This is an archive
(replace .gov by .rip)

NIST Requests Comments on the Security Content Automation Protocol (SCAP)
August 21, 2015

NIST requests comments on the design and development of the Security Content Automation Protocol (SCAP) version 1.3. This new version of SCAP will be documented in a future third revision draft release of Special Publication (SP) 800-126, The Technical Specification for the Security Content Automation Protocol: SCAP Version 1.3. Please send suggestions for potential changes from SCAP 1.2 (as documented in SP 800-126 Revision 2) and/or other ideas for SCAP 1.3 by September 28, 2015 to 800-126comments@nist.gov.

Background

SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the ongoing development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content.

The component specifications included in the current version of SCAP (1.2) are as follows.

Languages:

Reporting Formats:

  • Asset Reporting Format (ARF) 1.1, a format for expressing the transport format of information about assets and the relationships between assets and reports
  • Asset Identification 1.1, a format for uniquely identifying assets based on known identifiers and/or known information about the assets

Enumerations:

Measurement and Scoring Systems:

Integrity:

Because some of these component specifications have been updated since the release of SCAP 1.2, tentative plans are for the SCAP 1.3 revision to add support for the following specifications to take advantage of their enhanced capabilities:

Consideration is also being given to no longer requiring support for CVSS v2.0 in SCAP 1.3 or in the next update to SCAP.

NIST is soliciting public feedback on SCAP 1.3 to identify the potential changes that industry, government, and others would like to see in the SCAP specification.

Note to Reviewers

Feedback on the topics listed below are of particular interest to NIST to shape the development of SCAP 1.3. Commenters are encouraged to share their thoughts on one or more of these topics, as well as to suggest any other areas of revision or enhancement to SCAP.

  • Regarding support for SCAP 1.0 (as documented in the SP 800-126 from November 2009), when should support for it no longer be required for backwards compatibility? Please suggest specific timeframes or conditions under which support should no longer be necessary.
  • Regarding support for SCAP 1.1 (as documented in SP 800-126 Revision 1 from February 2011), when should support for it no longer be required for backwards compatibility? Please suggest specific timeframes or conditions under which support should no longer be necessary.
  • What degree of backwards compatibility should be required for CVSS and OVAL? If possible, please provide estimates of the quantitative impact of restricting backwards compatibility.
  • When should support for CVSS v2 no longer be required? Please suggest specific timeframes or conditions under which support should no longer be necessary.
  • What should be the minimum OVAL version that SCAP 1.3 supports? (For SCAP 1.2, the minimum version is OVAL 5.3.) Provide specific reasons or requirements for needing a particular minimum OVAL version to be supported by SCAP 1.3.

 

Created December 21, 2016, Updated June 22, 2020