NIST Revises SCAP Test Guidance

Publication Focuses on Validation Program, Test Requirements

The National Institute of Standards and Technology has published revised guidance that defines the requirements and associated test procedures necessary for products to achieve one or more Security Content Automation Protocol validations.


NIST Interagency Report 7511 Rev. 3, Security Content Automation Protocol Version 1.2 Validation Program Test Requirements, details how validations are awarded, based on a defined set of SCAP capabilities, by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program.

SCAP provides the capability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges, and to process and present Common Vulnerabilities and Exposures (CVE) and Open Checklist Interactive Language formats correctly and completely. CVE is a format to describe publicly known information security vulnerabilities and exposures. The Open Vulnerability and Assessment Language (OVAL) is an XML-based language used for communicating the details of vulnerabilities, patches, security configuration settings and other machine states in a machine-readable form.

This publication is intended for National Voluntary Laboratory Accreditation Program-accredited laboratories conducting SCAP product testing for the program, vendors interested in receiving SCAP validation for their products, and organizations deploying SCAP products in their environments.

According to NIST, accredited laboratories use the information in IR 7511 to guide their testing and ensure all necessary requirements are met by a product before recommending to NIST that the product be awarded the requested validation. Vendors use the report's information to understand the features products need in order to be eligible for an SCAP validation. Government agencies, businesses and integrators use the information to gain insight into the criteria required for SCAP-validated products.

The secondary audience for this publication is end users, who can review the test requirements in order to understand validated product SCAP capabilities and gain knowledge about SCAP validation.

About the Author

Information Security Media Group
