SCAP Validation Resources Page

SCAP 1.3 Documents

SCAP Version 1.3 Validation Program Derived Test Requirements
Revision: 5
Status: Final
Specification: Security Content Automation Protocol (SCAP) Version 1.3 Validation Program Test Requirements

SCAP: Security Content Automation Protocol
Version: 1.3
Status: Final
Specification: The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3

SCAP: Annex to NIST Special Publication 800-126 Revision 3
Version: 1.3
Status: Final
Specification: SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3

SCAP 1.3 Validation Test Content Releases

SCAP 1.2 Documents

SCAP Version 1.2 Validation Program Derived Test Requirements
Revision: 4
Status: Final
Specification: SCAP 1.2 Validation Program Test Requirements

SCAP: Security Content Automation Protocol
Version: 1.2
Status: Final
Specification: NIST SP800-126 Rev. 2

SCAP 1.2 Validation Program FAQ

The SCAP Validation Program FAQ addresses common questions about updates to the SCAP 1.2 Validation Program.

SCAP Content used in the SCAP 1.2 Validation Program

The SCAP 1.2 Validation Program uses two broad categories of SCAP content for testing products. The broad categories of content include:

• Validation Test Content
  • OVAL Test Data (SCAP 1.2)
  • Content for specific DTR requirements (SCAP 1.2, SCAP 1.1, and SCAP 1.0)
• USGCB Content (SCAP 1.2, SCAP 1.1, and SCAP 1.0)

The Validation Test Content contains OVAL Test Data that exercises commonly used OVAL constructs and the data streams needed for testing specific DTR requirements:

• validationTestSuites - contains the discrete data streams organized by OVAL test.
• combinedDataStreams - contains the combined individual (discrete) data streams organized by platform.
• requirementsTest - contains the data streams for testing specific DTR requirements such as SCAP.R.500, SCAP.R.600, SCAP.R.700, SCAP.R.800, SCAP.R.1100, SCAP.R.1200, SCAP.R.1800 (OCIL), SCAP.R.1900, SCAP.R.2100, SCAP.R.2200, SCAP.R.2910, SCAP.R.2920, SCAP.R.2930, SCAP.R.2940, SCAP.R.3005, SCAP.R.3010, and SCAP.R.3300.

This test suite is closer to unit testing rather than being based on a checklist. We recommend reviewing the FAQ and Validation Test Suite readme file prior to use.

SCAP 1.2 Validation Test Content Releases

USGCB Content

Description: The USGCB Red Hat and Windows content is included in the SCAP 1.2 Validation Program.USGCB Download: https://usgcb.nist.gov/

Tools

SCAP Content Validation Tool

Download: SCAP Content Validation Tool

Description: The SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126. This version of the tool is designed to validate SCAP content adhering to SCAP version 1.0 and 1.1. The scapval.html within the tool zip file contains additional information about how to run the tool.

SCAP Reference Implementation Tool

Download: SCAP Interpreter

Description: The SCAP Interpreter is an open source application that processes SCAP data streams. SCAP versions 1.0, 1.1, and 1.2 are supported. The SCAP Interpreter uses the XCCDF and OVAL Interpreters.

XCCDF Reference Implementation Tool

Download: XCCDF Interpreter

Description: The XCCDF Interpreter is an open source application for performing system analysis and report generation using the XCCDF format. This application will process an XCCDF and OVAL file.

OVAL Reference Implementation Tool

Download: OVAL Interpreter

Description: The OVAL interpreter (ovaldi) is an open source application that demonstrates the evaluation of OVAL definitions. This interpreter collects system information, evaluates it, and generates a detailed OVAL Results file.

OCIL Reference Implementation Tool

Download: OCIL Interpreter

Description: The OCIL interpreter (ocilqi) is an open source application that demonstrates how an OCIL document can be evaluated. It guides the end user in completing questionnaires, viewing, and computing results.