National Institute of Standards and Technology (NIST) - Information Technology Laboratory (ITL)

Security Content Automation Protocol (SCAP) Validation FAQ

SCAP 1.2 Validation Program FAQ

  1. What is Security Content Automation Protocol (SCAP) validation?
  2. What is new in the SCAP 1.2 Validation Program?
  3. What are the major changes in the NIST IR 7511 Revision 3 Errata?
  4. How should product consumers or acquisition professionals use the SCAP 1.2 Validated Products list?
  5. What is an SCAP validated tool and how should an SCAP tool be used?
  6. I have a question about my SCAP validated product. Who should I contact for customer support?
  7. When do the SCAP 1.0 validations expire?

SCAP 1.2 Validation Test Suite FAQ

  1. What is the SCAP 1.2 Validation Test Suite?
  2. What is the objective of making the validation test suite public?
  3. How was the public validation test suite developed?
  4. What is in the validation test suite?
  5. Is the validation test suite a security checklist?
  6. How can I use the validation test suite?
  7. What platforms are supported?
  8. Where can I comment and provide feedback on the validation test suite?

SCAP 1.2 Validation Test Suite Maintenance FAQ

  1. What version method is used for the validation test suite?
  2. How often is the validation test suite updated?
  3. What version of the validation test suite is used for testing SCAP enabled products?



  1. What is Security Content Automation Protocol (SCAP) validation?
    To enable the goals set forth in OMB Memorandum M-08-22, it is necessary to have security configuration scanning tools that can use official SCAP content. In response, NIST established the SCAP validation program. Implemented through the NIST National Voluntary Laboratory Accreditation Program (NVLAP), independent laboratories can be accredited to perform the testing necessary to validate that security tools can accurately parse the SCAP content required for their specific functionality. Additional details on SCAP validation are available at http://scap.nist.gov/validation/. More information about USGCB may be found at http://usgcb.nist.gov.
  2. What is new in the SCAP 1.2 Validation Program?
    The SCAP 1.2 Validation Program validates products against SCAP 1.2 and its component specifications. The SCAP 1.2 Validation Program supersedes the SCAP 1.0 Validation Program. The SCAP capabilities offered in the SCAP 1.2 program are authenticated configuration scanner (ACS) with optional CVE and OCIL validation. Vendors may choose one or both of the CVE and OCIL validation options in conjunction with the ACS capability. The optional validations may not be awarded without ACS. Products with an SCAP 1.2 validation are intended to be backward compatible in that they should correctly process well-formatted SCAP 1.0, SCAP 1.1, and SCAP 1.2 data streams. Refer to IR 7511 revision 3 for the SCAP 1.2 Derived Test Requirements.
  3. What are the major changes in the NIST IR 7511 Revision 3 Errata?

    The NIST IR 7511 Revision 3 errata released July 2013 includes updates concerning platform groupings, determination of product major version number, and clarification of requirements. No additional test requirements were introduced. The SCAP Validation Program no longer groups platforms into families. Vendors may choose individual platforms for validation testing. SCAP validation will be awarded to major product versions for one or more SCAP capabilities and one or more platforms. A complete list of changes is documented in the NIST IR 7511 Revision 3 errata table.

    The SCAP validation record includes information about the product, SCAP capabilities, and platforms tested. The vendor is responsible for choosing the SCAP capabilities and platforms required by their target market. Consumers are responsible for referencing the SCAP 1.2 validation record that details the level of SCAP testing performed on a product.

  4. How should product consumers or acquisition professionals use the SCAP 1.2 Validated Products list?
    SCAP 1.2 product validations are awarded to products that meet all requirements defined in NIST IR 7511 Revision 3. Vendors may choose the SCAP capabilities and platforms supported. Consumers and acquisition professionals should select products based on the needs of their respective organization. The SCAP Validation Program encourages consumers to note the following differences between validated products:
    • Operating systems supported
    • SCAP capabilities such as Authenticated Configuration Scanner, CVE, or OCIL
    • SCAP version of validation
    NOTE: Consumers should coordinate with the vendor to ensure the validated product supports operating systems relevant to their environment prior to purchase.
  5. What is an SCAP validated tool and how should an SCAP tool be used?

    The SCAP validated tools that are listed on the SCAP Validated Products page at http://nvd.nist.gov/scapproducts.cfm are those that have met all requirements defined in NIST IR 7511. Consumers of these products may download SCAP expressed checklists from http://checklists.nist.gov, import the SCAP expressed checklist into the SCAP validated tool, and scan computer systems assessing the configuration compliance with the checklist. SCAP expressed checklists are also referred to as SCAP Content and are listed as Tier III and Tier IV on the http://checklists.nist.gov site. SCAP enabled tools should be capable of importing and processing SCAP content available in the National Checklist Program Repository at http://checklists.nist.gov as well as any well-formed SCAP content from other sources.

    Consumers should refer to NIST IR 7511 for a complete list of test requirements that must be passed in order for a product to be awarded an SCAP validation and listed on the SCAP Validated Products web page. NIST validates products that meet the requirements defined in NIST IR 7511. NIST does not provide any guarantee concerning product performance.

  6. I have a question about my SCAP validated product. Who should I contact for customer support?

    Consumers of SCAP validated products should contact the product vendor with questions about performance and operational issues such as installation, configuration, erroneous results, or reporting. The vendor may be identified on the SCAP Validated Products list at http://nvd.nist.gov/scapproducts.cfm.

    The SCAP Validation Program team can answer questions about the information and resources available at http://scap.nist.gov/validation.

  7. When do the SCAP 1.0 validations expire?
    All SCAP 1.0 product validations expire December 31, 2013.
  8. What is the SCAP 1.2 Validation Test Suite?
    The SCAP 1.2 public validation test suite is a collection of SCAP 1.2 source content based on OVAL test types. This content is used for validating products in the SCAP 1.2 Validation Program. Although the USGCB content is not bundled with the public validation test suite, it is also exercised as part of SCAP 1.2 validations. USGCB data streams may be downloaded from http://usgcb.nist.gov.
  9. What is the objective of making the validation test suite public?
    NIST is making the SCAP 1.2 validation test suite public so tool vendors may better prepare products for validation, and so end users can perform their own conformance testing when selecting tools.
  10. How was the public validation test suite developed?
    The public validation test suite is the portion of the validation content that is based on OVAL test types. These OVAL test types were selected as a representation of Tier III and Tier IV data streams. The USGCB data streams are also exercised in the SCAP 1.2 Validation Program. The USGCB data streams are not included in the public validation test suite bundle and may be downloaded at http://usgcb.nist.gov.
  11. What is in the validation test suite?
    The test suite is a collection of SCAP 1.2 data streams, many based on OVAL test types. Each directory in the test suite contains several items:
    1. SCAP 1.2 data stream
    2. spreadsheet showing the expected configuration of the test system and the expected results
    3. configuration scripts for automating the configuration of test systems
    4. readme file
  12. Is the validation test suite a security checklist?
    No. The validation test suite is not an SCAP expressed checklist. The validation test suite is similar to unit testing. The goal is exercising all possible operators of selected OVAL test types.
  13. How can I use the validation test suite?
    This content should be run on a non-production system. While attempts are made to clean up the changes made as part of testing, there is no guarantee that the system will be in a secure or usable state afterward. After running this content, the system should be wiped and the operating system reinstalled and configured appropriately before the system is used.
    1. Install the operating system. Testers may start with a default installation.
    2. Configure target system according to the configuration defined in the spreadsheet. The configuration scripts may be used.
    3. Scan target system using the data stream in the validation test suite.
    4. Verify the tool's scan results match the expected results as defined in the spreadsheet.
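    Step 4 can be scripted, as in the following added example (not part of the NIST test suite or of any validated product). It assumes the spreadsheet's expected results were exported to CSV with hypothetical columns rule_id and expected, and that the tool reports XCCDF 1.2 rule results; the rule ids and sample data are constructed.

```python
import csv
import io
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed sample: expected results exported from the spreadsheet as CSV.
# The column names (rule_id, expected) are assumptions, not the suite's layout.
EXPECTED_CSV = """rule_id,expected
xccdf_gov.example_rule_file_equals,pass
xccdf_gov.example_rule_file_not_equal,fail
xccdf_gov.example_rule_registry_pattern,pass
xccdf_gov.example_rule_never_reported,pass
"""

# Constructed sample: XCCDF TestResult fragment as a scanner might report it.
RESULTS_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2">
  <rule-result idref="xccdf_gov.example_rule_file_equals"><result>pass</result></rule-result>
  <rule-result idref="xccdf_gov.example_rule_file_not_equal"><result>pass</result></rule-result>
  <rule-result idref="xccdf_gov.example_rule_registry_pattern"><result>pass</result></rule-result>
  <rule-result idref="xccdf_gov.example_rule_extra"><result>fail</result></rule-result>
</TestResult>"""

def load_expected(csv_text):
    """Map rule id -> expected result from the CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["rule_id"].strip(): r["expected"].strip().lower() for r in rows}

def load_actual(xml_text):
    """Map rule id -> reported result from every XCCDF rule-result element."""
    actual = {}
    for rr in ET.fromstring(xml_text).iter(XCCDF + "rule-result"):
        result = rr.findtext(XCCDF + "result") or ""
        actual[rr.get("idref")] = result.strip().lower()
    return actual

def compare(expected, actual):
    """Report wrong results, rules the tool skipped, and rules not expected."""
    report = {"mismatch": {}, "missing": [], "unexpected": []}
    for rule, want in expected.items():
        if rule not in actual:
            report["missing"].append(rule)  # tool never evaluated the rule
        elif actual[rule] != want:
            report["mismatch"][rule] = (want, actual[rule])
    report["unexpected"] = sorted(set(actual) - set(expected))
    return report

if __name__ == "__main__":
    print(compare(load_expected(EXPECTED_CSV), load_actual(RESULTS_XML)))
```

    A rule listed in the spreadsheet but absent from the tool's output is reported separately from a wrong result, since a silently skipped test would otherwise look like agreement.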
  14. What platforms are supported?
    The SCAP 1.2 Validation Program currently includes the Red Hat family of platforms and the Windows family of platforms.
  15. Where can I comment and provide feedback on the validation test suite?
    Please provide comments to the National Institute of Standards and Technology (NIST) at scap@nist.gov.
  16. What version method is used for the validation test suite?
    The validation test suite uses a version scheme composed of major version, minor version, patch release, and out of cycle release. For example, ValidationTestSuite-w-w.x.y.z, where:
    • w-w = major release - A major release would be an update of the validation program for a new version of SCAP. Because the version method is being introduced with the SCAP 1.2 Validation Program, the initial release of the test suite in December 2012 is 1-2.0.0.0.
    • x = minor release - A minor release covers the expansion of the validation test suite such as the addition of new OVAL test types, expansion to the existing OVAL check types, or the addition of an SCAP capability or platform to the existing Validation Program.
    • y = patch release - A patch release includes only corrections in the data streams. No new functionality or expansion is included in patch releases.
    • z = out of cycle release - An out of cycle release includes only corrections in the data streams for errors that are deemed particularly serious or errors that could result in validated tools that return erroneous output.
  17. How often is the validation test suite updated?
    The development and maintenance cycle for the validation test suite is six months. The first four months are designated for planning, development, and quality assurance testing. These activities result in a beta release that is published for community feedback. After the feedback is reviewed and addressed, the final release is published to http://scap.nist.gov/validation/resources.html. Patch updates may be published every six months as needed. Minor releases may be published once a year as needed.
  18. What version of the validation test suite is used for testing SCAP enabled products?
    The validation test suite version that will be accepted for SCAP 1.2 validation consideration is determined by the date when NIST receives the test report from the accredited laboratory. In order for the product to be considered for an SCAP 1.2 validation, the validation test suite version used for testing should be either the currently posted version or the prior version released. Note that test reports reflecting the use of validation test suite versions older than 12 months will not be accepted unless it is the last version released. The validation test suite version that was used for testing will be part of the product validation record and will be available on the SCAP 1.2 Validated Products web page.