The National Institute of Standards and Technology (NIST) has issued a draft publication for public comment that describes changes to the Security Content Automation Protocol (SCAP). SCAP is a suite of specifications that use the eXtensible Markup Language (XML) to standardize how software products exchange information about software flaws and security configurations.
SCAP incorporates software flaw and security configuration standard reference data from the National Vulnerability Database, which is managed by NIST and sponsored by the Department of Homeland Security. SCAP supports automated vulnerability checking, technical control compliance activities and security measurement. The federal government is adopting SCAP and encourages its use to automate security activities including compliance with the Federal Desktop Core Configuration (FDCC), a group of security settings mandated for federal computers that run Windows XP and Vista. Agencies can use SCAP to automate technical compliance with other information technology requirements, such as the Federal Information Security Management Act (FISMA) and the Payment Card Industry (PCI) framework.
Special Publication 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1, facilitates development of interoperable SCAP tools and content. The publication has significant changes from the version 1.0 specification defined in the original Special Publication 800-126 release.
The most notable change is the addition to SCAP of the Open Checklist Interactive Language (OCIL), which is a framework for expressing security checks that cannot be fully automated—those that require some human interaction or feedback. OCIL provides a standardized way of performing these manual checks through questionnaires, with language constructs for questions, user instructions and possible responses to questions.
SP 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1 can be found at http://csrc.nist.gov/publications/drafts/800-126-r1/draft-sp800-126r1.pdf. The public comment period runs through Jan. 23, 2010. Comments should be addressed to 800-126comments [at] nist.gov.