The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaws and security configuration information are communicated to both machines and humans. SCAP is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.
Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content, according to a National Institute of Standards and Technology release.
NIST has published two documents on version 1.3 of SCAP.
These two publications and a set of associated schemas collectively define the technical specification for SCAP version 1.3, which is based on enhancements and clarifications to the SCAP 1.2 specification.
SP 800-126A is a new publication that allows SCAP 1.3 to take advantage of particular minor version updates to SCAP component specifications, as well as particular Open Vulnerability and Assessment Language (OVAL) core schema and platform schema versions.
SCAP is a synthesis of interoperable specifications derived from community ideas. Community participation is invaluable for SCAP because the security automation community ensures that the broadest possible range of use cases is reflected in SCAP functionality.
NIST's security automation agenda is broader than the vulnerability management application of SCAP. Many different security activities and disciplines can benefit from standardized expression and reporting. NIST envisions further expansion in compliance, remediation, and network monitoring, and encourages your contribution relative to these and additional disciplines. NIST is also working on this expansion plan, so please communicate with the SCAP team early and often to ensure proper coordination of efforts. For more information, visit the SCAP homepage: https://scap.nist.gov/.