Jump to content

Security Content Automation Protocol

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Nealmcb (talk | contribs) at 03:40, 15 August 2016 (standard (against which products are validated) is more appropriate category than procedure). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.

Purpose

To guard against security threats, organizations need to continuously monitor the computer systems and applications they have deployed, incorporate security upgrades to software and deploy updates to configurations. The Security Content Automation Protocol (SCAP), pronounced "ess-cap", comprises a number of open standards that are widely used to enumerate software flaws and configuration issues related to security. Applications which conduct security monitoring use the standards when measuring systems to find vulnerabilities, and offer methods to score those findings in order to evaluate the possible impact. The SCAP suite of specifications standardize the nomenclature and formats used by these automated vulnerability management, measurement, and policy compliance products.

A vendor of a computer system configuration scanner can get their product validated against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way.

SCAP defines how the following standards (referred to as SCAP 'Components') are combined:

SCAP Components

Starting with SCAP version 1.0 (July, 2010)

Starting with SCAP version 1.1 (February, 2011)

Starting with SCAP version 1.2 (September, 2011)

SCAP Checklists

Security Content Automation Protocol (SCAP) checklists standardize and enable automation of the linkage between computer security configurations and the NIST Special Publication 800-53 (SP 800-53) controls framework. The current[when?] version of SCAP is meant to perform initial measurement and continuous monitoring of security settings and corresponding SP 800-53 controls. Future versions will likely standardize and enable automation for implementing and changing security settings of corresponding SP 800-53 controls. In this way, SCAP contributes to the implementation, assessment, and monitoring steps of the NIST Risk Management Framework. Accordingly, SCAP forms an integral part of the NIST FISMA implementation project.

SCAP Validation Program

Security programs overseen by NIST focus on working with government and industry to establish more secure systems and networks by developing, managing and promoting security assessment tools, techniques, services, and supporting programs for testing, evaluation and validation; and addresses such areas as: development and maintenance of security metrics, security evaluation criteria and evaluation methodologies, tests and test methods; security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research to address assurance methods and system-wide security and assessment methodologies; security protocol validation activities; and appropriate coordination with assessment-related activities of voluntary industry standards bodies and other assessment regimes.

Independent third party testing assures the customer/user that the product meets the NIST specifications. The SCAP standards can be complex and several configurations must be tested for each component and capability to ensure that the product meets the requirements. A third-party lab (accredited by National Voluntary Laboratory Accreditation Program (NVLAP)) provides assurance that the product has been thoroughly tested and has been found to meet all of the requirements. A vendor seeking validation of a product should contact an NVLAP accredited SCAP validation laboratory for assistance in the validation process.

A customer who is subject to the FISMA requirements, or wants to use security products that have been tested and validated to the SCAP standard by an independent third party laboratory should visit the SCAP validated products web page to verify the status of the product(s) being considered.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Security_Content_Automation_Protocol&oldid=734556411"