atsec information security

SCAP: FAQ about the Security Content Automation Protocol

What is the Security Content Automation Protocol?
The Security Content Automation Protocol (SCAP), pronounced “S-Cap”, combines a number of open standards that are used to enumerate software flaws and security-related configuration issues. These standards measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate the possible impact. SCAP is essentially a method for using those open standards for automated vulnerability management, measurement, and policy compliance evaluation. SCAP defines how the following standards are combined:

  • Common Vulnerabilities and Exposures (CVE®)
  • Common Configuration Enumeration (CCE™)
  • Common Platform Enumeration (CPE™)
  • Common Vulnerability Scoring System (CVSS)
  • Extensible Configuration Checklist Description Format (XCCDF)
  • Open Vulnerability and Assessment Language (OVAL™)

What is SCAP content?
SCAP content consists of

  • security checklist data
  • vulnerability and product name related enumerations
  • mappings between the enumerations.

Security checklist data is written in a machine-readable language (XCCDF). SCAP checklists have been submitted to, and accepted by, the NIST National Checklist Program. They also conform to an SCAP template and style guide to ensure compatibility with SCAP products and services.

The SCAP enumerations are a list of all known security-related software flaws, a list of known software configuration issues, and a list of standard vendor and product names.

The SCAP mappings link the enumerations to each other and provide standards-based impact measurements for software flaws and configuration issues. The National Vulnerability Database (NVD) provides the official SCAP mappings. The mappings make it possible to determine, for any given software flaw, the affected standard product names and the standard impact score.
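As an added example (not atsec's or NIST's code), here is how a tool might apply the NVD mappings described above to a scanned host's product inventory. The feed records, CVE numbers, CPE names and scores are constructed placeholders; the CPE 2.2 URI prefix matching and the NVD CVSS v2 severity bands are the assumed matching rules.

```python
"""Apply NVD-style SCAP mappings (CVE -> affected CPE names + CVSS score)
to a host's CPE inventory. Added illustration, not atsec's or NIST's code;
the feed records, CVE identifiers and scores below are constructed placeholders."""

# Constructed stand-in for an NVD CVE data feed: each software flaw lists the
# CPE 2.2 names it affects and its CVSS base score (placeholder CVE numbers).
CVE_FEED = [
    {"cve": "CVE-0000-0001", "cpe": ["cpe:/a:example:webserver:2.4"], "cvss": 7.5},
    {"cve": "CVE-0000-0002", "cpe": ["cpe:/a:example:webserver"], "cvss": 4.3},
    {"cve": "CVE-0000-0003", "cpe": ["cpe:/a:example:webserver:2.2"], "cvss": 9.8},
    {"cve": "CVE-0000-0004", "cpe": ["cpe:/o:example:linux:5"], "cvss": 5.0},
]

# Constructed inventory as a scanner would report it: one application, one OS.
HOST_INVENTORY = ["cpe:/a:example:webserver:2.4", "cpe:/o:example:linux:5"]


def cpe_components(cpe):
    """Split a CPE 2.2 URI 'cpe:/part:vendor:product:version:...' into its fields."""
    if not cpe.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % cpe)
    return cpe[len("cpe:/"):].split(":")


def cpe_matches(pattern, name):
    """True when every field present in the feed's pattern equals the same field
    of the inventory name; fields the pattern omits (e.g. version) match anything."""
    pat, nam = cpe_components(pattern), cpe_components(name)
    for i, field in enumerate(pat):
        if field == "":
            continue                      # empty field: unspecified, matches all
        if i >= len(nam) or nam[i] != field:
            return False
    return True


def severity(cvss):
    """NVD severity band for a CVSS v2 base score (Low < 4.0 <= Medium < 7.0 <= High)."""
    return "High" if cvss >= 7.0 else "Medium" if cvss >= 4.0 else "Low"


def applicable_cves(inventory, feed=CVE_FEED):
    """Return (cve, matched inventory CPE, cvss) triples, highest impact first."""
    hits = []
    for record in feed:
        for name in inventory:
            if any(cpe_matches(pat, name) for pat in record["cpe"]):
                hits.append((record["cve"], name, record["cvss"]))
                break                     # report each flaw once per host
    return sorted(hits, key=lambda hit: -hit[2])


if __name__ == "__main__":
    for cve, name, score in applicable_cves(HOST_INVENTORY):
        print("%s affects %s (CVSS %.1f, %s)" % (cve, name, score, severity(score)))
```

A real implementation would read the NVD data feeds instead of the inline list; the matching logic stays the same.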

How do I obtain SCAP content?
The U.S. government data repository for SCAP content is the National Vulnerability Database (NVD), available at http://nvd.nist.gov. NVD contains data feeds for each standard that can be used license-free by the security community. SCAP content repositories for security checklists may become available directly from software vendors or checklist organizations. In such cases, NVD will provide links to the non-NVD SCAP resources.

How does SCAP help with FISMA compliance and with complying with other mandates?
Security Content Automation Protocol (SCAP) checklists standardize and enable automation of the linkage between computer security configurations and the NIST Special Publication 800-53 Revision 1 (SP 800-53 Rev1) controls framework. The current version of SCAP is meant to perform initial measurement and continuous monitoring of security settings and the corresponding SP 800-53 Rev1 controls. Future versions will likely standardize and enable automation for implementing and changing the security settings of corresponding SP 800-53 Rev1 controls. In this way, SCAP contributes to the implementation, assessment, and monitoring steps of the NIST Risk Management Framework. Accordingly, SCAP is an integral part of the NIST FISMA implementation project.

Who needs to validate their products under SCAP?
Vendors of security configuration management, vulnerability testing and other security auditing tools who wish to sell products into the U.S. Government market under FISMA requirements, or to commercial customers who have adopted the standard’s requirements.

Who authors SCAP checklists and test procedures?
SCAP checklists and test procedures are authored, tested, and approved according to the National Checklist Program (http://nvd.nist.gov/ncp.cfm). More specifically, SCAP checklists and test procedures can be authored by almost any entity, including vendors of the actual products. SCAP checklists and test procedures are then processed through the eight-step NIST Special Publication 800-70 IT Product Checklist Lifecycle. Subsequently, SCAP checklists and test procedures become officially acknowledged and published. All SCAP checklists are either published within or referenced by the National Vulnerability Database (NVD, http://nvd.nist.gov) Web site. SCAP checklists conform to the SCAP XCCDF style guide and template.

Are there any fees or licensing restrictions associated with SCAP checklists and Test Procedures?
There are no licensing fees or restrictions associated with the SCAP content hosted through the National Vulnerability Database (NVD, http://nvd.nist.gov). Vendors, government agencies, and other organizations are encouraged to use this SCAP content for whatever purposes they envision, including as a source for SCAP-capable tools. Note that SCAP enumeration data is derived from open standards.

Have all vendors who advertise “SCAP-compliant” for their product implemented the SCAP standard in an identical manner?
Buyers are encouraged to research “SCAP compatible” products and services thoroughly before investing. Note that not all products have fully implemented every SCAP standard. See the SCAP website on NVD for information on SCAP and for lists of validated products. Now that the standard is in force, a product labelled “SCAP-Compliant” or “SCAP-Compatible” will not by itself meet FISMA requirements: the product must be NIST validated for the components and capabilities that you need.

How can I get a copy of the standards?
The main SCAP standard can be found here:

The six underlying SCAP standards can be found at:

Why do we need independent testing?
Independent third-party testing assures the customer/user that the product meets the NIST specifications. The SCAP standards can be complex, and several configurations must be tested for each component and capability to ensure that the product meets the requirements. An accredited third-party lab provides assurance that the product has been thoroughly tested and has been found to meet all of the requirements.

Who does independent testing?
The SCAP program accepts test results for validation from laboratories that are accredited by NVLAP for SCAP testing. This accreditation is earned after a full review of the laboratory’s QMS and passing of the technical proficiency tests.

How long does it take to get an SCAP compliant product validated?
The time taken to complete testing and validation depends on several factors.

Assuming that we have a completed product that conforms to the specifications, testing can take between as little as 2 weeks and several months or more of laboratory time.

Once we have completed all testing and submitted the report to NIST, the validation can be issued in as little as a few weeks.

How much does it cost?
The cost of conformance testing and validation varies with the readiness of the product, the nature of the product (which and how many SCAP components and capabilities are included), previous analysis and evaluation of versions of the product, and the requested timeline.

Please contact us at CMTL@atsec.com to initiate discussions on likely costs.

What is validation?
The SCAP Program is responsible for maintaining the SCAP standard and ensuring that validated products comply with it. It is this latter responsibility from which the program finds its role as validator. It ensures that the testing performed by the laboratory has been carried out correctly.

What are the requirements for validation from your side?
The laboratory needs all the evidence in order to complete the mandatory tests given in the derived test requirements:

  • a contract and NDA
  • the evidence for the SCAP test requirements listed in the Derived Test Requirements of the SCAP standard
  • access to your product and its documentation.

Will I be supervised by the NIST?
No, the lab is supervised by the NIST.

In general, the laboratory acts as your advocate to the SCAP program. The lab will ensure that the tests are performed correctly and will resolve any questions or issues with you in order to present a complete report to the SCAP program for validation.

atsec is committed to helping vendors and sponsors successfully validate their modules as compliant with SCAP and will explain any problems discovered.

Resolutions often include:

  • provision of additional documentation
  • implementing minor product design or implementation changes

Often resolution of minor problems will not disrupt the schedule or the total cost.

How can atsec help with SCAP implementation?
atsec information security is an accredited validation laboratory under NVLAP (National Voluntary Laboratory Accreditation Program). We have extensive expertise in testing, evaluation and validation of software and hardware products. We offer:

  • Formal laboratory testing and validation using NIST test suites
  • Consultation about SCAP requirements
  • Assessment of test readiness

atsec information security | info@atsec.com