National Institute of Standards and Technology (NIST) - Information technology Laboratory (ITL)

SCAP Validation Program Publications and Resources

The following documents and resources are relevant to the SCAP Validation Program.

Documents

SCAP Version 1.2 Validation Program Derived Test Requirements
Revision: 4
Status: Final
Specification: NIST IR 7511 Rev. 4
SCAP: Security Content Automation Protocol
Version: 1.2
Status: Final
Specification: NIST SP 800-126 Rev. 2

SCAP 1.2 Validation Program FAQ

The FAQ addresses common questions about updates to the SCAP 1.2 Validation Program.
FAQ: SCAP 1.2 Validation Program FAQ

SCAP Content used in the SCAP 1.2 Validation Program

The SCAP 1.2 Validation Program uses two broad categories of SCAP content for testing products. The broad categories of content include:
  • Validation Test Content
    • OVAL Test Data (SCAP 1.2)
    • Content for specific DTR requirements (SCAP 1.2, SCAP 1.1, and SCAP 1.0)
  • USGCB Content (SCAP 1.2, SCAP 1.1, and SCAP 1.0)
SCAP Validation Test Content
The Validation Test Content contains OVAL Test Data that exercises commonly used OVAL constructs and the data streams needed for testing specific DTR requirements:
  • validationTestSuites - contains the discrete data streams organized by OVAL test.
  • combinedDataStreams - contains the combined individual (discrete) data streams organized by platform.
  • requirementsTest - contains the data streams for testing specific DTR requirements such as SCAP.R.500, SCAP.R.600, SCAP.R.700, SCAP.R.800, SCAP.R.1100, SCAP.R.1200, SCAP.R.1800 (OCIL), SCAP.R.1900, SCAP.R.2100, SCAP.R.2200, SCAP.R.2910, SCAP.R.2920, SCAP.R.2930, SCAP.R.2940, SCAP.R.3005, SCAP.R.3010, and SCAP.R.3300.
This test suite is closer to unit testing rather than being based on a checklist. We recommend reviewing the FAQ and Validation Test Suite readme file prior to use.
Date SCAP Content Documentation Expiration Date
September 14, 2017 Validation Test Suite version 1-2.2.0.0
Download: Validation Test Suite Bundle
SHA256
7D33B68D6589D877FF0CE6C8A508F98578734F9C9BE54E09BBB96BF2855F9B70
Change log n/a
June 8, 2017 Validation Test Suite version (RELEASE CANDIDATE) 1-2.2.0.0-rc1
Last Date for Comments: July 8, 2017
June 02, 2016 Validation Test Suite version 1-2.1.1.0
Download: Validation Test Suite Bundle
SHA256
768749B36CCF6B92947A18014A3018DDBDD95126E2CA93DAB18EA318E1712D7B
Change log March 15, 2018
April 05, 2016 Validation Test Suite version 1-2.1.0.0
Download: Validation Test Suite Bundle
SHA256
AA139815572FED37F5C825B5003C82EF38D47529B00D998FF1E0DB7FF30ED538
Change log
Known Issues
December 02, 2016
February 16, 2016 Validation Test Suite version (RELEASE CANDIDATE) 1-2.1.0.0-rc1
Last Date for Comments: March 18, 2016
February 08, 2016 Validation Test Suite version 1-2.0.3.0 -- Updated catalog files for Windows
Download: Validation Test Suite Bundle
SHA256
C61528D861BDC2C1DC0F3A8FE8D6D11AB366AF433C833288826E9B850C402FDF
Change log August 31, 2016
April 1, 2015 Validation Test Suite version 1-2.0.3.0
Download: Validation Test Suite Bundle
SHA256
5B42B6D9D5FFF2E2E1658D89382B9B960231C12C1966072B6754A01EFF9B0389
Change log August 31, 2016
February 03, 2015 Validation Test Suite version (RELEASE CANDIDATE) 1-2.0.3.0
Last Date for Comments: March 03, 2015
March 11, 2014 Validation Test Suite version 1-2.0.2.0
Download: Validation Test Suite Bundle
SHA256
0B829786357AA886D8D0774E73F1C31C60777A06AF115341B4B1216BF4A936DD
Change log September 30, 2015
(Six months after the final release of 1-2.0.3.0)
February 10, 2014 Validation Test Suite (RELEASE CANDIDATE) version 1-2.0.2.0-rc1
Last Date for Comments: March 10, 2014
August 7, 2013 Validation Test Suite version 1-2.0.1.0
Download: Validation Test Suite Bundle
SHA256
3FA74D487403214032C4B36E8F535C3143DB2FE1991FE9757188E09D66EF7FAD
Change log August 7, 2014
June 11, 2013 Validation Test Suite (RELEASE CANDIDATE) version 1-2.0.1.0-rc1
Last Date for Comments: July 11, 2013
December 21, 2012 Validation Test Suite version 1-2.0.0.0 Original release December 21, 2013
USGCB Content
Description: The USGCB Red Hat and Windows content is included in the SCAP 1.2 Validation Program.
USGCB Download: https://usgcb.nist.gov/

Tools

SCAP Content Validation Tool
Download: SCAP Content Validation Tool
Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.0 and 1.1. The scapval.html within the tool zip file contains additional information about how to run the tool.
SCAP Reference Implementation Tool
Download: SCAP Interpreter
Description: The SCAP Interpreter is an open source application that processes SCAP data streams. SCAP versions 1.0, 1.1, and 1.2 are supported. The SCAP Interpreter uses the XCCDF and OVAL Interpreters.
XCCDF Reference Implementation Tool
Download: XCCDF Interpreter
Description: The XCCDF Interpreter is an open source application for performing system analysis and report generation using the XCCDF format. This application will process an XCCDF and OVAL file.
OVAL Reference Implementation Tool
Download: OVAL Interpreter
Description: The OVAL interpreter (ovaldi) is an open source application that demonstrates the evaluation of OVAL definitions. This interpreter collects system information, evaluates it, and generates a detailed OVAL Results file.
OCIL Reference Implementation Tool
Download: OCIL Interpreter
Description: The OCIL interpreter (ocilqi) is an open source application that demonstrates how an OCIL document can be evaluated. It guides the end user in completing questionnaires, viewing, and computing results.