Security Content Automation Protocol: Difference between revisions

{{Short description|Set of security information exchange specifications}}
{{more footnotes|date=September 2023}}
{{Use American English|date=September 2023}}
{{Use mdy dates|date=September 2023}}
The '''Security Content Automation Protocol''' ('''SCAP''') is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of the systems deployed in an organization, including for example [[Federal Information Security Management Act of 2002|FISMA (Federal Information Security Management Act, 2002)]] compliance. The [[National Vulnerability Database]] (NVD) is the U.S. government content repository for SCAP. SCAP is not a single tool but a suite of specifications that standardize the formats and nomenclature used to express security configuration settings, compliance requirements, software flaws, and vulnerability and patch information, so that this data can be exchanged between tools, and between tools and people, without loss of meaning. OpenSCAP is one open-source implementation of the SCAP specifications. The objective of the framework is a community-driven approach to automated security mechanisms that is not tied to any single vendor.<ref>{{Cite web |last=Computer Security Division |first=Information Technology Laboratory |date=2016-12-07 |title=Security Content Automation Protocol {{!}} CSRC {{!}} CSRC |url=https://csrc.nist.gov/projects/security-content-automation-protocol/ |access-date=2024-01-15 |website=CSRC {{!}} NIST |language=EN-US}}</ref>
 
==Purpose==
To guard against security threats, organizations need to continuously monitor the computer systems and applications they have deployed, apply security upgrades to software, and deploy updates to configurations. The Security Content Automation Protocol (SCAP), pronounced "ess-cap"<ref>{{Cite journal |last1=Radack |first1=Shirley |last2=Kuhn |first2=Rick |date=2011-02-04 |title=Managing Security: The Security Content Automation Protocol |journal=IT Professional |volume=13 |issue=1 |pages=9–11 |doi=10.1109/MITP.2011.11 |bibcode=2011ITPro..13a...9R |s2cid=5344382 |issn=1520-9202}}</ref> (and commonly "skap"), comprises a number of open standards that are widely used to enumerate software flaws and configuration issues related to security. Applications that conduct security monitoring use these standards when measuring systems to find vulnerabilities, and use them to score those findings in order to evaluate the possible impact. The SCAP suite of specifications standardizes the nomenclature and formats used by these automated vulnerability management, measurement, and policy compliance products, so that checklist content written for one SCAP-validated scanner can be consumed by another and the results can be compared across tools.
 
===SCAP Checklists===
Security Content Automation Protocol (SCAP) checklists standardize and enable automation of the linkage between computer security configurations and the [[National Institute of Standards and Technology|NIST]] [[NIST Special Publication 800-53|Special Publication 800-53]] (SP 800-53) controls framework. Since 2018 the current version of SCAP, 1.3, is meant to perform initial measurement and continuous monitoring of security settings and the corresponding SP 800-53 controls. Future versions are expected to standardize and enable automation for implementing and changing the security settings that correspond to SP 800-53 controls. In this way, SCAP contributes to the implementation, assessment, and monitoring steps of the NIST Risk Management Framework. Accordingly, SCAP forms an integral part of the NIST [http://csrc.nist.gov/groups/SMA/fisma/ FISMA] implementation project.
 
==SCAP Validation Program==
The SCAP Validation Program tests the ability of products to employ SCAP standards. The NIST [[National Voluntary Laboratory Accreditation Program]] (NVLAP) accredits independent laboratories under the program to perform SCAP validations. A vendor of a computer system configuration scanner can have the product validated against SCAP, demonstrating that it will interoperate with other SCAP-validated scanners and express scan results in the standardized formats. Vendors seeking validation of a product can contact an [http://nvd.nist.gov/scapproducts.cfm#scap_labs NVLAP accredited SCAP validation laboratory] for assistance in the validation process.
 
A customer who is subject to the [[Federal Information Security Management Act of 2002|FISMA]] requirements, or wants to use security products that have been tested and validated to the SCAP standard by an [http://nvd.nist.gov/scapproducts.cfm#scap_labs independent third party laboratory], should visit the [http://nvd.nist.gov/scapproducts.cfm SCAP validated products web page] to verify the status of the product(s) being considered.
 
==SCAP Components==
SCAP defines how the following standards (referred to as SCAP 'Components') are combined:
Starting with SCAP version 1.0 (November 2009)
* [[Common Vulnerabilities and Exposures]] [http://cve.mitre.org/ (CVE)]
* [https://web.archive.org/web/20140807223026/https://nvd.nist.gov/cce/ Common Configuration Enumeration (CCE)] ([http://cce.mitre.org/ prior web-site at MITRE])
* [http://scap.nist.gov/specifications/cpe/ Common Platform Enumeration (CPE)]
* [http://www.first.org/cvss/ Common Vulnerability Scoring System (CVSS)]
* [[Extensible Configuration Checklist Description Format]] [http://scap.nist.gov/specifications/xccdf/ (XCCDF)]
* [[Open Vulnerability and Assessment Language]] [http://oval.mitre.org/ (OVAL)]
Starting with SCAP version 1.1 (February 2011)
* [http://scap.nist.gov/specifications/ocil/ Open Checklist Interactive Language (OCIL) Version 2.0]
Starting with SCAP version 1.2 (September 2011)
* [http://scap.nist.gov/specifications/ai/ Asset Identification (AID)]
* [http://scap.nist.gov/specifications/arf/ Asset Reporting Format (ARF)]
* [http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7502 Common Configuration Scoring System (CCSS)]
* [http://scap.nist.gov/specifications/tmsad/ Trust Model for Security Automation Data (TMSAD)]
Starting with SCAP version 1.3 (February 2018)
* [https://csrc.nist.gov/projects/Software-Identification-SWID Software Identification (SWID) tags]
 
==References==
{{Reflist}}
 
==External links==
*[http://scap.nist.gov Security Content Automation Protocol web site]
*[https://nvd.nist.gov/ National Vulnerability Database web site]
*[https://makingsecuritymeasurable.mitre.org/index.html Mitre "Making Security Measurable" web site]
*[https://cyber.trackr.live/ SCAP Search]
 
{{Authority control}}
 
[[Category:Computer security]]
[[Category:Security compliance]]
[[Category:Computer security standards]]