U.S. flag   An official website of the United States government

Security Content Automation Protocol SCAP

SCAP 1.3

The following specifications comprise SCAP version 1.3.


SCAP: Security Content Automation Protocol

Version: 1.3

Status: Final

Specification: NIST Special Publication (SP) 800-126 rev 3

Specification Annex: NIST Special Publication (SP) 800-126 rev 3 Annex

XML Schema: Source Data Stream, Constructs

Example: Source Data Stream Example

Schematron: Instructions and Download


SCAP Content Validation Tool

Version: 1.3.5

Released: 08/05/2020

Download: SCAP Content Validation Tool (Download 21 MB)

SHA-256: 089E81633341506BF29A3C257459077B8D3D2420B7366D91C8C1BF079C922B7C

Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.1, 1.2, and 1.3. For additional information about how to use the tool run: scapval.bat -h.


XCCDF: The Extensible Configuration Checklist Description Format

Version: 1.2

Web site: https://scap.nist.gov/specifications/xccdf/

Email Discussion List: xccdf-dev@nist.gov (View archive) (Subscribe) (Unsubscribe)

OVAL®: Open Vulnerability and Assessment Language

Version: 5.11.2

Web site: https://oval.cisecurity.org/community

Developer's Forum: oval_developer@lists.cisecurity.org (View archive) (Register)

OCIL: Open Checklist Interactive Language

Version: 2.0

Web site: https://scap.nist.gov/specifications/ocil/

Email Discussion List: ocil-dev@nist.gov (Subscribe) (Unsubscribe)

Asset Identification

Version: 1.1

Web site: https://scap.nist.gov/specifications/ai/

Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)

ARF: Asset Reporting Format

Version: 1.1

Web site: https://scap.nist.gov/specifications/arf/

Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)

Identification schemes

CCE™: Common Configuration Enumeration

Version: 5

Contact Email: cce@nist.gov

Official CCE List: https://nvd.nist.gov/config/cce

Community Forum: cce-working-group@nist.gov (Subscribe) (Unsubscribe)

CPE™: Common Platform Enumeration

Version: 2.3

Web site: https://scap.nist.gov/specifications/cpe

Contact Email: cpe@nist.gov

Official Dictionary: https://nvd.nist.gov/products/cpe

Community Forum: cpe-discussion@nist.gov (Subscribe) (Unsubscribe)

Software Identification (SWID) Tags

Version: 2015

Web site: https://scap.nist.gov/specifications/swid

Contact Email: scap@nist.gov

CVE®: Common Vulnerabilities and Exposures

Version: No version

Web site: http://cve.mitre.org/

Contact Email: cve@mitre.org

Official CVE List: http://cve.mitre.org/cve/index.html

NVD CVE-based Vulnerabilities: https://nvd.nist.gov/view/vuln/search


CVSS: Common Vulnerability Scoring System

Version: 3

Specification: CVSS v3 Specification

User Guide: CVSS v3 User Guide

Web site: http://www.first.org/cvss

CCSS: Common Configuration Scoring System

Version: 1.0

Specification: NIST IR 7502


TMSAD: Trust Model for Security Automation Data

Version: 1.0

Web site: https://scap.nist.gov/specifications/tmsad

Related Publications and Resources

Guide to Using Vulnerability Naming Schemes

Specification: SP 800-51 Rev. 1

Created December 07, 2016, Updated August 07, 2020