Vulnerabilities Checklists Product Dictionary Impact Metrics Data Feeds Statistics
Home ISAP/SCAP SCAP Validated Tools SCAP Events About Contact Vendor Comments
Mission and Overview
NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status

NVD contains:

32678 CVE Vulnerabilities
161Checklists
151 US-CERT Alerts
2257 US-CERT Vuln Notes
2097OVAL Queries

Last updated:  09/15/08

CVE Publication rate:

11 vulnerabilities / day
Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 6.66
About Us

NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security’s National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

Security Content Automation Protocol Validated Products

This webpage contains a list of products that have been validated by NIST as conforming to the Security Content Automation Protocol (SCAP) and its component standards. Click on the vendor or product name to see a full description of the products validation information and status.

Please visit the SCAP validation program webpage for a description of the validation process and information on the SCAP capabilities referenced in the table below. For more information relating to SCAP please visit http://scap.nist.gov.

Support for U.S. Government Programs

Federal Desktop Core Configuration Initiative

The U.S. Office of Management and Budget has required, in the July 31st, 2007 memorandum to Federal CIOs, that "Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations."

Situational Awareness and Incident Response SmartBUY

The General Services Administration is requiring SCAP validation within blanket purchase agreements for vulnerability and configuration management products (Solicitation Number: Reference-Number-QTA0-08-HC-B-0003).

Security Content Automation Protocol (SCAP) Validated Products
Product Vendor
Product Name
SCAP Validations
SecureFusion
Patchlink Update Server
Policy Auditor
IP 360
IP 360 Mobile
Secure Configuration Manager
C5 Compliance Platform
NetChk Compliance
Security Center
Secutor Magnus
Secutor Prime
S-CAT
Resolution Manager



Potential SCAP Validations for 2008

The following information is based on information provided to NIST by vendors that have indicated their intention to get SCAP Validated in 2008.

SCAP CapabilityPotential Validations
FDCC Scanner11
Authenticated Configuration Scanner12
Authenticated Vulnerability and Patch Scanner8
Unauthenticated Vulnerability Scanner6
Mis-configuration Remediation3
Mis-configuration Database6
Vulnerability Database6




Laboratories Accredited to do SCAP Testing

The labs listed below have been accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP) to perform SCAP validation testing. Click on the lab name to see a full listing of the lab's accredited scopes

NVLAP Accredited Independent SCAP Testing Laboratories
Laboratory Name
Accredited Testing Scopes
AEGISOLVE, Inc.
  • SCAP
  • CVE
  • CCE
  • CPE
  • CVSS
  • XCCDF
  • OVAL
ATSEC
  • SCAP
  • CVE
  • CCE
  • CPE
  • CVSS
  • XCCDF
  • OVAL
COACT
  • SCAP
  • CVE
  • CCE
  • CPE
  • CVSS
  • XCCDF
  • OVAL
Cygnacom
  • SCAP
  • CVE
  • CCE
  • CPE
  • CVSS
  • XCCDF
  • OVAL
DOMUS
  • SCAP
  • CVE
  • CCE
  • CPE
  • CVSS
  • XCCDF
  • OVAL
EWA - Canada
  • SCAP
  • CVE
  • CCE
  • CPE
  • CVSS
  • XCCDF
  • OVAL
ICSA Labs
  • SCAP
  • CVE
  • CCE
  • CPE
  • CVSS
  • XCCDF
  • OVAL
InfoGard
  • SCAP
  • CVE
  • CCE
  • CPE
  • CVSS
  • XCCDF
  • OVAL
SAIC
  • SCAP
  • CVE
  • CCE
  • CPE
  • CVSS
  • XCCDF
  • OVAL

Disclaimer Notice & Privacy Statement / Security Notice

Send comments or suggestions to nvd@nist.gov

NIST Computer Security Resource Center (CSRC)

NIST is an Agency of the U.S. Commerce Department

Full vulnerability listing