The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software products communicate information about software flaws and security system configurations, both to machines and humans.
Pronounced “ess-cap,” SCAP is a multipurpose suite of specifications that support automated checking of security configuration settings, vulnerability checking, technical control compliance activities, and security measurement.
SCAP was developed through the cooperation and collaboration of public and private sector organizations, including government, industry and academia. In conducting business, organizations must manage many different and complex software components, including firmware, operating systems and applications. These components must be configured securely, patched when needed, and continuously monitored for security.
The components must be able to interact safely and securely to deter widespread cyber attacks and to deal with any attacks that might occur. The use of standardized, automated methods for system security management can help organizations operate more effectively in complex, interconnected environments and realize cost savings, an advantage in today’s fiscally constrained climate.
Many organizations, including the federal government, are adopting SCAP and encouraging its use to implement the automation of security activities. SCAP is also being adopted by major software manufacturers and is becoming a significant component of large information security management and governance programs.
Both users and suppliers of software components have a common interest in achieving open specifications for security automation and system security management. Standardized specifications promote the interoperability of security products and create opportunities for product innovation.
The Information Technology Laboratory at the National Institute of Standards and Technology (NIST) has been working with other organizations to develop technical specifications for SCAP. Recently, NIST issued an updated specification as Special Publication 800-126 Rev. 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2. The publication defines the technical composition of SCAP version 1.2, including its component specifications, their interrelationships and interoperation, and the requirements for SCAP content.