National Institute of Standards and Technology (NIST) - Information technology Laboratory (ITL)

Security Content Automation Protocol (SCAP) Validation Program

The SCAP Validation Program is designed to test the ability of products to use the features and functionality available through SCAP and its component standards.

Under the SCAP Validation Program, independent laboratories are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). Accreditation requirements are defined in NIST Handbook 150 and NIST Handbook 150-17. Independent laboratories conduct the tests contained in the SCAP Validation Program Derived Test Requirements Document on information technology (IT) security products and deliver the results to NIST. Based on the independent laboratory test report, the SCAP Validation Program then validates the product under test. The validations awarded to vendor products are publicly posted on the NIST SCAP Validated Tools web page at http://nvd.nist.gov/scapproducts.

SCAP validation will focus on evaluating specific versions of vendor products based on the platforms they support. Validations will be awarded on a platform-by-platform basis for the version of the product that was tested. Currently, products may seek validations on Red Hat and Windows platforms.

SCAP 1.2 (IR 7511 Rev 3)

SCAP 1.2 (IR 7511 Rev 3 Errata)

The IR 7511 Rev 3 Errata released July 2013 includes updates pertaining to platform groupings, the determination of product major version number, and clarification of requirements. Please see the change log table in the IR 7511 document for a complete list of updates.

Authenticated Configuration Scanner
The capability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges. The ACS capability includes the functionality previously covered by FDCC Scanner and USGCB Scanner capabilities.
  • CVE Option (optional CVE support may be combined with ACS)

    The CVE option is the capability to support CVEs. This option may be awarded in conjunction with the ACS validation. The CVE option cannot be claimed by itself.
  • OCIL Option (optional OCIL support may be combined with ACS)

    The OCIL option is the capability to support the Open Checklist Interactive Language (OCIL) to collect information (data) from people and/or from existing data stores populated by other collection efforts. The OCIL option cannot be claimed by itself. This option may only be claimed in conjunction with the Authenticated Configuration Scanner (ACS) capability.

SCAP 1.0 (IR 7511 Rev 2) - Superseded by SCAP 1.2 (IR 7511 Rev 3)

The SCAP 1.0 validations expire December 31, 2013.

FDCC Scanner
The capability to audit and assess a target system to determine its compliance with the FDCC requirements.
USGCB Scanner (IR 7511 Rev 2 Update 2)
The capability to audit and assess a target system to determine its compliance using USGCB content.
Authenticated Configuration Scanner
The capability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges.
Authenticated Vulnerability and Patch Scanner
The capability to scan a target system to locate and identify the presence of known vulnerabilities and evaluate the software patch status to determine compliance with a defined patch policy using target system logon privileges.
Unauthenticated Vulnerability Scanner
The capability of determining the presence of known vulnerabilities by evaluating the target system over the network.

Description of Legacy SCAP Capability Validations

Intrusion Detection and Prevention Systems (IDPS)
A product that monitors a system or network for unauthorized or malicious activities. An intrusion prevention system actively protects the target system or network against these activities.
Asset Management
The ability to actively discover, audit, and assess asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
Asset Database
The ability to passively store and report on asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
Vulnerability Database
A SCAP vulnerability database is a product that contains a catalog of security related software flaw issues labeled with CVEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of software flaws, references to additional information (e.g., links to patches or vulnerability advisories), and impact scores. The user-to-database interaction is provided independent of any scans, intrusion detection, or reporting activities. Thus, a product that only scans to find vulnerabilities and then stores the results in a database does not meet the requirements for an SCAP vulnerability database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about vulnerabilities, independent of a particular environment, would meet the definition of an SCAP vulnerability database.
Misconfiguration Database
A SCAP misconfiguration database is a product that contains a catalog of security related configuration issues labeled with CCEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of configuration issues and references to additional information (e.g., configuration guidance, mandates, or other advisories). The user-to-database interaction is provided independent of any configuration scans or intrusion detection activities. Thus, a product that only scans to find misconfigurations and then stores the results in a database does not meet the requirements for an SCAP misconfiguration database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about security related configuration issues, independent of a particular environment, would meet the definition of an SCAP misconfiguration database.
Malware Tool
The ability to identify and report on the presence of viruses, Trojan horses, spyware, or other malware on a target system.
Patch Remediation
The capability to install patches on a target system in compliance with a defined patching policy.
Misconfiguration Remediation
The capability to alter the configuration of a target system to bring it into compliance with a defined set of configuration recommendations.

The above information, along with details on all the test requirements products successfully met to achieve validation, can be found in the SCAP Validation Program Derived Test Requirements (DTR) document.