Sponsored by the National Institute of Standards and Technology (NIST), the Security Content Automation Protocol (SCAP) is a repository of security content used for automating technical control compliance activities, vulnerability checking of both application misconfigurations and software flaws, and security measurement. The primary outputs from SCAP are security checklists in a standard eXtensible Markup Language (XML) format that agencies (and vendors) can use via automated commercial products to help build, operate, measure and maintain secure systems according to official government security recommendations. Each security checklist contains instructions for configuring information technology products for an operational environment, or for verifying that an information technology product is already securely configured.
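As an added illustration of what an automated product does with such a checklist (example code written for this page, not Lumension's or NIST's software), the Python below parses a constructed XCCDF 1.1-style benchmark that carries rules, their CCE identifiers and an embedded TestResult, then reports per-rule outcomes, the failing rules with their CCE references, and a weighted compliance score in the spirit of the XCCDF default scoring model (simplified here to a flat weighted average over applicable rules). The rule ids, CCE values and scan results are placeholders.

```python
"""Summarise an XCCDF checklist result the way an automated SCAP tool would.

Added example for this page (not Lumension or NIST code). The benchmark below
is a constructed XCCDF 1.1-style fragment: rule ids and CCE identifiers are
placeholders, and the embedded TestResult is a made-up scan outcome.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # XCCDF 1.1.x namespace
CCE_SYSTEM = "http://cce.mitre.org"                  # ident/@system used for CCE ids

# Constructed sample: three rules (one failing, one not applicable to this host).
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark">
  <Group id="accounts">
    <Rule id="pw-min-length" severity="medium" weight="1.0">
      <title>Minimum password length is enforced</title>
      <ident system="{CCE_SYSTEM}">CCE-EXAMPLE-1</ident>
    </Rule>
    <Rule id="pw-lockout" severity="high" weight="2.0">
      <title>Account lockout threshold is set</title>
      <ident system="{CCE_SYSTEM}">CCE-EXAMPLE-2</ident>
    </Rule>
  </Group>
  <Rule id="legacy-service" severity="low" weight="1.0">
    <title>Legacy service is disabled</title>
  </Rule>
  <TestResult id="scan-1" end-time="2007-09-01T12:00:00">
    <rule-result idref="pw-min-length"><result>pass</result></rule-result>
    <rule-result idref="pw-lockout"><result>fail</result></rule-result>
    <rule-result idref="legacy-service"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

def q(tag):
    """Clark-notation name for an element in the XCCDF namespace."""
    return f"{{{XCCDF_NS}}}{tag}"

def load_rules(root):
    """Map every Rule id to its title, severity, weight and CCE reference (if any)."""
    rules = {}
    for rule in root.iter(q("Rule")):
        cce = None
        for ident in rule.findall(q("ident")):
            if ident.get("system") == CCE_SYSTEM:
                cce = ident.text
        rules[rule.get("id")] = {
            "title": rule.findtext(q("title"), default=""),
            "severity": rule.get("severity", "unknown"),
            "weight": float(rule.get("weight", "1.0")),
            "cce": cce,
        }
    return rules

def load_results(root):
    """Map rule id -> result string from the benchmark's TestResult."""
    test_result = root.find(q("TestResult"))
    if test_result is None:
        raise ValueError("benchmark carries no TestResult")
    return {rr.get("idref"): rr.findtext(q("result"), default="unknown")
            for rr in test_result.findall(q("rule-result"))}

# XCCDF result values that count toward the score, and those excluded from it.
SCORED = {"pass": 100.0, "fixed": 100.0, "fail": 0.0, "error": 0.0, "unknown": 0.0}
EXCLUDED = {"notapplicable", "notchecked", "notselected", "informational"}

def default_score(rules, results):
    """Weighted average (0-100) of scored rules, in the spirit of the XCCDF
    default scoring model (flattened: groups are not averaged separately)."""
    weighted_sum = total_weight = 0.0
    for rule_id, result in results.items():
        if result in EXCLUDED:
            continue
        weight = rules.get(rule_id, {}).get("weight", 1.0)
        weighted_sum += weight * SCORED.get(result, 0.0)
        total_weight += weight
    return round(weighted_sum / total_weight, 1) if total_weight else 0.0

def summarize(xml_text):
    """Return result counts, failing rules (with CCE refs) and the overall score."""
    root = ET.fromstring(xml_text)
    rules = load_rules(root)
    results = load_results(root)
    failed = [
        {"rule": rid, "severity": rules[rid]["severity"], "cce": rules[rid]["cce"]}
        for rid, res in results.items() if res == "fail"
    ]
    return {
        "counts": dict(Counter(results.values())),
        "failed": failed,
        "score": default_score(rules, results),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_XCCDF)
    print(f"score: {report['score']}  counts: {report['counts']}")
    for f in report["failed"]:
        print(f"FAIL {f['rule']} (severity {f['severity']}, {f['cce']})")
```

The not-applicable rule is left out of the denominator, so the single failing rule (weight 2.0) against the passing rule (weight 1.0) yields a score of 33.3; a real tool would also honour group structure and Profile selections, which this flat version ignores.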
SCAP Validated FDCC Scanner Ensures Compliant Agency Configurations
The Lumension® Vulnerability Management solution automates the management of security configurations through the import/export of SCAP checklists, discovery of assets and vulnerabilities, definition and enforcement of policies, and reporting of compliance effectiveness against the standards set forth by NIST and used by the US Department of Defense (DoD), the National Security Agency (NSA) and other departments.
The Lumension® Vulnerability Management solution includes:
- Lumension® Patch and Remediation - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
- Lumension® Scan - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
- Lumension® Security Configuration Management - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
- Lumension® Content Wizard - Create custom remediation packages to address configuration issues, remove unauthorized files and applications, address zero-day threats, patch custom software and more.
SCAP Standards include OVAL, CVE, CPE, CVSS, CWE, CCE, CRF and XCCDF
Lumension’s SCAP Validated and award-winning product portfolio has been declared or certified compliant in the following areas:
- Open Vulnerability and Assessment Language (OVAL)
  - Lumension’s solutions have been compatible with OVAL since October 2006
  - Lumension is one of only three companies listed on the Official OVAL Compatible Products page with five or more tested compatibilities
- Common Vulnerabilities and Exposures (CVE)
- Common Platform Enumeration (2.0) (CPE)
- Common Vulnerability Scoring System (2.0) (CVSS), including support for temporal and environmental scores
- Common Weakness Enumeration (CWE), used as a filtering mechanism for CVE
- Common Configuration Enumeration (CCE), used in XCCDF and in remediation packages
- Common Result Format (CRF): Lumension is actively involved in defining this new initiative, having encouraged it by proposing a Service Oriented Architecture for CVEs in December 2006
- Extensible Configuration Checklist Description Format (XCCDF)
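Since CVSS temporal and environmental scoring is listed above, here is an added worked example (written for this page, not Lumension's code) implementing the published CVSS v2.0 equations: the base score from the impact and exploitability sub-scores, the temporal score as the rounded base multiplied by the exploitability, remediation-level and report-confidence factors, and the environmental score built from the requirement-adjusted impact, collateral damage potential and target distribution. The metric weights are the published v2.0 values; the demo vectors are the worked example from the CVSS v2.0 guide, whose published results are 7.8 (base), 6.4 (temporal) and 9.2 (environmental).

```python
"""CVSS v2.0 base, temporal and environmental scores from metric vectors.

Added example for this page (not Lumension code); it implements the published
CVSS v2.0 equations and metric values. Decimal arithmetic keeps each
round-to-one-decimal step exact.
"""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Base metrics
AV = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}
AC = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}
AU = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}
CIA = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}
# Temporal metrics
E = {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")}
RL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")}
RC = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")}
# Environmental metrics
CDP = {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")}
TD = {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")}
REQ = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}  # CR / IR / AR

def parse_vector(vector):
    """'AV:N/AC:L/Au:N/...' -> {'AV': 'N', 'AC': 'L', 'Au': 'N', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))

def round1(x):
    """CVSS round_to_1_decimal (half up), returned as a float."""
    return float(D(x).quantize(D("0.1"), rounding=ROUND_HALF_UP))

def impact(c, i, a):
    """Impact sub-score: 10.41 * (1 - (1-C)(1-I)(1-A))."""
    return D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))

def base_equation(impact_value, exploitability):
    """((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)."""
    f_impact = D("0") if impact_value == 0 else D("1.176")
    return (D("0.6") * impact_value + D("0.4") * exploitability - D("1.5")) * f_impact

def cvss2(base_vector, temporal_vector="E:ND/RL:ND/RC:ND", env_vector=None):
    """Return base, temporal and (if env_vector is given) environmental scores."""
    b = parse_vector(base_vector)
    c, i, a = CIA[b["C"]], CIA[b["I"]], CIA[b["A"]]
    exploitability = 20 * AV[b["AV"]] * AC[b["AC"]] * AU[b["Au"]]
    base = round1(base_equation(impact(c, i, a), exploitability))

    t = parse_vector(temporal_vector)
    temporal_factor = E[t["E"]] * RL[t["RL"]] * RC[t["RC"]]
    # The guide applies the temporal factors to the already-rounded base score.
    temporal = round1(D(str(base)) * temporal_factor)
    scores = {"base": base, "temporal": temporal}

    if env_vector:
        e = parse_vector(env_vector)
        # Security-requirement weighting, capped at 10 as the guide specifies.
        adjusted_impact = min(D(10), D("10.41") * (1 - (1 - c * REQ[e["CR"]])
                                                    * (1 - i * REQ[e["IR"]])
                                                    * (1 - a * REQ[e["AR"]])))
        adjusted_base = round1(base_equation(adjusted_impact, exploitability))
        adjusted_temporal = round1(D(str(adjusted_base)) * temporal_factor)
        at = D(str(adjusted_temporal))
        scores["environmental"] = round1((at + (10 - at) * CDP[e["CDP"]]) * TD[e["TD"]])
    return scores

if __name__ == "__main__":
    # Vectors from the CVSS v2.0 guide's worked example (expected 7.8 / 6.4 / 9.2).
    print(cvss2("AV:N/AC:L/Au:N/C:N/I:N/A:C",
                "E:F/RL:OF/RC:C",
                "CDP:H/TD:H/CR:M/IR:M/AR:H"))
```

Note the two places where rounding matters: the temporal score multiplies the rounded base, and the environmental score starts from the rounded adjusted temporal score; doing the arithmetic on unrounded intermediates can shift the last digit and produce a score that disagrees with other SCAP-validated tools.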
Leader in Development of SCAP Standards
Lumension is a leader in the development of standards, including proposing a format for SCAP remediation in August 2006 and a database pattern for all (current and future) SCAP documents, results and reports.
- OVAL Remediation, a proposed future Common Remediation Language (CRL), presented at OVAL Developers Days in the summer of 2006
- Use the link at the bottom of this page to download the SCAP Database Model Proposal made in September 2007, a proposed future Common Database (CDB)
Detailed data model for SCAP here.