National Institute of Standards and Technology (NIST) - Information technology Laboratory (ITL)

SCAP Related Publications

NIST SP 800-117

DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP), has been released for public comment. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-117 provides an overview of SCAP, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains how IT product and service vendors can adopt SCAP's capabilities within their offerings.

Revision History

May 5, 2009 - Initial Draft
NIST requests comments on draft SP 800-117 by June 12, 2009. Please submit comments to 800-117comments@nist.gov with "Comments SP 800-117" in the subject line.

NIST SP 800-126

The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0, has been released. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-126 also provides an overview of SCAP, focusing on how software developers can integrate SCAP technology into their product offerings and interfaces.

Revision History

November 2009 - Final
Final version of 800-126 for SCAP Version 1.0 released.
July 31, 2009 - Initial Draft
NIST requests comments on draft SP 800-126 by August 31, 2009. Please submit comments to 800-126comments@nist.gov with "Comments SP 800-126" in the subject line.

NIST IR 7511

This report describes the requirements that must be met by products to achieve SCAP validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. The NIST IR 7511 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.

Interested parties should review the latest release of the NIST IR 7511.

Revision History

February 2009 - Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (DRAFT)
This publication supersedes the draft Security Content Automation Protocol (SCAP) Validation Program Test Requirements Version 1.0 that was released in August 2008 as draft. This publication will be used for SCAP validation effective January 31, 2009.