Extensible Configuration Checklist Description Format (XCCDF) Requirements
- The product's documentation (printed or electronic) must state that it uses XCCDF and explain the relevant details to the users of the product.
...
- The vendor shall provide instructions on how the product generates human-readable prose from valid XCCDF documents.
XCCDF + OVAL Requirements
- (Input) The vendor shall provide documentation and instruction on how to import an SCAP-expressed data stream for the target platform, including XCCDF and OVAL content, into the product.
- (Output) The vendor shall provide instruction on where the corresponding XCCDF and OVAL results files can be located for inspection.
XCCDF + CCE Requirements
- The vendor shall provide instructions on where the XCCDF Rules and their associated CCE IDs can be visually inspected within the product output.
XCCDF + OVAL + CPE Requirements
- The vendor shall provide instructions on how the product indicates that the imported SCAP-expressed data stream is valid for a target platform. The instructions should also describe how the product indicates that the imported data stream is not valid for a target platform. This requirement tests the use of the OVAL check associated with a CPE name via the CPE dictionary to determine applicability of the data stream.
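
The applicability decision named in the last requirement, as an added example (not from this requirements list or from any product): the Benchmark's platform CPE name is looked up in the CPE dictionary, the OVAL definition referenced by its check is found, and that definition's result decides whether the data stream applies. The sample documents are constructed and trimmed, the function names are hypothetical, and the XCCDF 1.1 namespace and the "any platform matches" rule are assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted content, parse with defusedxml instead

NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.1",  # assumed XCCDF version
      "cpe": "http://cpe.mitre.org/dictionary/2.0",
      "res": "http://oval.mitre.org/XMLSchema/oval-results-5"}
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed, trimmed sample documents (not schema-complete, not a real data stream).
BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <platform idref="cpe:/o:example:os:1.0"/>
</Benchmark>"""
DICTIONARY = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:example:os:1.0">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
           href="example-cpe-oval.xml">oval:com.example:def:1</check>
  </cpe-item>
</cpe-list>"""

def oval_results(result):
    """Constructed OVAL results for the CPE check definition with the given result."""
    return f"""<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results><system><definitions>
    <definition definition_id="oval:com.example:def:1" result="{result}"/>
  </definitions></system></results>
</oval_results>"""

def applicability(benchmark_xml, dictionary_xml, results_xml):
    """Map each Benchmark platform CPE name to True, False or None (undetermined)."""
    checks = {}  # CPE name -> OVAL definition id taken from the dictionary's check
    for item in ET.fromstring(dictionary_xml).findall("cpe:cpe-item", NS):
        for chk in item.findall("cpe:check", NS):
            if chk.get("system") == OVAL_SYSTEM:
                checks[item.get("name")] = (chk.text or "").strip()
    results = {d.get("definition_id"): d.get("result")
               for d in ET.fromstring(results_xml).iterfind(".//res:definition", NS)}
    verdict = {}
    for plat in ET.fromstring(benchmark_xml).findall("xccdf:platform", NS):
        cpe = plat.get("idref")
        # No dictionary entry, no OVAL check, or a result such as "error" or
        # "unknown" leaves applicability undetermined rather than silently valid.
        verdict[cpe] = {"true": True, "false": False}.get(results.get(checks.get(cpe)))
    return verdict

def stream_is_valid_for_target(verdict):
    """Assumption: the stream applies if at least one listed platform evaluated true."""
    return any(v is True for v in verdict.values())
```
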