Security Content Automation Protocol SCAP

SCAP 1.4

The following specifications comprise SCAP version 1.4.

Protocol

SCAP: Security Content Automation Protocol

Version: 1.4

Status: Initial Public Draft (IPD)

Specification: NIST Special Publication (SP) 800-126 rev 4 (IPD)

Specification Annex: NIST Special Publication (SP) 800-126 rev 4 Annex (IPD)

XML Schema: Source Data Stream, Constructs

Schematron: Instructions and Downloads

Contact: [email protected]

Tools

SCAP Content Validation Tool (scapval)

Version: 1.4.1

Released: 12/22/2025

Download: SCAP Content Validation Tool

File hash (sha-256): ddafadba7a1682efad1c30f175ae2be139bd2d253610dcb3d29fd37966eacee6

Description: The SCAP Content Validation Tool validates the technical correctness of an SCAP data stream against the requirements defined for a specific use case in NIST Special Publication (SP) 800-126. This version of the tool supports the validation of content conforming to SCAP versions 1.2, 1.3, and 1.4. For detailed usage instructions, execute the command `scapval.bat -h`.

Languages

XCCDF: The Extensible Configuration Checklist Description Format

Version: 1.2

Website: XCCDF

OVAL®: Open Vulnerability and Assessment Language

Version: 5.12.2

Website: OVAL Community on GitHub

OCIL: Open Checklist Interactive Language

Version: 2.0

Website: OCIL

Asset Identification

Version: 1.1

Website: AI

ARF: Asset Reporting Format

Version: 1.1

Website: ARF

Identification schemes

CCE™: Common Configuration Enumeration

Version: 5

Website: CCE

Official CCE List: CCE Platform Listing

CPE™: Common Platform Enumeration

Version: 2.3

Website: CPE

Contact Email: [email protected]

Official CPE Dictionary: CPE Dictionary

CVE®: Common Vulnerabilities and Exposures

Version: No version

Website: CVE

Official CVE Repository: CVE List on GitHub

NVD CVE-based Vulnerabilities: NVD Data Feed

Metrics

CVSS: Common Vulnerability Scoring System

Version: 3

Specification: CVSS v3 Specification

User Guide: CVSS v3 User Guide

Website: http://www.first.org/cvss

CCSS: Common Configuration Scoring System

Version: 1.0

Specification: NIST IR 7502

Integrity

TMSAD: Trust Model for Security Automation Data

Version: 1.0

Website: TMSAD