Added inline citation for opening paragraph along with more detail for what SCAP is/does.
Citation bot: Added bibcode. Removed URL that duplicated identifier. Removed parameters. | Use this bot. Report bugs. | Suggested by Headbomb | Linked from Wikipedia:WikiProject_Academic_Journals/Journals_cited_by_Wikipedia/Sandbox | #UCB_webform_linked 391/967
(4 intermediate revisions by 4 users not shown)
Line 6:
==Purpose==
To guard against security threats, organizations need to continuously monitor the computer systems and applications they have deployed, incorporate security upgrades to software and deploy updates to configurations. The Security Content Automation Protocol (SCAP), pronounced "ess-cap",<ref>{{Cite journal |last1=Radack |first1=Shirley |last2=Kuhn |first2=Rick |date=2011-02-04 |title=Managing Security: The Security Content Automation Protocol
Security Content Automation Protocol (SCAP) checklists standardize and enable automation of the linkage between computer security configurations and the [[National Institute of Standards and Technology|NIST]] [[NIST Special Publication 800-53|Special Publication 800-53]] (SP 800-53) controls framework. Since 2018, version 1.3 of SCAP is meant to perform initial measurement and continuous monitoring of security settings and corresponding SP 800-53 controls. Future versions will likely standardize and enable automation for implementing and changing security settings of corresponding SP 800-53 controls. In this way, SCAP contributes to the implementation, assessment, and monitoring steps of the NIST Risk Management Framework. Accordingly, SCAP forms an integral part of the NIST [http://csrc.nist.gov/groups/SMA/fisma/ FISMA] implementation project.▼
==SCAP Validation Program==▼
The SCAP Validation Program tests the ability of products to employ SCAP standards. The NIST [[National Voluntary Laboratory Accreditation Program]] (NVLAP) accredits independent laboratories under the program to perform SCAP validations. A vendor of a computer system configuration scanner can get their product validated against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way. Vendors seeking validation of a product can contact an [http://nvd.nist.gov/scapproducts.cfm#scap_labs NVLAP accredited SCAP validation laboratory] for assistance in the validation process.
A customer who is subject to the [[Federal Information Security Management Act of 2002|FISMA]] requirements, or wants to use security products that have been tested and validated to the SCAP standard by an independent third party laboratory, should visit the [http://nvd.nist.gov/scapproducts.cfm SCAP validated products web page] to verify the status of the product(s) being considered.▼
SCAP defines how the following standards (referred to as SCAP 'Components') are combined:
▲===SCAP Components===
Starting with SCAP version 1.0 (November, 2009)
* [[Common Vulnerabilities and Exposures]] [http://cve.mitre.org/ (CVE)]
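Review bot: the `<ref>{{Cite journal ...` opened after "pronounced "ess-cap"" in the Purpose paragraph is never closed within this hunk; confirm the saved wikitext terminates it with `}}</ref>`, because an unterminated cite template swallows everything after it into the reference and hides the rest of the section. A second, structural point in the same hunk: after the moves, `===SCAP Components===` (level 3) now follows the ==SCAP Validation Program== (level 2) heading and its two paragraphs, so the component list renders as a subsection of the validation program rather than of the protocol itself; moving `===SCAP Components===` and its lead sentence ("SCAP defines how the following standards ... are combined:") back above `==SCAP Validation Program==` keeps the outline consistent. The external links to `nvd.nist.gov/scapproducts.cfm` are plain `http://`; worth checking they still resolve before relying on them as the pointer to the validated-products list.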
Line 29 ⟶ 34:
Starting with SCAP version 1.3 (February, 2018)
* [https://csrc.nist.gov/projects/Software-Identification-SWID Software Identification (SWID) tags]
▲===SCAP Checklists===
▲Security Content Automation Protocol (SCAP) checklists standardize and enable automation of the linkage between computer security configurations and the [[National Institute of Standards and Technology|NIST]] [[NIST Special Publication 800-53|Special Publication 800-53]] (SP 800-53) controls framework. Since 2018, version 1.3 of SCAP is meant to perform initial measurement and continuous monitoring of security settings and corresponding SP 800-53 controls. Future versions will likely standardize and enable automation for implementing and changing security settings of corresponding SP 800-53 controls. In this way, SCAP contributes to the implementation, assessment, and monitoring steps of the NIST Risk Management Framework. Accordingly, SCAP forms an integral part of the NIST [http://csrc.nist.gov/groups/SMA/fisma/ FISMA] implementation project.
▲==SCAP Validation Program==
▲A customer who is subject to the [[Federal Information Security Management Act of 2002|FISMA]] requirements, or wants to use security products that have been tested and validated to the SCAP standard by an independent third party laboratory, should visit the [http://nvd.nist.gov/scapproducts.cfm SCAP validated products web page] to verify the status of the product(s) being considered.
==References==
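Review bot: the ▲-marked `===SCAP Checklists===` heading is shown moved out of this region, but no `===SCAP Checklists===` heading appears among the new-side lines of the first hunk, while its paragraph ("Security Content Automation Protocol (SCAP) checklists standardize ...") does reappear there inside ==Purpose==; as a result the checklists paragraph lands under Purpose without its own heading, and readers lose the subsection that distinguished checklists from the component standards. Either move the heading together with the paragraph or merge the paragraph into Purpose deliberately and drop the heading in the edit summary. Minor: "Starting with SCAP version 1.3 (February, 2018)" is dated only by a bare external link to the CSRC SWID project page; since this change adds a proper `{{Cite journal}}` to the opening paragraph, the 1.3 release date would benefit from the same `<ref>` treatment.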