Security Content Automation Protocol (SCAP)

Emerging Specifications

Specifications have both intrinsic and synergistic value. A specification has intrinsic value when it demonstrates value on its own merits. For example, XCCDF is a standard way of expressing checklist content. XCCDF also has synergistic value when combined with other specifications such as CPE, CCE, and OVAL to create an SCAP-expressed checklist that can be processed by SCAP-validated products. Likewise, CVE has use cases on its own as a consistent way to enumerate vulnerabilities for tracking purposes; when combined with CPE and OVAL, however, CVE serves a greater use case, namely automated checks for vulnerabilities that can be processed by SCAP-validated products. It is important to recognize that specifications can and should demonstrate value in their own right without being SCAP specifications.

Of great interest to the community is whether a new specification will become part of the NIST validation program. As a result, NIST developed the following informational resources:

  1. A FAQ that will assist organizations in creating specifications.

  2. The timeline for potential adoption of a specification into SCAP validation testing.

  3. Guidelines to help balance the need for new specifications with the demonstrated value of the specifications.

Created December 07, 2016, Updated October 26, 2021