Date Published: December 11, 2025
Comments Due:
Email Comments to:
Author(s)
Dragos Prisaca (NIST), Stephen Quinn (NIST), Jack Vander Pol (NIWC Atlantic), Daniel Harris (NIWC Atlantic)
Announcement
About SCAP
The Security Content Automation Protocol (SCAP) is a suite of interoperable specifications for the standardized expression, exchange, and processing of security configuration and vulnerability information. SCAP enables consistent automation and reporting across products and environments by defining machine-readable content and associated processing requirements.
About the Publications
- SP 800-126r4 — Updates the SCAP technical specification to focus on SCAP Version 1.4 by removing backward compatibility requirements for earlier SCAP versions, revising digital signature requirements, and eliminating unused requirements. This revision also updates requirements regarding Open Vulnerability and Assessment Language (OVAL) references and related component specification (i.e., redirecting OVAL references to the OVAL Community GitHub). Hyperlinks and schema references are also updated to the current SCAP 1.4 resources.
- SP 800-126Ar4 (updated annex) — Aligns the annex with SCAP Version 1.4. Informative notes and change logs are refreshed, and the document structure and normative references are revised to conform to the latest NIST templates and editorial policies.
The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. This publication, along with its annex (NIST Special Publication 800-126Ar1) and a set of schemas, collectively define the technical composition of SCAP version 1.4 in terms of its component specifications, their interrelationships and interoperation, and the requirements for SCAP content.
The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. This publication, along with its annex (NIST Special Publication...
See full abstract
The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. This publication, along with its annex (NIST Special Publication 800-126Ar1) and a set of schemas, collectively define the technical composition of SCAP version 1.4 in terms of its component specifications, their interrelationships and interoperation, and the requirements for SCAP content.
Hide full abstract
Keywords
checklists; patch verification; security automation; security checklists; security configuration; Security Content Automation Protocol (SCAP); software flaws; vulnerabilities
Control Families
None selected
