The following specifications comprise SCAP version 1.3.
SCAP: Security Content Automation Protocol
Version: 1.3
Status: Final
Specification: NIST Special Publication (SP) 800-126 rev 3
Specification Annex: NIST Special Publication (SP) 800-126 rev 3 Annex
XML Schema: Source Data Stream, Constructs
Example: Source Data Stream Example
Schematron: Instructions and Download
SCAP Content Validation Tool
Version: 1.3.6 Release Candidate 3
Released: 1/6/2022
Download: SCAP Content Validation Tool (Download 49 MB)
SHA-256: 82E60CBD184A6DF1744BA819E4AAA5F8857D223DC11C1AC7E72F4E99895A2B32
Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.1, 1.2, and 1.3. For additional information about how to use the tool run: scapval.bat -h.
XCCDF: The Extensible Configuration Checklist Description Format
Version: 1.2
Web site: https://scap.nist.gov/specifications/xccdf/
Email Discussion List: xccdf-dev@nist.gov (View archive) (Subscribe) (Unsubscribe)
OVAL®: Open Vulnerability and Assessment Language
Version: 5.11.2
Web site: OVAL Repository on GitHub
Developer's Forum: oval_developer@lists.cisecurity.org (View archive) (Register)
OCIL: Open Checklist Interactive Language
Version: 2.0
Web site: https://scap.nist.gov/specifications/ocil/
Email Discussion List: ocil-dev@nist.gov (Subscribe) (Unsubscribe)
Asset Identification
Version: 1.1
Web site: https://scap.nist.gov/specifications/ai/
Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)
ARF: Asset Reporting Format
Version: 1.1
Web site: https://scap.nist.gov/specifications/arf/
Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)
CCE™: Common Configuration Enumeration
Version: 5
Contact Email: cce@nist.gov
Official CCE List: https://nvd.nist.gov/config/cce
Community Forum: cce-working-group@nist.gov (Subscribe) (Unsubscribe)
CPE™: Common Platform Enumeration
Version: 2.3
Web site: https://scap.nist.gov/specifications/cpe
Contact Email: cpe@nist.gov
Official Dictionary: https://nvd.nist.gov/products/cpe
Community Forum: cpe-discussion@nist.gov (Subscribe) (Unsubscribe)
Software Identification (SWID) Tags
Version: 2015
Web site: https://scap.nist.gov/specifications/swid
Contact Email: scap@nist.gov
CVE®: Common Vulnerabilities and Exposures
Version: No version
Web site: http://cve.mitre.org/
Contact Email: cve@mitre.org
Official CVE List: http://cve.mitre.org/cve/index.html
NVD CVE-based Vulnerabilities: https://nvd.nist.gov/view/vuln/search
CVSS: Common Vulnerability Scoring System
Version: 3
Specification: CVSS v3 Specification
User Guide: CVSS v3 User Guide
Web site: http://www.first.org/cvss
CCSS: Common Configuration Scoring System
Version: 1.0
Specification: NIST IR 7502
TMSAD: Trust Model for Security Automation Data
Version: 1.0
Web site: https://scap.nist.gov/specifications/tmsad
Guide to Using Vulnerability Naming Schemes
Specification: SP 800-51 Rev. 1
Security and Privacy: configuration management, patch management, security automation, security measurement, vulnerability management