Security Content Automation Protocol SCAP

SCAP 1.3

The following specifications comprise SCAP version 1.3.


SCAP: Security Content Automation Protocol

Version: 1.3

Status: Final

Specification: NIST Special Publication (SP) 800-126 rev 3

Specification Annex: NIST Special Publication (SP) 800-126 rev 3 Annex

XML Schema: Source Data Stream, Constructs

Example: Source Data Stream Example

Schematron: Instructions and Download


SCAP Content Validation Tool

Version: 1.3.5

Released: 08/05/2020

Download: SCAP Content Validation Tool (Download 21 MB)

SHA-256: 089E81633341506BF29A3C257459077B8D3D2420B7366D91C8C1BF079C922B7C

Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.1, 1.2, and 1.3. For additional information about how to use the tool run: scapval.bat -h.


XCCDF: The Extensible Configuration Checklist Description Format

Version: 1.2

Web site:

Email Discussion List: (View archive) (Subscribe) (Unsubscribe)

OVAL®: Open Vulnerability and Assessment Language

Version: 5.11.2

Web site:

Developer's Forum: (View archive) (Register)

OCIL: Open Checklist Interactive Language

Version: 2.0

Web site:

Email Discussion List: (Subscribe) (Unsubscribe)

Asset Identification

Version: 1.1

Web site:

Email Discussion List: (Subscribe) (Unsubscribe)

ARF: Asset Reporting Format

Version: 1.1

Web site:

Email Discussion List: (Subscribe) (Unsubscribe)

Identification schemes

CCE™: Common Configuration Enumeration

Version: 5

Contact Email:

Official CCE List:

Community Forum: (Subscribe) (Unsubscribe)

CPE™: Common Platform Enumeration

Version: 2.3

Web site:

Contact Email:

Official Dictionary:

Community Forum: (Subscribe) (Unsubscribe)

Software Identification (SWID) Tags

Version: 2015

Web site:

Contact Email:

CVE®: Common Vulnerabilities and Exposures

Version: No version

Web site:

Contact Email:

Official CVE List:

NVD CVE-based Vulnerabilities:


CVSS: Common Vulnerability Scoring System

Version: 3

Specification: CVSS v3 Specification

User Guide: CVSS v3 User Guide

Web site:

CCSS: Common Configuration Scoring System

Version: 1.0

Specification: NIST IR 7502


TMSAD: Trust Model for Security Automation Data

Version: 1.0

Web site:

Related Publications and Resources

Guide to Using Vulnerability Naming Schemes

Specification: SP 800-51 Rev. 1

Created December 07, 2016, Updated August 07, 2020