Security Content Automation Protocol (SCAP)

From SCADApedia


The Security Content Automation Protocol (SCAP) is a NIST program to audit security settings in workstations and servers. SCAP creates checklists with a large number of recommended security settings. SCAP also validates security scanners that are able to use the SCAP checklists. This allows government agencies to test deployed systems against the Federal Desktop Core Configuration and other government recommended configurations. While designed for US Government use, the SCAP program is also highly useful for non-governmental organizations and is available free of charge.


Purpose

SCAP is a suite of selected open standards that enumerate software flaws, security related configuration issues, and product names; measure systems to determine the presence of vulnerabilities; and provide mechanisms to rank (score) the results of these measurements in order to evaluate the impact of the discovered security issues. SCAP defines how these standards are combined.

SCAP Checklists

NIST is developing a growing number of SCAP checklists. The early emphasis was on Windows operating system settings. The program has expanded to develop checklists for various flavors of UNIX, web browsers, anti-virus, firewalls and more.

The checklists are developed based on NIST expertise and input from other industry and government efforts. Many of the SCAP checklists are virtually identical to the Center for Internet Security recommendations. SCAP's priority appears to be the testing tool; it relies heavily on outside efforts for checklist development.

Validation Program

The SCAP Validation Program tests the ability of products to use the SCAP checklists and produce accurate results.

Under the SCAP Validation Program, independent laboratories are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). An accredited laboratory tests an information technology security product as specified in the SCAP Validation Program Derived Test Requirements Document and delivers the results to NIST. Based on the laboratory's test report, the SCAP Validation Program then validates the product under test.

Currently, US government SCAP content is primarily focused on Windows operating systems. Thus, vendors seeking validation are evaluated based on the ability of the product to operate on the Windows target platform. Additional platforms are planned to be available in the future.

As of July 2008, nine vendors had scanning or auditing products that passed SCAP validation.

Relation to Bandolier

Bandolier is a Digital Bond research project to develop audit files that can be used to determine whether a control system component is in its optimal security configuration. While the original audit files are written for Nessus, they will also be made available in OVAL / XCCDF format. The Bandolier audit files can then be used in any SCAP Validated tool, and they are very much like the SCAP Checklists, albeit without the NIST blessing or review process.
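The Purpose section above describes SCAP as measuring systems and scoring the results, and the Bandolier section mentions audit content in XCCDF format. The following is an added example, not code from SCADApedia, NIST or Digital Bond: it parses a constructed XCCDF 1.2 TestResult (placeholder rule ids, sample weights) and computes a simplified flat weighted pass score, which is an assumption here rather than the full XCCDF default scoring algorithm.

```python
# Added example (not from the SCADApedia page, NIST or Digital Bond): parse a
# constructed XCCDF 1.2 TestResult and summarise rule outcomes. Rule ids are
# placeholders; the score uses a simplified flat weighted model (assumption),
# not the full hierarchical XCCDF default scoring algorithm.
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample result document (placeholder rule ids, sample weights).
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example_testresult_sample">
  <target>workstation-01.example</target>
  <rule-result idref="xccdf_example_rule_password_min_length" weight="10.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_guest_account_disabled" weight="10.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_logon_events" weight="5.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_firewall_enabled" weight="5.0">
    <result>notapplicable</result>
  </rule-result>
</TestResult>"""

# Outcomes XCCDF treats as non-scoring; they are excluded from the total weight.
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}

def parse_rule_results(xml_text):
    """Return (rule id, result, weight) tuples from an XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        rows.append((rr.get("idref"), result, float(rr.get("weight", "1.0"))))
    return rows

def summarize(rows):
    """Count outcomes, list failing rules, and compute a 0-100 weighted score."""
    counts = Counter(result for _, result, _ in rows)
    scored = [(r, w) for _, r, w in rows if r not in UNSCORED]
    total = sum(w for _, w in scored)
    passed = sum(w for r, w in scored if r in ("pass", "fixed"))
    score = round(100.0 * passed / total, 1) if total else 0.0
    failed = [rid for rid, r, _ in rows if r in ("fail", "error", "unknown")]
    return {"counts": dict(counts), "score": score, "failed": failed}
```

A real scanner would read the TestResult emitted by an SCAP validated tool rather than the inline sample; the `failed` list is what an operator would feed into remediation tracking.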

External Links

Security Content Automation Protocol web site

Extensible Configuration Checklist Description Format (XCCDF)

Open Vulnerability and Assessment Language (OVAL)
