NIST releases SCAP update


The National Institute of Standards and Technology published Sept. 29 an update to the Technical Specification for the Security Content Automation Protocol, or SCAP. SP 800-126 Version 1.2 (.pdf) builds on the draft version of the document, published in July, and the feedback collected during the comment period, which closed Aug. 1.

The suite of specifications aims to standardize system security management, promote the interoperability of security products and foster the standard expressions of security content, according to NIST. Federal agencies, in cooperation with academia and private industry, are adopting SCAP.

The technical specification outlined in NIST's SCAP update describes the requirements and conventions necessary for the "consistent and accurate exchange of SCAP-conformant content and the ability to reliably use the content with SCAP-conformant products," write report authors.

The specifications are divided into 11 major components which fall into five categories:

  • SCAP languages, which outline standard vocabularies and conventions for security policy, assessment and mechanisms;
  • SCAP reporting formats for expressing collected information, namely the asset reporting format and asset identification;
  • SCAP enumerations, which define a standard naming format;
  • SCAP evaluation characteristics for security measurement and scoring; and
  • SCAP integrity specifications.

Agencies have closely followed updates to NIST's SCAP guidance for some time. In an August 2008 memorandum (.pdf) to agency chief information officers, then-Office of Management and Budget Administrator for E-Government and Information Technology Karen Evans urged federal CIOs to use SCAP-validated tools as part of FISMA continuous monitoring.

The latest guidance also expands on recommendations for private-sector development of SCAP 1.2-based content and products.

In August, NIST released four new publications that detail specifications to be used by the latest version of SCAP. Each interagency report (.pdf)--IR 7695, IR 7696, IR 7697 and IR 7698--was updated to version 2.3.

NIST Spokesperson Evelyn Brown said the wave of updates to SCAP-related guidance is partially due to the fast-approaching IT Security Automation Conference. The conference will be held Oct. 31 through Nov. 2 in Arlington, Va., and will focus on continuous monitoring, software assurance, network automation, IT security threats, specification updates and vendor products and capabilities.

For more:
- see NIST SP 800-126 Version 1.2 (.pdf)

Related Articles:
NIST issues IT risk management guidance, rounding out Joint Task Force suite 
NIST encourages agencies to adopt SCAP
NIST proposes computer security plan