Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

Security Content Automation Protocol

Release Cycle

The SCAP Release Cycle

Changes to SCAP impact a large number of organizations that manage content and provide SCAP Validated Products and Modules and SCAP-related services. A change to SCAP often results in considerable efforts to migrate products, content, and other capabilities to the new SCAP revision. To mitigate risks relating to level-of-effort, timing, and specification changes, revisions to SCAP are managed according to a coordinated process. The following work flow process addresses these concerns.

The SCAP release cycle defines a process for managing change relating to SCAP and the NIST SCAP Validation Program by providing a consistent and repeatable revision work flow. The process provides points of communication with the SCAP Community to facilitate the necessary community involvement, communication of upcoming changes, and time for development of products to address SCAP and validation program changes. Possible sources of change may include:

  • The addition of new SCAP specifications

  • Updates to existing specifications

  • Updates to DTRs based on new or revised specifications

  • Enhancements to DTRs or testing procedures for existing SCAP specifications or capabilities.

 

Expected SCAP Revision Cycle

Steps:

  1. The NIST review, community feedback, and update candidate process - This step allows a specification to mature and demonstrate value in terms of operational use within organizations, community feedback, vendor use and adoption, etc., without imposing a time limit.

  2. Review Candidate SCAP Specifications - As specifications evolve, NIST may consider a new or modified specification for SCAP adoption. Periodically, a specification reaches a degree of maturity, adoption, and utility where NIST considers it a potential candidate for SCAP. These specifications will be announced so that the community will have time to provide additional comments and feedback before the specification becomes final. If the specification is already final, this will allow an additional comment period before NIST publishes the draft NIST SP 800-126 (see step 3).

  3. Deadline for Publication of Draft SCAP SP 800-126 and Validation DTRs (NIST IR 7511) - Candidate specifications that are identified as potential SCAP specifications will be included in the Draft NIST SP 800-126. Likewise, a draft publication of NIST IR 7511: Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements will be updated to include derived test requirements (DTRs). These draft publications serve as the official notice to the community that the validation testing program will include new or updated specifications. If there are no new candidate specifications and there are no changes to the specifications from the previous year, then the current NIST SP 800-126 will remain in effect. Review of this draft will follow the NIST publication review process.

  4. SCAP Beta Content Available - After publishing the draft NIST SP 800-126 and NIST IR 7511, NIST will provide sample, beta quality content, for data streams for which they are responsible. For example, NIST is currently the custodian of the FDCC SCAP content on behalf of OMB. If the NIST SP 800-126 includes a new specification that will affect the FDCC SCAP content, beta FDCC SCAP content will be produced by NIST for use/testing by the community.

  5. Deadline for Publication of Final NIST SP 800-126 and Validation DTRs (NIST IR 7511) - No later than twelve months after the draft NIST SP 800-126 and NIST IR 7511 are published, they will become effective.

  6. SCAP Content Final - Related to step 4, content originally published as beta will become final at this time. The community can expect that the content will be released in various maturing versions including several versions of alpha, several versions of beta, and then in a final version at this time.

  7. Laboratory Product Validation Period Begins (DTR Effective Date) - After the finalization of NIST SP 800-126 and NIST IR 7511, accredited laboratories begin testing products using the finalized SP 800-126 and IR 7511 as official references. Products seeking new validations and those seeking re-validations will be tested using these new or updated documents. Even if the NIST SP 800-126 does not change, re-validation may be necessary due to changes in the NIST IR 7511.

  8. Laboratory Product Validation Period Ends (DTR Expiration Date) - 12 months from the start of step 7, product testing according to the previous versions of NIST SP 800-126 and NIST IR 7511 ends. Future product testing will use the latest versions of NIST SP 800-126 and NIST IR 7511.

  9. Product Validations Expire and Mandatory Content Maintenance Period Ends - Product validations are valid for 1 year from the time the validation was originally awarded. As a result, there will be overlapping validations adhering to different versions of NIST SP 800-126 and NIST IR 7511. NIST will maintain all SCAP content for a minimum period of 12 months from the date of step 8. As a general practice NIST maintains content using the "least version principle" to insure a maximum amount of backwards compatibility.

Created December 07, 2016, Updated October 04, 2018