...
General SCAP Requirements:
- The vendor shall provide instructions on how to execute a previously imported valid FDCC SCAP-expressed data stream.
See Creating a Policy.The product's documentation (printed or electronic) must state that it uses SCAP and explain relevant details to the users of the product.V.1: The vendor shall indicate where in the product documentation information regarding the use of SCAP can be found.
See Standards.
- SCAP.V.3.1: The vendor shall indicate which one or more of the defined SCAP capabilities their product is being tested for.
See Standards.
- SCAP.V.3.2: The vendor shall provide product documentation that enumerates the general product capabilities for the target platform (e.g., antivirus, intrusion detection, firewall) that relate to the asserted SCAP capabilities.
See Overview.
- SCAP.V.4: The vendor shall provide instructions on where the dates for all offline SCAP data can be inspected in the product output.
See Viewing Results in Other Formats.
SCAP-Expressed Data Stream Import Requirements
- SCAP.V.5: The vendor shall provide documentation explaining how an SCAP-expressed data stream can be imported into the product and subsequently executed.
See Importing Profiles.
Compliance Mapping Output Requirements
- SCAP.V.6: The vendor shall provide documentation explaining where CCE compliance mappings can be viewed within the product outputinstruction on where the corresponding XCCDF and OVAL result files can be located for inspection.
See Viewing Results in Other Formats.
Misconfiguration Remediation
- SCAP.V.12: The vendor shall provide instructions on how an SCAP-expressed data stream can be imported and executed on the target system to remediate non-compliant settings. The vendor shall also provide instructions on where the results of the remediation action can be viewed within the product output.
See: