SCAP (Security Content Automation Protocol) Certification
...
Statements
The specifications that comprise SCAP are as follows:
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
General SCAP Requirements:
- The vendor shall provide instructions on how to execute a previously imported valid FDCC SCAP-expressed data stream.
...
- The vendor shall provide instructions on where the dates for all offline SCAP data can be inspected in the product output.
SCAP-Expressed Data Stream Import Requirements
- The vendor shall provide documentation explaining how an SCAP-expressed data stream can be imported into the product and subsequently executed.
Compliance Mapping Output Requirements
- The vendor shall provide documentation explaining where CCE compliance mappings can be viewed within the product output.
Misconfiguration Remediation
- The vendor shall provide instructions on how an SCAP-expressed data stream can be imported and executed on the target system to remediate non-compliant settings. The vendor shall also provide instructions on where the results of the remediation action can be viewed within the product output.