Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Advancing Security Automation and Standardization: Revised Technical Specifications Issued for the Security Content Automation Protocol (SCAP)



Shirley M. Radack


This bulletin summarizes the information presented in NIST Special Publication (SP) 800-126 Rev. 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2. This publication was written by David Waltermire and Stephen Quinn of NIST, Karen Scarfone of Scarfone Cybersecurity, and Adam Halbardier of Booz Allen Hamilton. SP 800-126 Rev. 2 defines the technical composition of SCAP version 1.2, including its component specifications, their interrelationships and interoperation, and the requirements for SCAP content. SCAP is a multi-purpose protocol that supports automated checking of security configuration settings, vulnerability checking, technical control compliance activities, and security measurement. The bulletin discusses the contents of the publication, including the components of SCAP Version 1.2, NIST's recommendations for applying SCAP, the validation of SCAP products, and plans for future SCAP activities. References are provided to NIST publications that are related to SCAP and that support SCAP validation.
ITL Bulletin -


configuration management, cyber security, information security, information systems, information technology (IT), National Vulnerability Database, NIST Special Publications, risk management, Risk Management Framework, Security Content Automation Protocol, security checklists, security controls, software flaws, security management, threats, voluntary consensus standards, vulnerabilities
Created January 24, 2012, Updated January 27, 2020