NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Transitioning to the Security Content Automation Protocol (SCAP) Version 2

Published

Author(s)

David A. Waltermire, Jessica Fitzgerald-McKay

Abstract

The Security Content Automation Protocol (SCAP) version 2 (v2) automates endpoint posture information collection and the incorporation of that information into network defense capabilities using standardized protocols. SCAP v2 expands the endpoint types supported by SCAP v1 through the explicit inclusion of network equipment, Internet of Things (IoT), and mobile devices in its scope. To automate self-reporting of posture information from endpoint machines, SCAP v2 will integrate with existing network management protocols that include the Internet Engineering Task Force (IETF) Network Endpoint Assessment (NEA) protocols. SCAP v2 will streamline SCAP content acquisition and reuse through its use of the IETF Resource Oriented Lightweight Information Exchange (ROLIE) protocol. Improvements to software version identification and the incorporation of patch information will be made by transitioning from the Common Platform Enumeration (CPE) to Software Identification (SWID) Tags. SCAP v2 provides component-level interoperability via a modular and extensible architecture. This white paper provides a gap analysis of SCAP v1 and an overview of how SCAP v2 will address these gaps; describes the SCAP 2.0 architecture; and provides a plan for completing the work necessary to finalize SCAP v2.
Citation
OTHER -
NIST Pub Series
Other
Pub Type
NIST Pubs

Download Paper

DOI Link

Keywords

architecture, configuration, endpoint, endpoint security, SCAP, security automation, security content automation, Security Content Automation Protocol, software identification, SWID, vulnerability
Cybersecurity and privacy, Network management and monitoring and Protocol design and standardization

Citation

Waltermire, D. and Fitzgerald-McKay, J. (2018), Transitioning to the Security Content Automation Protocol (SCAP) Version 2, Other, National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.CSWP.09102018 (Accessed October 8, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created September 10, 2018, Updated May 4, 2021
Was this page helpful?