U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Security Content Automation Protocol SCAP

SCAP 1.3

The following specifications comprise SCAP version 1.3.

Protocol

SCAP: Security Content Automation Protocol

Version: 1.3

Status: Final

Specification: NIST Special Publication (SP) 800-126 rev 3

Specification Annex: NIST Special Publication (SP) 800-126 rev 3 Annex

XML Schema: Source Data Stream, Constructs

Example: Source Data Stream Example

Schematron: Instructions and Download

Tools

SCAP Content Validation Tool

Version: 1.3.6 Release Candidate

Released: 07/15/2021

Download: SCAP Content Validation Tool (Download 41 MB)

SHA-256: 6FFA769C72E95736D05F14ADBC81381A968ECF7A00171D2F4FCFE2A9EF15E3F9

Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.1, 1.2, and 1.3. For additional information about how to use the tool run: scapval.bat -h.

SCAP Content Validation Tool

Version: 1.3.5

Released: 08/05/2020

Download: SCAP Content Validation Tool (Download 21 MB)

SHA-256: 089E81633341506BF29A3C257459077B8D3D2420B7366D91C8C1BF079C922B7C

Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.1, 1.2, and 1.3. For additional information about how to use the tool run: scapval.bat -h.

Languages

XCCDF: The Extensible Configuration Checklist Description Format

Version: 1.2

Web site: https://scap.nist.gov/specifications/xccdf/

Email Discussion List: xccdf-dev@nist.gov (View archive) (Subscribe) (Unsubscribe)

OVAL®: Open Vulnerability and Assessment Language

Version: 5.11.2

Web site: https://oval.cisecurity.org/community

Developer's Forum: oval_developer@lists.cisecurity.org (View archive) (Register)

OCIL: Open Checklist Interactive Language

Version: 2.0

Web site: https://scap.nist.gov/specifications/ocil/

Email Discussion List: ocil-dev@nist.gov (Subscribe) (Unsubscribe)

Asset Identification

Version: 1.1

Web site: https://scap.nist.gov/specifications/ai/

Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)

ARF: Asset Reporting Format

Version: 1.1

Web site: https://scap.nist.gov/specifications/arf/

Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)

Identification schemes

CCE™: Common Configuration Enumeration

Version: 5

Contact Email: cce@nist.gov

Official CCE List: https://nvd.nist.gov/config/cce

Community Forum: cce-working-group@nist.gov (Subscribe) (Unsubscribe)

CPE™: Common Platform Enumeration

Version: 2.3

Web site: https://scap.nist.gov/specifications/cpe

Contact Email: cpe@nist.gov

Official Dictionary: https://nvd.nist.gov/products/cpe

Community Forum: cpe-discussion@nist.gov (Subscribe) (Unsubscribe)

Software Identification (SWID) Tags

Version: 2015

Web site: https://scap.nist.gov/specifications/swid

Contact Email: scap@nist.gov

CVE®: Common Vulnerabilities and Exposures

Version: No version

Web site: http://cve.mitre.org/

Contact Email: cve@mitre.org

Official CVE List: http://cve.mitre.org/cve/index.html

NVD CVE-based Vulnerabilities: https://nvd.nist.gov/view/vuln/search

Metrics

CVSS: Common Vulnerability Scoring System

Version: 3

Specification: CVSS v3 Specification

User Guide: CVSS v3 User Guide

Web site: http://www.first.org/cvss

CCSS: Common Configuration Scoring System

Version: 1.0

Specification: NIST IR 7502

Integrity

TMSAD: Trust Model for Security Automation Data

Version: 1.0

Web site: https://scap.nist.gov/specifications/tmsad

Related Publications and Resources

Guide to Using Vulnerability Naming Schemes

Specification: SP 800-51 Rev. 1

Created December 07, 2016, Updated October 26, 2021