SCAP (Security Content Automation Protocol) Certification Requirements
The specifications that comprise SCAP are as follows:
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
General SCAPÂ Requirements:
- The vendor shall provide instructions on how to execute a previously imported valid FDCC SCAP-expressed data stream.
- The vendor shall provide an English language document to the lab that indicates which settings must be changed and a rationale for each changed setting. This content will be used on NIST web pages to explain details about each validated product and thus must contain only information that is to be publicly released.
- The product's documentation (printed or electronic) must state that it uses SCAP and explain relevant details to the users of the product.
- The vendor shall indicate which one or more of the defined SCAP capabilities their product is being tested for.
- The vendor shall provide product documentation that enumerates the general product capabilities for the target platform (e.g., antivirus, intrusion detection, firewall) that relate to the asserted SCAP capabilities.
- The vendor shall provide instructions on where the dates for all offline SCAP data can be inspected in the product output.