National Institute of Standards and Technology (NIST) - Information Technology Laboratory (ITL)

SCAP Specifications

The following specifications are proposed for SCAP version 1.2.

Protocol

SCAP: Security Content Automation Protocol
Version: 1.2
Status: Final
Specification: NIST Special Publication (SP) 800-126 rev 2
XML Schema: Source Data Stream, Constructs
Example: Source Data Stream Example
Schematron: Instructions and Download
Errata: NIST Special Publication (SP) 800-126 Rev 2 Errata
Change Proposals: Summer 2011 Developer Days (May 31, 2011)

Tools

SCAP Content Validation Tool
Version: 1.2.1.11
Released: 06/04/2014
Download: SCAP Content Validation Tool (Download 20 MB)
sha-1: 80D45818F32C6D906406845720DDF9535ACC3B7C
sha-256: CEB372647898C59875128B6CA4590A06DAAD5924CFF9BFEC92AABD2248E5E60E
Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP versions 1.0, 1.1, and 1.2. The scapval.html file within the tool zip file contains additional information about how to run the tool.
SCAP 1.0 Zip Bundle to SCAP 1.2 Data Stream Converter
SourceForge Site

Languages

XCCDF: The Extensible Configuration Checklist Description Format
Version: 1.2
Web site: http://scap.nist.gov/specifications/xccdf/
Email Discussion List: xccdf-dev@nist.gov (View archive) (Subscribe) (Unsubscribe)
OVAL®: Open Vulnerability and Assessment Language
Version: 5.10
Web site: http://oval.mitre.org/
Developer's Forum: oval-developer-list@lists.mitre.org (View archive) (Register)
OCIL: Open Checklist Interactive Language
Version: 2.0
Web site: http://scap.nist.gov/specifications/ocil/
Email Discussion List: ocil-dev@nist.gov (Subscribe) (Unsubscribe)
Asset Identification
Version: 1.1
Web site: http://scap.nist.gov/specifications/ai/
Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)
ARF: Asset Reporting Format
Version: 1.1
Web site: http://scap.nist.gov/specifications/arf/
Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)

Enumerations

CCE™: Common Configuration Enumeration
Version: 5
Contact Email: cce@nist.gov
Official CCE List: http://nvd.nist.gov/cce
Community Forum: cce-working-group@nist.gov (Subscribe) (Unsubscribe)
CPE™: Common Platform Enumeration
Version: 2.3
Web site: http://scap.nist.gov/specifications/cpe
Contact Email: cpe@nist.gov
Official Dictionary: https://nvd.nist.gov/cpe.cfm
Community Forum: cpe-discussion@nist.gov (Subscribe) (Unsubscribe)
CVE®: Common Vulnerabilities and Exposures
Version: No version
Web site: http://cve.mitre.org/
Contact Email: cve@mitre.org
Official CVE List: http://cve.mitre.org/cve/index.html
NVD CVE-based Vulnerabilities: http://web.nvd.nist.gov/view/vuln/search

Metrics

CVSS: Common Vulnerability Scoring System
Version: 2
Specification: NIST IR 7435
Web site: http://www.first.org/cvss/
CCSS: Common Configuration Scoring System
Version: 1.0
Specification: NIST IR 7502

Integrity

TMSAD: Trust Model for Security Automation Data
Version: 1.0
Web site: http://scap.nist.gov/specifications/tmsad/

Related Publications and Resources

Guide to Using Vulnerability Naming Schemes
Specification: SP 800-51 Rev. 1