National Institute of Standards and Technology (NIST) - Information technology Laboratory (ITL)

SCAP 1.3 Specifications

The following specifications are proposed for SCAP version 1.3.


SCAP: Security Content Automation Protocol
Version: 1.3
Status: Final
Specification: NIST Special Publication (SP) 800-126 rev 3
Specification Annex: NIST Special Publication (SP) 800-126 rev 3 Annex
XML Schema: Source Data Stream, Constructs
Example: Source Data Stream Example
Schematron: Instructions and Download


SCAP Content Validation Tool
Version: 1.3.2
Released: 02/14/2018
Download: SCAP Content Validation Tool (Download 21 MB)
SHA-256: 8267128F57EBAEF007AD37F6BEC2AA9F0A73FC76DD07D983BDD6CB909A39AE76
Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.1, 1.2, and 1.3. For additional information about how to use the tool run: scapval.bat -h.


XCCDF: The Extensible Configuration Checklist Description Format
Version: 1.2
Web site:
Email Discussion List: (View archive) (Subscribe) (Unsubscribe)
OVAL®: Open Vulnerability and Assessment Language
Version: 5.11.2
Web site:
Developer's Forum: (View archive) (Register)
OCIL: Open Checklist Interactive Language
Version: 2.0
Web site:
Email Discussion List: (Subscribe) (Unsubscribe)
Asset Identification
Version: 1.1
Web site:
Email Discussion List: (Subscribe) (Unsubscribe)
ARF: Asset Reporting Format
Version: 1.1
Web site:
Email Discussion List: (Subscribe) (Unsubscribe)

Identification schemes

CCE™: Common Configuration Enumeration
Version: 5
Contact Email:
Official CCE List:
Community Forum: (Subscribe) (Unsubscribe)
CPE™: Common Platform Enumeration
Version: 2.3
Web site:
Contact Email:
Official Dictionary:
Community Forum: (Subscribe) (Unsubscribe)
Software Identification (SWID) Tags
Version: 2015
Web site:
Contact Email:
CVE®: Common Vulnerabilities and Exposures
Version: No version
Web site:
Contact Email:
Official CVE List:
NVD CVE-based Vulnerabilities:


CVSS: Common Vulnerability Scoring System
Version: 3
Specification: CVSS v3 Specification
User Guide: CVSS v3 User Guide
Web site:
CCSS: Common Configuration Scoring System
Version: 1.0
Specification: NIST IR 7502


TMSAD: Trust Model for Security Automation Data
Version: 1.0
Web site:

Related Publications and Resources

Guide to Using Vulnerability Naming Schemes
Specification: SP 800-51 Rev. 1