Security Content Automation Protocol


Currently, automation for vulnerability management, compliance management, and related software is sparse and typically functional only within one vendor's product line. Due to competitive pressures, any commercial vendors attempting automation have done so in a very proprietary way, often lacking transparency and greatly hindering interoperability and repeatability. Lacking automation, security operations teams across the U.S. Federal government and in the private sector 1) have become overwhelmed by an increasing compliance workload and an increasing number of vulnerabilities and 2) are spending a considerable amount of resources trying to keep pace through both manual methods and point solutions (i.e., very specific, non-reusable mechanisms to connect proprietary solutions). Without leadership from a nonbiased entity, solutions to this problem have seen slow or limited functionality and adoption.


By standardizing communication by and between security and related software, NIST will significantly increase an organization's ability to share, aggregate, measure, and report security information. Efficiencies gained through interoperability, repeatability, and automation thereof will result in very significant cost savings for organizations utilizing this technology.

Created December 22, 2009, Updated March 23, 2018