NIST requests comments on the design and development of the Security Content Automation Protocol (SCAP) version 1.3. This new version of SCAP will be documented in a future third revision draft release of Special Publication (SP) 800-126, The Technical Specification for the Security Content Automation Protocol: SCAP Version 1.3. Please send suggestions for potential changes from SCAP 1.2 (as documented in SP 800-126 Revision 2) and/or other ideas for SCAP 1.3 by September 28, 2015 to 800-126comments@nist.gov.
SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the ongoing development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content.
The component specifications included in the current version of SCAP (1.2) are as follows.
Languages:
Reporting Formats:
Enumerations:
Measurement and Scoring Systems:
Integrity:
Because some of these component specifications have been updated since the release of SCAP 1.2, tentative plans are for the SCAP 1.3 revision to add support for the following specifications to take advantage of their enhanced capabilities:
Consideration is also being given to no longer requiring support for CVSS v2.0 in SCAP 1.3 or in the next update to SCAP.
NIST is soliciting public feedback on SCAP 1.3 to identify the potential changes that industry, government, and others would like to see in the SCAP specification.
Feedback on the topics listed below is of particular interest to NIST in shaping the development of SCAP 1.3. Commenters are encouraged to share their thoughts on one or more of these topics, and to suggest any other areas of revision or enhancement to SCAP.
Security and Privacy: asset management, configuration management, security automation, security measurement, vulnerability management