GUIDE TO ADOPTING AND USING THE SECURITY CONTENT AUTOMATION PROTOCOL (SCAP) VERSION 1.0
Executive Summary
Managing the security of systems throughout an enterprise is challenging for several reasons. Most
organizations have many systems to patch and configure securely, with numerous pieces of software
(operating systems and applications) to be secured on each system. Organizations need to conduct
continuous monitoring of the security configuration of each system and be able to determine the security
posture of systems and the organization at any given time. Organizations also need to demonstrate
compliance with various sets of security requirements, such as the Federal Information Security
Management Act (FISMA), which is mandated by the U.S. Government for its agencies. All of these
tasks are extremely time-consuming and error-prone because there has been no standardized, automated
way of performing them. Another problem for organizations is the lack of interoperability across security
tools; for example, the use of proprietary names for vulnerabilities or platforms creates inconsistencies in
reports from multiple tools, which can cause delays in security assessment, decision-making, and
vulnerability remediation.
Organizations need standardized, automated approaches to overcoming these challenges, and the Security
Content Automation Protocol (SCAP) was developed to help address this. The definition for SCAP
(pronounced ess-cap), as expressed in NIST Special Publication (SP) 800-126, is “a suite of specifications
that standardize the format and nomenclature by which security software products communicate software
flaw and security configuration information.” SCAP is designed to organize, express, and measure
security-related information, and related reference data such as identifiers for post-compilation software
flaws and security configuration issues, in standardized ways. SCAP can be used to maintain the security
of enterprise systems through tasks such as automatically verifying the installation of patches, checking
system security configuration settings, and examining systems for signs of compromise. Individual
specifications that comprise SCAP can also be used for forensic activities and other purposes.
This document describes common uses of SCAP and makes recommendations for SCAP users. The
document also provides insights to IT product and service vendors about adopting SCAP in their
offerings. SCAP does not replace existing security software; rather, support for it can be embedded into
existing software.
To take advantage of SCAP’s capabilities, organizations should follow these recommendations:
Organizations should use security configuration checklists that are expressed using SCAP to
improve and monitor their systems’ security.
A security configuration checklist that is expressed using SCAP, otherwise known as an SCAP-expressed¹
checklist, documents desired security configuration settings, installed patches, and other
system security elements in a standardized format. Organizations should identify and obtain SCAP-
expressed checklists relevant for their systems’ software, then customize the checklists as appropriate to
meet specific organizational requirements. After fully testing the checklists, organizations should
implement their recommendations. (The current version of SCAP does not provide a capability to
automatically implement checklists. However, SCAP-expressed checklists can be applied today using
proprietary methods, and NIST plans on enhancing SCAP to provide standardized implementation
methods.) Organizations should use SCAP-expressed checklists on an ongoing basis to confirm that
systems are configured properly. Federal agencies should use SCAP-expressed checklists to ensure
conformance to NIST and OMB security configuration guidance.
¹ SCAP-expressed content conforms to the requirements specified in NIST SP 800-126 and can be tested for compliance with
SP 800-126 using the NIST-provided software located at http://scap.nist.gov/content.