End-of-Life Announcement: NIST SCAP Validation Program

End-of-Life Announcement: NIST SCAP Validation Program

The National Institute of Standards and Technology (NIST) announces the phased conclusion of the Security Content Automation Protocol (SCAP) Validation Program.

Since its inception in 2009, the SCAP Validation Program has played a crucial role in advancing standardized security automation and vulnerability management. Managed through the National Voluntary Laboratory Accreditation Program (NVLAP), the program enabled independent laboratories to test and validate products against SCAP standards, helping organizations worldwide strengthen their security posture.

Key Dates and Changes

• Effective Immediately: NVLAP will no longer accept new applications for SCAP accreditation or process renewals for existing SCAP scope. No new or renewal assessments will be conducted. (Please see NIST Lab Bulletin LB-160-2025)
• Test Reports: NVLAP will continue to accept SCAP Validation Test reports from accredited laboratories until 12:00 AM (midnight) EDT on September 2, 2025. Reports with major flaws that require re-testing will not be accepted for validation.

This transition marks the end of an era for the NIST SCAP Validation Program, reflecting the field’s growth and changing needs in security automation. NIST will share additional information about SCAP Validation Test Reports on the NIST SCAP Validation website.

If you have questions about these changes, the NVLAP Security Testing, or SCAP Validation Test Reports, please contact us at: ir7511comments [at] nist.gov (ir7511comments[at]nist[dot]gov).

We thank all participating laboratories, vendors, and stakeholders for their dedication to SCAP and their ongoing commitment to advancing cybersecurity over the past decade.