The Security Content Automation Protocol - SCAP

The Security Content Automation Protocol

  • Suite of specifications that standardize format/nomenclature by which software flaw and security configuration information is communicated, both to machines and humans
  • Multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement
  • Promotes interoperability of security products and fosters the use of standard expressions of security content
  • Mandated by FedRAMP Continuous Monitoring

5 Specification Categories

  • Languages -> standard vocabularies/conventions for expressing security policy, technical check mechanisms, and assessment results -> Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL®), and Open Checklist Interactive Language (OCIL™)
  • Reporting Formats -> provide the necessary constructs to express collected information in standardized formats -> Asset Reporting Format (ARF) and Asset Identification
  • Enumerations -> define standard nomenclature and an official dictionary expressed using that nomenclature -> Common Platform Enumeration (CPE™), Common Configuration Enumeration (CCE™), and Common Vulnerabilities and Exposures (CVE®)
  • Measurement and scoring systems -> evaluation of specific characteristics of a security weakness (i.e., software vulnerabilities and security configuration issues) and, based on those characteristics, generating a score that reflects their relative severity -> Common Vulnerability Scoring System (CVSS), Common Configuration Scoring System (CCSS)
  • Integrity -> preserve the integrity of SCAP content and results -> Trust Model for Security Automation Data (TMSAD)
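As an added example (not part of the original slides), the Python below reads a constructed XCCDF 1.2 TestResult and shows how the categories fit together: XCCDF is the Language carrying the results, the CCE and CPE values inside it are the Enumerations that tie each result to a configuration item and platform, and the flat weighted score is a simplified form of XCCDF's default scoring model. The rule ids, CCE ids, CPE name and hostname are placeholders, not real SCAP content.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
CCE_SYSTEM = "http://cce.mitre.org"                  # <ident system=...> value for CCE ids
NS = {"x": XCCDF_NS}
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}  # no pass/fail signal
PASSING = {"pass", "fixed"}                          # counted as compliant by the default model

# Constructed sample TestResult; rule ids, CCE ids, CPE name and hostname are placeholders.
SAMPLE_RESULT = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_demo">
  <target>host.example.internal</target>
  <platform idref="cpe:/o:example:linux:1"/>
  <rule-result idref="xccdf_example_rule_ssh_root_login" weight="1.0">
    <result>fail</result>
    <ident system="{CCE_SYSTEM}">CCE-00000-1</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_password_minlen" weight="1.0">
    <result>pass</result>
    <ident system="{CCE_SYSTEM}">CCE-00000-2</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_selinux_state" weight="2.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_wireless_disabled">
    <result>notapplicable</result>
  </rule-result>
</TestResult>"""


def summarize_testresult(xml_text):
    """Report target, CPE platforms, result counts, failed rules with CCE ids, and a 0-100 score."""
    root = ET.fromstring(xml_text)
    target = root.findtext("x:target", default="", namespaces=NS)
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    counts, failed, pass_w, total_w = Counter(), [], 0.0, 0.0
    for rr in root.findall("x:rule-result", NS):
        result = (rr.findtext("x:result", default="unknown", namespaces=NS) or "").strip()
        counts[result] += 1
        if result in UNSCORED:
            continue                       # excluded from the score, as in XCCDF's default model
        weight = float(rr.get("weight", "1.0"))   # XCCDF weight defaults to 1.0 when absent
        total_w += weight
        if result in PASSING:
            pass_w += weight
        else:                              # fail, error and unknown all count against the score
            cces = [i.text for i in rr.findall("x:ident", NS) if i.get("system") == CCE_SYSTEM]
            failed.append((rr.get("idref"), cces))
    score = round(100.0 * pass_w / total_w, 2) if total_w else None   # None: nothing scorable
    return {"target": target, "platforms": platforms, "counts": dict(counts),
            "failed": failed, "score": score}
```

Run against a real OpenSCAP result file, the same function gives a quick fail list keyed by CCE that can be handed to configuration management, which is the interoperability the slides describe.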