SCAP is a suite of specifications for exchanging security automation content used to assess configuration compliance and to detect the presence of vulnerable versions of software. The same SCAP content can be used by multiple tools to perform a given assessment described by the content.
Contribute to SCAP v2 by engaging in discussion on the SCAP Dev list, attending SCAP v2-related events, and contributing text to SCAP v2 specifications and component standards. Information on subscribing to the SCAP Dev list is available at SCAP v2 Community.
Current Status and Activities
Following the SCAP 2.0 release, development of future SCAP v2 releases will focus on expanding the scope of supported endpoint types as dictated by the community, developing support for additional use cases, and standardizing the protocols that will be used to access the SCAP Configuration Management Database (CMDB).
SWID tags are very important in SCAP v2. Common Platform Enumeration (CPE) doesn’t scale well, doesn't support patch information, and was intended to be a software identifier rather than a software inventory standard. SWID tags can be produced by the software provider and are managed with the software on an endpoint, which is much more scalable and supports software inventory use cases.
Rapid growth in Common Vulnerabilities and Exposures (CVE) assignments over the last couple of years has also increased the workload and labor costs incurred by the National Vulnerability Database (NVD) in analyzing CVE information and producing CPEs. The use of SWID tags provides the vulnerability management community with an approach to software identification and characterization that scales well compared to CPE. Developing tools that facilitate the integration of SWID tags into the software development and release process is the only sustainable path to supporting software identification in a scalable way.
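To make the patch-tracking point concrete, here is an added example (not code from NIST or the SCAP v2 project) that parses two constructed SWID tags using the ISO/IEC 19770-2:2015 element and attribute names, builds an inventory that records which patch tags are applied to a product, and asks the vulnerability question a bare CPE name cannot answer. The vendor, regid and tagId values are fictitious placeholders.

```python
import xml.etree.ElementTree as ET

# ISO/IEC 19770-2:2015 SWID namespace; the tags below are constructed samples,
# and the vendor, regid and tagId values are fictitious placeholders.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"

PRIMARY_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}"
    name="ExampleApp" version="4.2.0" tagId="example.com-ExampleApp-4.2.0">
  <Entity name="Example Corp" regid="example.com" role="softwareCreator tagCreator"/>
</SoftwareIdentity>"""

# A patch tag points at the product it patches via <Link rel="patches">.
PATCH_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}"
    name="ExampleApp Hotfix 7" version="4.2.0.7"
    tagId="example.com-ExampleApp-4.2.0-hotfix7" patch="true">
  <Entity name="Example Corp" regid="example.com" role="tagCreator"/>
  <Link rel="patches" href="swid:example.com-ExampleApp-4.2.0"/>
</SoftwareIdentity>"""

def parse_swid(xml_text):
    """Extract the fields an inventory needs from one SWID tag."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a SWID SoftwareIdentity element")
    patches = []
    for link in root.findall(f"{{{SWID_NS}}}Link"):
        href = link.get("href", "")
        if link.get("rel") == "patches" and href.startswith("swid:"):
            patches.append(href[len("swid:"):])
    return {"tagId": root.get("tagId"), "name": root.get("name"),
            "version": root.get("version"),
            "patch": root.get("patch") == "true", "patches": patches}

def build_inventory(tag_texts):
    """Index primary tags by tagId and attach the patch tags applied to each."""
    records = [parse_swid(t) for t in tag_texts]
    inventory = {r["tagId"]: dict(r, applied_patches=[])
                 for r in records if not r["patch"]}
    for r in records:
        if r["patch"]:
            for target in r["patches"]:
                if target in inventory:  # ignore patches for absent products
                    inventory[target]["applied_patches"].append(r["tagId"])
    return inventory

def is_vulnerable(record, affected_version, fixing_patch):
    """Affected version installed and the fixing patch tag not present."""
    return (record["version"] == affected_version
            and fixing_patch not in record["applied_patches"])
```

With only the primary tag present the product reports as vulnerable; once the patch tag referencing it is collected from the endpoint, the same check returns false.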
SCAP v2 is intended to be a community-driven effort that adopts standard data models and protocols that support hardware inventory, software inventory, vulnerability management, and configuration setting management use cases. Standards will be considered by the community on a case-by-case basis to determine their ability to satisfy these use cases as well as the community’s willingness to implement them. The long-term viability, extensibility, and scalability of a data model or protocol must be a consideration for selection. Ideally, the data models and protocols adopted for SCAP v2 will provide a stable base that can be extended to support additional endpoint information and capabilities over time.
The list of standards SCAP v2 supports is still evolving and is open for community discussion. NIST is committed to discussing with the community the benefits of applicable standards and how they can support SCAP v2 use cases.
Security and Privacy: configuration management, patch management, security automation, security measurement