National Institute of Standards and Technology (NIST) - Information Technology Laboratory (ITL)

SCAP 1.3 Specifications

The following specifications are proposed for SCAP version 1.3.

Protocol

SCAP: Security Content Automation Protocol
Version: 1.3
Status: Final
Specification: NIST Special Publication (SP) 800-126 rev 3
Specification Annex: NIST Special Publication (SP) 800-126 rev 3 Annex
XML Schema: Source Data Stream, Constructs
Example: Source Data Stream Example
Schematron: Instructions and Download

Tools

SCAP Content Validation Tool
Version: 1.3.2
Released: 02/14/2018
Download: SCAP Content Validation Tool (Download 21 MB)
SHA-256: 8267128F57EBAEF007AD37F6BEC2AA9F0A73FC76DD07D983BDD6CB909A39AE76
Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP versions 1.1, 1.2, and 1.3. For additional information about how to use the tool, run: scapval.bat -h.

Languages

XCCDF: The Extensible Configuration Checklist Description Format
Version: 1.2
Web site: https://scap.nist.gov/specifications/xccdf/
Email Discussion List: xccdf-dev@nist.gov (View archive) (Subscribe) (Unsubscribe)
OVAL®: Open Vulnerability and Assessment Language
Version: 5.11.2
Web site: https://oval.cisecurity.org/community
Developer's Forum: oval_developer@lists.cisecurity.org (View archive) (Register)
OCIL: Open Checklist Interactive Language
Version: 2.0
Web site: https://scap.nist.gov/specifications/ocil/
Email Discussion List: ocil-dev@nist.gov (Subscribe) (Unsubscribe)
Asset Identification
Version: 1.1
Web site: https://scap.nist.gov/specifications/ai/
Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)
ARF: Asset Reporting Format
Version: 1.1
Web site: https://scap.nist.gov/specifications/arf/
Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)

Identification schemes

CCE™: Common Configuration Enumeration
Version: 5
Contact Email: cce@nist.gov
Official CCE List: https://nvd.nist.gov/cce
Community Forum: cce-working-group@nist.gov (Subscribe) (Unsubscribe)
CPE™: Common Platform Enumeration
Version: 2.3
Web site: https://scap.nist.gov/specifications/cpe
Contact Email: cpe@nist.gov
Official Dictionary: https://nvd.nist.gov/cpe.cfm
Community Forum: cpe-discussion@nist.gov (Subscribe) (Unsubscribe)
Software Identification (SWID) Tags
Version: 2015
Web site: https://scap.nist.gov/specifications/swid
Contact Email: scap@nist.gov
CVE®: Common Vulnerabilities and Exposures
Version: No version
Web site: http://cve.mitre.org/
Contact Email: cve@mitre.org
Official CVE List: http://cve.mitre.org/cve/index.html
NVD CVE-based Vulnerabilities: https://web.nvd.nist.gov/view/vuln/search

Metrics

CVSS: Common Vulnerability Scoring System
Version: 3
Specification: CVSS v3 Specification
User Guide: CVSS v3 User Guide
Web site: http://www.first.org/cvss
CCSS: Common Configuration Scoring System
Version: 1.0
Specification: NIST IR 7502

Integrity

TMSAD: Trust Model for Security Automation Data
Version: 1.0
Web site: https://scap.nist.gov/specifications/tmsad/

Related Publications and Resources

Guide to Using Vulnerability Naming Schemes
Specification: SP 800-51 Rev. 1