U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

Security Content Automation Protocol SCAP

SCAP 1.2

The following specifications comprise SCAP version 1.2.

Protocol

SCAP: Security Content Automation Protocol

Version: 1.2

Status: Final

Specification: NIST Special Publication (SP) 800-126 rev 2

XML Schema: Source Data Stream, Constructs

Example: Source Data Stream Example

Schematron: Instructions and Download

Errata: NIST Special Publication (SP) 800-126 Rev 2 Errata

Change Proposals: Summer 2011 Developer Days (May 31, 2011)

Tools

SCAP Content Validation Tool

Version: 1.2.1.16

Released: 12/16/2016

Download: SCAP Content Validation Tool (Download 25 MB)

sha-256: E8675B12FE13BF66BFB31D8FA907409698826EBF572D303AB67FBD5F681E6BD5

Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.0, 1.1, and 1.2. The scapval.html within the tool zip file contains additional information about how to run the tool.

SCAP 1.0 Zip Bundle to SCAP 1.2 Data Stream Converter

Sourceforge Site

Languages

XCCDF: The Extensible Configuration Checklist Description Format

Version: 1.2

Web site: xccdf

Email Discussion List: xccdf-dev@nist.gov (View archive) (Subscribe) (Unsubscribe)

OVAL®: Open Vulnerability and Assessment Language

Version: 5.10

Web site: http://oval.mitre.org/

Developer's Forum: oval-developer-list@lists.mitre.org (View archive) (Register)

OCIL: Open Checklist Interactive Language

Version: 2.0

Web site: https://scap.nist.gov/specifications/ocil/

Email Discussion List: ocil-dev@nist.gov (Subscribe) (Unsubscribe)

Asset Identification

Version: 1.1

Web site: https://scap.nist.gov/specifications/ai/

Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)

ARF: Asset Reporting Format

Version: 1.1

Web site: https://scap.nist.gov/specifications/arf/

Email Discussion List: asset-dev@nist.gov (Subscribe) (Unsubscribe)

Enumerations

CCE™: Common Configuration Enumeration

Version: 5

Contact Email: cce@nist.gov

Official CCE List: https://nvd.nist.gov/cce

Community Forum: cce-working-group@nist.gov (Subscribe) (Unsubscribe)

CPE™: Common Platform Enumeration

Version: 2.3

Web site: https://scap.nist.gov/specifications/cpe

Contact Email: cpe@nist.gov

Official Dictionary: https://nvd.nist.gov/products/cpe

Community Forum: cpe-discussion@nist.gov (Subscribe) (Unsubscribe)

CVE®: Common Vulnerabilities and Exposures

Version: No version

Web site: http://cve.mitre.org/

Contact Email: cve@mitre.org

Official CVE List: http://cve.mitre.org/cve/index.html

NVD CVE-based Vulnerabilities: https://nvd.nist.gov/vuln/search

Metrics

CVSS: Common Vulnerability Scoring System

Version: 2

Specification: NIST IR 7435

Web site: http://www.first.org/cvss/

CCSS: Common Configuration Scoring System

Version: 1.0

Specification: NIST IR 7502

Integrity

TMSAD: Trust Model for Security Automation Data

Version: 1.0

Web site: https://scap.nist.gov/specifications/tmsad/

Related Publications and Resources

Guide to Using Vulnerability Naming Schemes

Specification: SP 800-51 Rev. 1

Created December 07, 2016, Updated October 26, 2021