Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

Security Content Automation Protocol Validation Program

SCAP Validation Resources Page

SCAP 1.3 Documents

SCAP Version 1.3 Validation Program Derived Test Requirements
Revision: 5
Status: Final
Specification: Security Content Automation Protocol (SCAP) Version 1.3 Validation Program Test Requirements

SCAP: Security Content Automation Protocol
Version: 1.3
Status: Final
Specification: The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3

SCAP: Annex to NIST Special Publication 800-126 Revision 3
Version: 1.3
Status: Final
Specification: SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3

SCAP 1.2 Documents

SCAP Version 1.2 Validation Program Derived Test Requirements
Revision: 4
Status: Final
Specification: SCAP 1.2 Validation Program Test Requirements

SCAP: Security Content Automation Protocol
Version: 1.2
Status: Final
Specification: NIST SP800-126 Rev. 2

SCAP 1.2 Validation Program FAQ

The SCAP Validation Program FAQ addresses common questions about updates to the SCAP 1.2 Validation Program.

SCAP Content used in the SCAP 1.2 Validation Program

The SCAP 1.2 Validation Program uses two broad categories of SCAP content for testing products. The broad categories of content include:

  • Validation Test Content
    • OVAL Test Data (SCAP 1.2)
    • Content for specific DTR requirements (SCAP 1.2, SCAP 1.1, and SCAP 1.0)
  • USGCB Content (SCAP 1.2, SCAP 1.1, and SCAP 1.0)

The Validation Test Content contains OVAL Test Data that exercises commonly used OVAL constructs and the data streams needed for testing specific DTR requirements:

  • validationTestSuites - contains the discrete data streams organized by OVAL test.
  • combinedDataStreams - contains the combined individual (discrete) data streams organized by platform.
  • requirementsTest - contains the data streams for testing specific DTR requirements such as SCAP.R.500, SCAP.R.600, SCAP.R.700, SCAP.R.800, SCAP.R.1100, SCAP.R.1200, SCAP.R.1800 (OCIL), SCAP.R.1900, SCAP.R.2100, SCAP.R.2200, SCAP.R.2910, SCAP.R.2920, SCAP.R.2930, SCAP.R.2940, SCAP.R.3005, SCAP.R.3010, and SCAP.R.3300.

This test suite is closer to unit testing rather than being based on a checklist. We recommend reviewing the FAQ and Validation Test Suite readme file prior to use.

SCAP Validation Test Content Releases

Date SCAP Content Documentation Expiration Date
September 14, 2017 Validation Test Suite version 1-2.2.0.0

Download: Validation Test Suite Bundle
Change log n/a
  SHA256

7D33B68D6589D877FF0CE6C8A508F98578734F9C9BE54E09BBB96BF2855F9B70

June 8, 2017 Validation Test Suite version (RELEASE CANDIDATE) 1-2.2.0.0-rc1   Last Date for Comments:
July 8, 2017
June 02, 2016 Validation Test Suite version 1-2.1.1.0
Download: Validation Test Suite Bundle
Change log March 15, 2018
  SHA256

768749B36CCF6B92947A18014A3018DDBDD95126E2CA93DAB18EA318E1712D7B

April 05, 2016 Validation Test Suite version 1-2.1.0.0
Download: Validation Test Suite Bundle
Change log
Known Issues
December 02, 2016
  SHA256

AA139815572FED37F5C825B5003C82EF38D47529B00D998FF1E0DB7FF30ED538

February 16, 2016 Validation Test Suite version (RELEASE CANDIDATE) 1-2.1.0.0-rc1   Last Date for Comments:
March 18, 2016
February 08, 2016 Validation Test Suite version 1-2.0.3.0 -- Updated catalog files for Windows
Download: Validation Test Suite Bundle
Change log August 31, 2016
  SHA256

C61528D861BDC2C1DC0F3A8FE8D6D11AB366AF433C833288826E9B850C402FDF

April 1, 2015 Validation Test Suite version 1-2.0.3.0
Download: Validation Test Suite Bundle
Change log August 31, 2016
  SHA256

5B42B6D9D5FFF2E2E1658D89382B9B960231C12C1966072B6754A01EFF9B0389

February 03, 2015 Validation Test Suite version (RELEASE CANDIDATE) 1-2.0.3.0   Last Date for Comments:
March 03, 2015
March 11, 2014 Validation Test Suite version 1-2.0.2.0
Download: Validation Test Suite Bundle
Change log September 30, 2015
(Six months after the final release of 1-2.0.3.0)
  SHA256

0B829786357AA886D8D0774E73F1C31C60777A06AF115341B4B1216BF4A936DD

February 10, 2014 Validation Test Suite (RELEASE CANDIDATE) version 1-2.0.2.0-rc1   Last Date for Comments:
March 10, 2014
August 7, 2013 Validation Test Suite version 1-2.0.1.0
Download: Validation Test Suite Bundle
Change log August 7, 2014
  SHA256

3FA74D487403214032C4B36E8F535C3143DB2FE1991FE9757188E09D66EF7FAD

June 11, 2013 Validation Test Suite (RELEASE CANDIDATE) version 1-2.0.1.0-rc1   Last Date for Comments:
July 11, 2013
December 21, 2012 Validation Test Suite version 1-2.0.0.0 Original release December 21, 2013

USGCB Content

Description: The USGCB Red Hat and Windows content is included in the SCAP 1.2 Validation Program.USGCB Download: https://usgcb.nist.gov/

Tools

SCAP Content Validation Tool

Download: SCAP Content Validation Tool

Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.0 and 1.1. The scapval.html within the tool zip file contains additional information about how to run the tool.

SCAP Reference Implementation Tool

Download: SCAP Interpreter

Description: The SCAP Interpreter is an open source application that processes SCAP data streams. SCAP versions 1.0, 1.1, and 1.2 are supported. The SCAP Interpreter uses the XCCDF and OVAL Interpreters.

XCCDF Reference Implementation Tool

Download: XCCDF Interpreter

Description: The XCCDF Interpreter is an open source application for performing system analysis and report generation using the XCCDF format. This application will process an XCCDF and OVAL file.

OVAL Reference Implementation Tool

Download: OVAL Interpreter

Description: The OVAL interpreter (ovaldi) is an open source application that demonstrates the evaluation of OVAL definitions. This interpreter collects system information, evaluates it, and generates a detailed OVAL Results file.

OCIL Reference Implementation Tool

Download: OCIL Interpreter

Description: The OCIL interpreter (ocilqi) is an open source application that demonstrates how an OCIL document can be evaluated. It guides the end user in completing questionnaires, viewing, and computing results.

Created November 06, 2017, Updated August 28, 2018