National Institute of Standards and Technology (NIST) - Information Technology Laboratory (ITL)

Security Content Automation Protocol (SCAP) Validation FAQ

SCAP 1.2 Validation Program FAQ

  1. What is Security Content Automation Protocol (SCAP) validation?
  2. What is new in the SCAP 1.2 Validation Program?
  3. When do the SCAP 1.0 validations expire?

SCAP 1.2 Validation Test Suite FAQ

  1. What is the SCAP 1.2 Validation Test Suite?
  2. What is the objective of making the validation test suite public?
  3. How was the public validation test suite developed?
  4. What is in the validation test suite?
  5. Is the validation test suite a security checklist?
  6. How can I use the validation test suite?
  7. What platforms are supported?
  8. Where can I comment and provide feedback on the validation test suite?



  1. What is Security Content Automation Protocol (SCAP) validation?
    To enable the goals originally set forth in OMB Memorandum M-07-18, it is necessary to have security configuration scanning tools that can use official SCAP content. In response, NIST established the SCAP validation program. The program is implemented through the NIST National Voluntary Laboratory Accreditation Program (NVLAP), under which independent laboratories can be accredited to perform the testing necessary to validate that security tools can accurately parse the SCAP content required for their specific functionality. Additional details on SCAP validation are available at http://scap.nist.gov/validation/. More information about USGCB may be found at http://usgcb.nist.gov.
  2. What is new in the SCAP 1.2 Validation Program?
    The SCAP 1.2 Validation Program validates products against SCAP 1.2 and its component specifications. The SCAP 1.2 Validation Program supersedes the SCAP 1.0 Validation Program. The SCAP capabilities offered in the SCAP 1.2 program are authenticated configuration scanner (ACS) with optional CVE and OCIL validation. Vendors may choose one or both of the CVE and OCIL validation options in conjunction with the ACS capability. The optional validations may not be awarded without ACS. Products with an SCAP 1.2 validation are intended to be backward compatible in that they should correctly process well-formatted SCAP 1.0, SCAP 1.1, and SCAP 1.2 data streams. Refer to IR 7511 revision 3 for the SCAP 1.2 Derived Test Requirements.
  3. When do the SCAP 1.0 validations expire?
    All SCAP 1.0 product validations expire December 31, 2013.
  4. What is the SCAP 1.2 Validation Test Suite?
    The SCAP 1.2 public validation test suite is a collection of SCAP 1.2 source content based on OVAL test types. This content is used for validating products in the SCAP 1.2 Validation Program. Although the USGCB content is not bundled with the public validation test suite, it is also exercised as part of SCAP 1.2 validations. USGCB data streams may be downloaded from http://usgcb.nist.gov.
  5. What is the objective of making the validation test suite public?
    NIST is making the SCAP 1.2 validation test suite public so tool vendors may better prepare products for validation, and so end users can perform their own conformance testing when selecting tools.
  6. How was the public validation test suite developed?
    The public validation test suite is the portion of the validation content that is based on OVAL test types. These OVAL test types were selected as a representation of Tier III and Tier IV data streams. The USGCB data streams are also exercised in the SCAP 1.2 Validation Program. The USGCB data streams are not included in the public validation test suite bundle and may be downloaded at http://usgcb.nist.gov.
  7. What is in the validation test suite?
    The test suite is a collection of SCAP 1.2 data streams, many based on OVAL test types. Each directory in the test suite contains several items:
    1. SCAP 1.2 data stream
    2. spreadsheet showing the expected configuration of the test system and the expected results
    3. configuration scripts for automating the configuration of test systems
    4. readme file
  8. Is the validation test suite a security checklist?
    No. The validation test suite is not an SCAP-expressed checklist. The validation test suite is similar to unit testing. The goal is exercising all possible operators of selected OVAL test types.
  9. How can I use the validation test suite?
    This content should be run on a non-production system. While attempts are made to clean up the changes made as part of testing, there is no guarantee that the system will be in a secure or usable state afterward. After running this content, the system should be wiped and the operating system reinstalled and configured appropriately before the system is used.
    1. Install the operating system. Testers may start with a default installation.
    2. Configure the target system according to the configuration defined in the spreadsheet. The configuration scripts may be used.
    3. Scan the target system using the data stream in the validation test suite.
    4. Verify the tool's scan results match the expected results as defined in the spreadsheet.
  10. What platforms are supported?
    The SCAP 1.2 Validation Program currently includes the Red Hat family of platforms and the Windows family of platforms.
  11. Where can I comment and provide feedback on the validation test suite?
    Please provide comments to the National Institute of Standards and Technology (NIST) at scap@nist.gov.