Security Content Automation Protocol (SCAP) Certification Statements
The specifications that comprise SCAP are as follows:
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
General SCAP Requirements:
- The vendor shall provide instructions on how to execute a previously imported valid FDCC SCAP-expressed data stream.
See Creating a Policy.
- The product's documentation (printed or electronic) must state that it uses SCAP and explain relevant details to the users of the product.
See Standards.
- The vendor shall indicate which one or more of the defined SCAP capabilities their product is being tested for.
See Standards.
- The vendor shall provide product documentation that enumerates the general product capabilities for the target platform (e.g., antivirus, intrusion detection, firewall) that relate to the asserted SCAP capabilities.
See Overview.
- The vendor shall provide instructions on where the dates for all offline SCAP data can be inspected in the product output.
See Viewing Results in Other Formats.
SCAP-Expressed Data Stream Import Requirements
- The vendor shall provide documentation explaining how an SCAP-expressed data stream can be imported into the product and subsequently executed.
See Importing Profiles.
Compliance Mapping Output Requirements
- The vendor shall provide documentation explaining where CCE compliance mappings can be viewed within the product output.
See Viewing Results in Other Formats.
Misconfiguration Remediation
- The vendor shall provide instructions on how an SCAP-expressed data stream can be imported and executed on the target system to remediate non-compliant settings. The vendor shall also provide instructions on where the results of the remediation action can be viewed within the product output.
See: