National Institute of Standards and Technology (NIST) - Information technology Laboratory (ITL)

SCAP Specifications

The following specifications comprise SCAP version 1.1.

Protocol

SCAP: Security Content Automation Protocol
Version: 1.1
Status: Final
Specification: NIST SP 800-126 Rev. 1

Tools

SCAP Content Validation Tool
Version: 1.1.2.9
Released: 04/28/2011
Download: SCAP Content Validation Tool for SCAP 1.0 and 1.1 (Download 20.9 MB) [Note: A new version is available here that supports SCAP 1.2.]
sha-1: E327A3477E4B6E9CD313B021E88572244967C4F8
sha-256: E9A49AF8DDC4E4A79785174969BD644ECDFF4C91E690625E9E9933FB9E2E33E5
Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.0 and 1.1. The scapval.html within the tool zip file contains additional information about how to run the tool.

Languages

XCCDF: The eXtensible Configuration Checklist Description Format
Version: 1.1.4
Specification: NIST IR 7275 revision 3
Web site: http://scap.nist.gov/specifications/xccdf/
Email Discussion List: xccdf-dev@nist.gov (View archive) (Subscribe) (Unsubscribe)
OVAL®: Open Vulnerability and Assessment Language
Version: 5.8
Web site: http://oval.mitre.org/
Developer's Forum: OVAL-DEVELOPER-LIST@LISTS.MITRE.ORG (View archive) (Register)
OCIL: Open Checklist Interactive Language
Version: 2.0
Web site: http://scap.nist.gov/specifications/ocil/
Email Discussion List: ocil-dev@nist.gov (Subscribe) (Unsubscribe)
The Open Checklist Interactive Language defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions. Although the OCIL specification was developed for use with IT security checklists, the uses of OCIL are by no means confined to IT security. Other possible use cases include research surveys, academic course exams, and instructional walkthroughs.

Enumerations

CCE™: Common Configuration Enumeration
Version: 5
Web site: http://cce.mitre.org/
Contact Email: cce@mitre.org
Official CCE List: http://cce.mitre.org/lists/cce_list.html#current
CPE™: Common Platform Enumeration
Version: 2.2
Specification: CPE Specification 2.2
Web site: http://cpe.mitre.org/
Official Dictionary: http://nvd.nist.gov/cpe.cfm
Community Forum: CPE-DISCUSSION-LIST@LISTS.MITRE.ORG (View archive) (Register)
CVE®: Common Vulnerabilities and Exposures
Version: No version
Web site: http://cve.mitre.org/
Contact Email: cve@mitre.org
Official CVE List: http://cve.mitre.org/cve/index.html
NVD CVE-based Vulnerabilities: http://web.nvd.nist.gov/view/vuln/search

Metrics

CVSS: Common Vulnerability Scoring System
Version: 2
Specification: NIST IR 7435
Web site: http://www.first.org/cvss/

Related Publications and Resources

Guide to Using Vulnerability Naming Schemes
Specification: SP 800-51 Rev. 1