National Institute of Standards and Technology (NIST) - Information Technology Laboratory (ITL)

SCAP Related Publications

NIST SP 800-117

NIST SP 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP), has been published as final. SCAP is a suite of specifications for organizing, expressing, and measuring security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-117 provides an overview of SCAP Version 1.0, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP Version 1.0 capabilities within their offerings.

Revision History

July 27, 2010 - Final for SCAP Version 1.0
Final version of 800-117 for SCAP Version 1.0 published.
May 5, 2009 - Initial Draft
NIST requests comments on draft SP 800-117 by June 12, 2009. Please submit comments to 800-117comments@nist.gov with "Comments SP 800-117" in the subject line.

NIST SP 800-126

NIST announces the release of Special Publication (SP) 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications. Major changes from SCAP version 1.1 to 1.2 include the addition of the following components: Asset Reporting Format (ARF), Asset Identification, Common Configuration Scoring System (CCSS), and Trust Model for Security Automation Data (TMSAD), which provides support for digitally signing SCAP source and result content. SCAP 1.2 also includes new source and result data stream models, and it upgrades Open Vulnerability and Assessment Language (OVAL) support to version 5.10, Common Platform Enumeration (CPE) support to version 2.3, and Extensible Configuration Checklist Description Format (XCCDF) support to version 1.2.

Special Publication (SP) 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1, has been released. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.1, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications. Major changes from SCAP version 1.0 to 1.1 include the addition of Open Checklist Interactive Language (OCIL) and an upgrade to Open Vulnerability and Assessment Language (OVAL) version 5.8.

The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0 has been released. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-126 also provides an overview of SCAP, focusing on how software developers can integrate SCAP technology into their product offerings and interfaces.

Revision History

September 2011 - Final Revision 2 for SCAP version 1.2
Final version of 800-126 for SCAP Version 1.2 released.
July 12, 2011 - Draft Revision for SCAP version 1.2
NIST requests comments on draft SP 800-126 Revision 2 by August 1, 2011. Please submit comments to 800-126comments@nist.gov with "Comments SP 800-126" in the subject line.
February 24, 2011 - Final Revision 1 for SCAP version 1.1
Final version of 800-126 for SCAP Version 1.1 released.
January 11, 2011 - Third Draft Revision 1 for SCAP Version 1.1
Addressed draft 2 public comments and changed the OVAL version to 5.8.
May 27, 2010 - Second Draft Revision 1 for SCAP Version 1.1
NIST requests comments on draft SP 800-126 Revision 1 by June 28, 2010. Please submit comments to 800-126comments@nist.gov with "Comments SP 800-126" in the subject line.
December 15, 2009 - Draft Revision 1 for SCAP Version 1.1
NIST requests comments on draft SP 800-126 Revision 1 by January 23, 2010. Please submit comments to 800-126comments@nist.gov with "Comments SP 800-126" in the subject line.
November 2009 - Final for SCAP Version 1.0
Final version of 800-126 for SCAP Version 1.0 released.
July 31, 2009 - Initial Draft for SCAP Version 1.0
NIST requests comments on draft SP 800-126 by August 31, 2009. Please submit comments to 800-126comments@nist.gov with "Comments SP 800-126" in the subject line.

NIST IR 7511

This report describes the requirements that must be met by products to achieve SCAP validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. NIST IR 7511 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.

Interested parties should review the latest release of the NIST IR 7511.

Revision History

September 2012 - Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements (DRAFT)
This update to Draft NIST Interagency Report (IR) 7511 Revision 3.04 is open for a 2-week comment period. If you have questions or comments regarding this document, please send email to: IR7511comments@nist.gov. The deadline to submit comments is Friday, October 12, 2012.
February 2009 - Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (DRAFT)
This publication supersedes the draft Security Content Automation Protocol (SCAP) Validation Program Test Requirements Version 1.0 that was released in August 2008 as draft. This publication will be used for SCAP validation effective January 31, 2009.

NIST SP 800-51

Special Publication (SP) 800-51 Revision 1, Guide to Using Vulnerability Naming Schemes, provides recommendations for using two vulnerability naming schemes: Common Vulnerabilities and Exposures (CVE) and Common Configuration Enumeration (CCE). SP 800-51 Revision 1 gives an introduction to both naming schemes and makes recommendations for end-user organizations on using the names produced by these schemes. The publication also presents recommendations for software and service vendors on how they should use vulnerability names and naming schemes in their product and service offerings. SP 800-51 Revision 1 replaces the original SP 800-51, which was released in 2002.

Revision History

February 24, 2011 - Final Revision 1
Final version of SP 800-51 Rev. 1 released.