The National Institute of Standards and Technology (NIST) has issued for public comment a draft publication describing a new method to automate the task of verifying computer security settings. Known as the Security Content Automation Protocol (SCAP), the specification has recently been incorporated into software scanners for checking security settings in federal computers.
The new publication provides an overview of SCAP, discusses programs for ensuring that products implement SCAP properly and recommends how federal agencies and other organizations can use SCAP effectively.
"You can do a lot of things with SCAP," said NIST computer scientist Matthew Barrett, the publication's lead author. "An organization can express vulnerability assessment instructions in a machine-readable format, and SCAP-validated tools can use that information to automate many computer security activities."
In July 2008, the Office of Management and Budget required federal agencies to use SCAP-validated products to measure compliance with the Federal Desktop Core Configuration (FDCC), a mandated group of security settings for federal computers that run Windows XP and Vista. SCAP lists known security-related configuration problems and software flaws and can identify these vulnerabilities and evaluate results to determine FDCC compliance. The scan results are in a standardized format consistent across agencies and readable by other SCAP tools.
Organizations also can use SCAP to automate technical compliance with other information technology requirements, such as the Federal Information Security Management Act (FISMA). SCAP can be used to map high-level FISMA "controls"—for example, identifying, reporting and correcting information system flaws—to low-level rules—such as making sure patches for financial software are up to date.
SCAP incorporates six open specifications, including a dictionary of names for security-related software flaws; naming conventions for hardware, operating systems and applications; and a specification for exchanging technical details on how to check systems for security-related issues. SCAP combines the specifications and incorporates two XML-based programming languages for manipulating SCAP-based information.
Vendors are incorporating SCAP into their products, such as those that check for security issues. NIST also manages programs for validating third-party software tools to ensure they properly incorporate SCAP and for accrediting outside laboratories that perform validation tests of SCAP tools. Although developed for the federal government, SCAP can be used by other organizations.
NIST requests comments on the new publication, 800-117, "Guide to Adopting and Using the Security Content Automation Protocol (SCAP)." It can be obtained at http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-117.pdf. Email comments to 800-117comments [at] nist.gov by Friday, June 12, 2009.