The Security Content Automation Protocol (SCAP) consists of open standards that are widely used by organizations to measure and continuously monitor the security settings and controls of computer systems and applications in order to find software flaws and security-related configuration issues. Also, SCAP standardizes the nomenclature and formats used to manage and measure the vulnerability of computer systems to threats and their compliance to policies, especially Federal Information Security Management Act (FISMA).
NIST has published NIST Internal Report (NISTIR) 7511 Revision 5, Security Content Automation Protocol (SCAP) Version 1.3 Validation Program Test Requirements, the latest in a series of documents on SCAP, that describes the test requirements for SCAP version 1.3. SCAP 1.3 consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations.
The SCAP Validation Program offers vendors an opportunity to provide independent verification that security software correctly processes SCAP-expressed security information and provides standardized output. Industry and government end users benefit from the SCAP Validation Program by having assurance that SCAP-validated products have undergone independent testing and have met all necessary requirements defined in NISTIR 7511.
Under the SCAP Validation Program, independent laboratories are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). Independent laboratories conduct the tests defined in this document on products at the request of vendors and deliver the results to NIST. Based on the independent laboratory test report, the SCAP Validation Program then validates the product under test, and the validation certificates awarded to vendor products are publicly posted on the NIST SCAP Validated Products web page.
This publication is intended for NVLAP-accredited laboratories conducting SCAP product and module testing for the program, vendors interested in receiving SCAP validation for their products or modules, and organizations deploying SCAP products in their environments.