NIST Revises SCAP Test Guidance
Publication Focuses on Validation Program, Test Requirements

The National Institute of Standards and Technology has published revised guidance that defines the requirements and associated test procedures necessary for products to achieve one or more Security Content Automation Protocol validations.
NIST Interagency Report 7511 Rev. 3, Security Content Automation Protocol Version 1.2 Validation Program Test Requirements, details how validations are awarded, based on a defined set of SCAP capabilities, by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program.
SCAP provides the capability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges and to process and present Common Vulnerabilities and Exposures and Open Checklist Interactive Language formats correctly and completely. CVE is a format to describe publicly known information security vulnerabilities and exposures. OVAL is an XML-based language used for communicating the details of vulnerabilities, patches, security configuration settings and other machine states in a machine-readable form.
This publication is intended for National Voluntary Laboratory Accreditation Program accredited laboratories conducting SCAP product testing for the program, vendors interested in receiving SCAP validation for their products and organizations deploying SCAP products in their environments.
According to NIST, accredited laboratories use the information in IR 7511 to guide their testing and ensure all necessary requirements are met by a product before recommending to NIST that the product be awarded the requested validation. Vendors use the report's information to understand the features products need in order to be eligible for an SCAP validation. Government agencies, businesses and integrators use the information to gain insight into the criteria required for SCAP validated products.
The secondary audience for this publication is end users, who can review the test requirements in order to understand validated product SCAP capabilities and gain knowledge about SCAP validation.