SCAP certification statements

Security Content Automation Protocol (SCAP) certification statements

The specifications that comprise SCAP are as follows (for details, go to Standards):

  • Extensible Configuration Checklist Description Format (XCCDF)
  • Open Vulnerability and Assessment Language (OVAL)
  • Common Configuration Enumeration (CCE)
  • Common Platform Enumeration (CPE)
  • Common Vulnerabilities and Exposures (CVE)
  • Common Vulnerability Scoring System (CVSS)

General SCAP requirements

  • SCAP.V.1.2: The vendor shall supply documentation on how to import an SCAP data stream, apply it against a target, and produce an SCAP result data stream conforming to the ARF specification. For further details, go to Generate cyberscope report.
  • SCAP.V.1: The vendor shall indicate where in the product documentation information regarding the use of SCAP can be found. For further details, go to Standards.
  • SCAP.V.3.1: The vendor shall indicate which one or more of the defined SCAP capabilities their product is being tested for. For further details, go to Standards.
  • SCAP.V.3.2: The vendor shall provide product documentation that enumerates the general product capabilities for the target platform (e.g., antivirus, intrusion detection, firewall) that relate to the asserted SCAP capabilities. For further details, go to Security Analysis Solution (SAS) 8.2 overview.
  • SCAP.V.4: The vendor shall provide instructions on where the dates for all offline SCAP data can be inspected in the product output. For further details, go to Viewing Results in Other Formats.

XCCDF + OVAL requirements

  • SCAP.V.5: The vendor shall provide documentation and instruction on how to import an SCAP-expressed data stream for the target platform, including XCCDF and OVAL content, into the product. For further details, go to Import profiles.
  • SCAP.V.6: The vendor shall provide instruction on where the corresponding XCCDF and OVAL results files can be located for inspection.

  1. In the computer list at the bottom of the policy, right-click a computer that has completed an assessment, then click Resource Manager.
  2. Under the Data tab, navigate to Event Classes > Data Classes > Arellia > Security Analysis > OVAL Analysis.
  3. Select the assessment in the list, right-click it, then click View Raw Oval Results Document or View Raw XCCDF Results.

XCCDF + CCE Requirements

SCAP.V.7: The vendor shall provide instructions on where the XCCDF Rules and their associated CCE IDs can be visually inspected within the product output. For further details, go to Viewing analysis results. The CCE IDs for a rule are listed in its rule configuration, which opens when you double-click the rule in the Compliance Viewer.

XCCDF + OVAL + CPE Requirements

SCAP.V.8: The vendor shall provide instructions on how the product indicates that an imported SCAP-expressed data stream is valid for a target platform. Instructions should also describe how the product indicates that an imported data stream is not valid for a target platform. This requirement tests the use of the OVAL check associated with a CPE name, resolved through the CPE dictionary, to determine the applicability of the data stream. Selecting the profile selects the associated target computers (if any exist). For further details, go to Create a Security Analysis policy.
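The three inspection points above (SCAP.V.4 content dates, SCAP.V.7 rule-to-CCE mapping, SCAP.V.8 CPE applicability) all come down to reading specific elements of the SCAP components. The following is an added example, not part of this page or of the product's own code: it parses constructed, abridged XCCDF 1.2, CPE dictionary 2.x and OVAL results 5.x fragments with only the Python standard library and shows exactly which elements carry each fact. For SCAP.V.8 it does what the requirement describes: the Benchmark's platform CPE name is looked up in the CPE dictionary, which points at an OVAL definition, and that definition's result on the target decides whether the data stream applies. All rule IDs, definition IDs, the CCE ID, file names and timestamps are invented for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces of the SCAP 1.2 components used below.
NS = {
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
    "cpe": "http://cpe.mitre.org/dictionary/2.0",
    "ovalres": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "oval": "http://oval.mitre.org/XMLSchema/oval-common-5",
}
CCE_SYSTEM = "http://cce.mitre.org"

# Constructed XCCDF benchmark: one platform, two rules, only one of which carries a CCE.
# IDs are hypothetical and do not refer to any real benchmark.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <status date="2013-05-01">accepted</status>
  <title>Demo benchmark</title>
  <platform idref="cpe:/o:microsoft:windows_7"/>
  <version>1.0</version>
  <Rule id="xccdf_org.example_rule_password_length" selected="true">
    <title>Minimum password length</title>
    <ident system="http://cce.mitre.org">CCE-00000-1</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_audit_logon" selected="true">
    <title>Audit logon events</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:2"/>
    </check>
  </Rule>
</Benchmark>"""

# Constructed CPE dictionary entry: the <check> text is the OVAL definition that tests the platform.
CPE_DICT_XML = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:microsoft:windows_7">
    <title xml:lang="en-US">Microsoft Windows 7</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="demo-cpe-oval.xml">oval:org.example.cpe:def:1</check>
  </cpe-item>
</cpe-list>"""

# Constructed, abridged OVAL results for the CPE check (directives and embedded definitions omitted).
CPE_OVAL_RESULTS_XML = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator>
    <oval:product_name>demo</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2013-06-15T10:00:00</oval:timestamp>
  </generator>
  <results><system><definitions>
    <definition definition_id="oval:org.example.cpe:def:1" version="1" result="true"/>
  </definitions></system></results>
</oval_results>"""


def rule_cce_map(benchmark_xml):
    """SCAP.V.7: map each XCCDF Rule id to its CCE identifiers (empty list if the rule has none)."""
    root = ET.fromstring(benchmark_xml)
    out = {}
    for rule in root.iter(f"{{{NS['xccdf']}}}Rule"):
        idents = [i.text for i in rule.findall("xccdf:ident", NS) if i.get("system") == CCE_SYSTEM]
        out[rule.get("id")] = idents
    return out


def content_dates(benchmark_xml, oval_xml):
    """SCAP.V.4: the dates that show how old the offline content is."""
    status = ET.fromstring(benchmark_xml).find("xccdf:status", NS)
    stamp = ET.fromstring(oval_xml).find("ovalres:generator/oval:timestamp", NS)
    return {
        "xccdf_status_date": status.get("date") if status is not None else None,
        "oval_generator_timestamp": stamp.text if stamp is not None else None,
    }


def platform_applicability(benchmark_xml, cpe_dict_xml, cpe_oval_results_xml):
    """SCAP.V.8: decide whether the benchmark is valid for the scanned target.

    platform idref (CPE name) -> CPE dictionary <check> (OVAL definition id) -> OVAL result on the target.
    Returns (applicable, {cpe_name: result}); a CPE with no dictionary entry or no result never counts as a match.
    """
    bench = ET.fromstring(benchmark_xml)
    cpe_to_def = {}
    for item in ET.fromstring(cpe_dict_xml).findall("cpe:cpe-item", NS):
        check = item.find("cpe:check", NS)
        if check is not None and check.text:
            cpe_to_def[item.get("name")] = check.text.strip()
    def_results = {d.get("definition_id"): d.get("result")
                   for d in ET.fromstring(cpe_oval_results_xml).iter(f"{{{NS['ovalres']}}}definition")}
    verdict = {}
    for plat in bench.findall("xccdf:platform", NS):
        cpe = plat.get("idref")
        def_id = cpe_to_def.get(cpe)
        verdict[cpe] = def_results.get(def_id, "unknown") if def_id else "no-cpe-check"
    # A Benchmark with no <platform> applies everywhere; otherwise at least one platform check must be true.
    applicable = not verdict or any(r == "true" for r in verdict.values())
    return applicable, verdict


if __name__ == "__main__":
    print(rule_cce_map(BENCHMARK_XML))
    print(content_dates(BENCHMARK_XML, CPE_OVAL_RESULTS_XML))
    print(platform_applicability(BENCHMARK_XML, CPE_DICT_XML, CPE_OVAL_RESULTS_XML))
```

The "unknown" and "no-cpe-check" verdicts are the cases a tester probes for the negative half of SCAP.V.8: a product must report a stream as not valid for the target when the CPE check fails or cannot be resolved, rather than silently running the rules anyway.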

CVSS + CVE

SCAP.V.9: The vendor shall provide documentation explaining where the NVD CVSS base scores and vector strings can be located with the corresponding CVE ID. The vendor may optionally provide the tester information on how the product can be updated with new NVD CVSS base scores and vector strings prior to testing. For further details, go to Vulnerability reports.

SCAP-Expressed Data Stream Import

SCAP.V.10: The vendor shall provide documentation explaining how an SCAP-expressed data stream can be imported into the product and subsequently executed. For further details, go to Import profiles.

Misconfiguration remediation

SCAP.V.12: The vendor shall provide instructions on how an SCAP-expressed data stream can be imported and executed on the target system to remediate non-compliant settings. The vendor shall also provide instructions on where the results of the remediation action can be viewed within the product output.

For further details, go to: