Establishing traceability from high-level Federal Information Security Management Act (FISMA) requirements to specific mechanisms to secure hardware and software poses challenges for the government's systems security managers. Effectively using security controls hinges on ensuring that an agency's technology staff can properly establish and enforce their systems' security configuration settings. To make the important linkage from law and policy to the mandatory security requirements and controls described in Federal Information Processing Standard 200 and NIST Special Publication 800-53, NIST established the Information Security Automation Program (ISAP). This article describes ISAP and one of its elements, the Security Content Automation Protocol (SCAP).