, assessing machine state, and reporting assessment results
• Open Checklist Interactive Language (OCIL) 2.0, a language for representing checks that collect information from people or from existing data stores made by other data collection efforts

Reporting Formats:

• Asset Reporting Format (ARF) 1.1, a format for expressing the transport format of information about assets and the relationships between assets and reports
• Asset Identification 1.1, a format for uniquely identifying assets based on known identifiers and/or known information about the assets

Enumerations:

• Common Platform Enumeration (CPE) 2.3, a nomenclature and dictionary of hardware, operating systems, and applications
• Common Configuration Enumeration (CCE) 5, a nomenclature and dictionary of software security configurations
• Common Vulnerabilities and Exposures (CVE), a nomenclature and dictionary of security-related software flaws

Measurement and Scoring Systems:

• Common Vulnerability Scoring System (CVSS) 2.0, a system for measuring the relative severity of software flaw vulnerabilities
• Common Configuration Scoring System (CCSS) 1.0, a system for measuring the relative severity of system security configuration issues

Integrity:

• Trust Model for Security Automation Data (TMSAD) 1.0, a specification for using digital signatures in a common trust model applied to other security automation specifications

Because some of these component specifications have been updated since the release of SCAP 1.2, tentative plans are for the SCAP 1.3 revision to add support for the following specifications to take advantage of their enhanced capabilities:

• OVAL 5.11.1, which was released in April 2015. See the OVAL Project Language changelog for information on the major changes from OVAL 5.10.1 to 5.11.1.
• CVSS v3.0, which was released in June 2015. See the CVSS v3.0 User Guide for information on the major changes from CVSS version 2.0 to 3.0.

Consideration is also being given to no longer requiring support for CVSS v2.0 in SCAP 1.3 or in the next update to SCAP.

NIST is soliciting public feedback on SCAP 1.3 to identify the potential changes that industry, government, and others would like to see in the SCAP specification.

Note to Reviewers

Feedback on the topics listed below are of particular interest to NIST to shape the development of SCAP 1.3. Commenters are encouraged to share their thoughts on one or more of these topics, as well as to suggest any other areas of revision or enhancement to SCAP.

• Regarding support for SCAP 1.0 (as documented in the SP 800-126 from November 2009), when should support for it no longer be required for backwards compatibility? Please suggest specific timeframes or conditions under which support should no longer be necessary.
• Regarding support for SCAP 1.1 (as documented in SP 800-126 Revision 1 from February 2011), when should support for it no longer be required for backwards compatibility? Please suggest specific timeframes or conditions under which support should no longer be necessary.
• What degree of backwards compatibility should be required for CVSS and OVAL? If possible, please provide estimates of the quantitative impact of restricting backwards compatibility.
• When should support for CVSS v2 no longer be required? Please suggest specific timeframes or conditions under which support should no longer be necessary.
• What should be the minimum OVAL version that SCAP 1.3 supports? (For SCAP 1.2, the minimum version is OVAL 5.3.) Provide specific reasons or requirements for needing a particular minimum OVAL version to be supported by SCAP 1.3.