Specifications have both intrinsic and synergistic value. A specification has intrinsic value when it demonstrates value on its own merits. For example, XCCDF is a standard way of expressing checklist content. XCCDF also has synergistic value when combined with other specifications such as CPE, CCE, and OVAL to create an SCAP-expressed checklist that can be processed by SCAP-validated products. Likewise, CVE is useful on its own as a consistent way to enumerate vulnerabilities for tracking purposes; when combined with CPE and OVAL, however, it supports a greater use case: automated checks for vulnerabilities that can be processed by SCAP-validated products. It is important to recognize that specifications can and should demonstrate value in their own right without being SCAP specifications.
Of great interest to the community is whether a new specification will become part of the NIST validation program. As a result, NIST developed the following informational resources:
A FAQ that will assist organizations in creating specifications.
The timeline for potential adoption of a specification into SCAP validation testing.
Guidelines to help balance the need for new specifications with the demonstrated value of the specifications.