Security Content Automation Protocol (SCAP) Certification Statements
The specifications that comprise SCAP are as follows:
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
General SCAP Requirements
- SCAP.V.1: The vendor shall indicate where in the product documentation information regarding the use of SCAP can be found.
See Standards.
- SCAP.V.3.1: The vendor shall indicate which one or more of the defined SCAP capabilities their product is being tested for.
See Standards.
- SCAP.V.3.2: The vendor shall provide product documentation that enumerates the general product capabilities for the target platform (e.g., antivirus, intrusion detection, firewall) that relate to the asserted SCAP capabilities.
See Overview.
- SCAP.V.4: The vendor shall provide instructions on where the dates for all offline SCAP data can be inspected in the product output.
See Viewing Results in Other Formats.
SCAP-Expressed Data Stream Import Requirements
- SCAP.V.5: The vendor shall provide documentation explaining how an SCAP-expressed data stream can be imported into the product and subsequently executed.
See Importing Profiles.
Compliance Mapping Output Requirements
- SCAP.V.6: The vendor shall provide instruction on where the corresponding XCCDF and OVAL result files can be located for inspection.
See Viewing Results in Other Formats.
Misconfiguration Remediation
- SCAP.V.12: The vendor shall provide instructions on how an SCAP-expressed data stream can be imported and executed on the target system to remediate non-compliant settings. The vendor shall also provide instructions on where the results of the remediation action can be viewed within the product output.
See: