Security Content Automation Protocol (SCAP) Validation Program

The SCAP Validation Program is designed to test the ability of products to use the features and functionality available through SCAP and its component standards. For information concerning SCAP, please see http://scap.nist.gov.

Under the SCAP Validation Program, independent laboratories are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). Accreditation requirements are defined in NIST Handbook 150, and NIST Handbook 150-17. Independent laboratories conduct the tests contained in the SCAP Validation Program Derived Test Requirements Document, on information technology (IT) security products and deliver the results to NIST. Based on the independent laboratory test report, the SCAP Validation Program then validates the product under test based on the independent laboratory test report. The validations awarded to vendor products will be publicly posted on the NIST SCAP Validated Tools web page at http://nvd.nist.gov/scapproducts..

SCAP validation will focus on evaluating specific versions of vendor products based on the platforms they support. Validations will be awarded on a platform-by-platform basis for the version of the product that was validated. Currently, US government SCAP content is primarily focused on Windows operating systems. Thus, vendors seeking validation will be evaluated based on the ability of the product to operate on the Windows target platform. Additional platforms will be available in the future.

Description of SCAP Capability validations:.

• FDCC Scanner: a product with the ability to audit and assess a target system in order to determine its compliance with the Federal Desktop Core Configuration (FDCC) requirements. By default, any product validated as an FDCC Scanner is automatically awarded the Authenticated Configuration Scanner validation.
• Authenticated Configuration Scanner: a product with the ability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges. The FDCC Scanner capability is an expanded use case of this capability. Therefore, any product awarded the FDCC Scanner validation is automatically awarded the Authenticated Configuration Scanner validation.
• Authenticated Vulnerability and Patch Scanner: a product with the ability to scan a target system to locate and identify the presence of known software flaws and evaluate the software patch status to determine compliance with a defined patch policy using target system logon privileges.
• Unauthenticated Vulnerability Scanner: a product with the ability of determining the presence of known software flaws by evaluating the target system over the network.
• Intrusion Detection and Prevention Systems (IDPS): a product that monitors a system or network for unauthorized or malicious activities. An intrusion prevention system actively protects the target system or network against these activities.
• Patch Remediation: the ability to install patches on a target system in compliance with a defined patching policy.
• Mis-configuration Remediation: the ability to alter the configuration of a target system in order to bring it into compliance with a defined set of configuration recommendations.
• Asset Management: the ability to actively discover, audit, and assess asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
• Asset Database: the ability to passively store and report on asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
• Vulnerability Database: A SCAP vulnerability database is a product that contains a catalog of security related software flaw issues labeled with CVEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of software flaws, references to additional information (e.g., links to patches or vulnerability advisories), and impact scores. The user-to-database interaction is provided independent of any scans, intrusion detection, or reporting activities. Thus, a product that only scans to find vulnerabilities and then stores the results in a database does not meet the requirements for an SCAP vulnerability database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about vulnerabilities, independent of a particular environment, would meet the definition of an SCAP vulnerability database.
• Mis-configuration Database: A SCAP mis-configuration database is a product that contains a catalog of security related configuration issues labeled with CCEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of configuration issues and references to additional information (e.g., configuration guidance, mandates, or other advisories). The user-to-database interaction is provided independent of any configuration scans or intrusion detection activities. Thus, a product that only scans to find mis-configurations and then stores the results in a database does not meet the requirements for an SCAP mis-configuration database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about security related configuration issues, independent of a particular environment, would meet the definition of an SCAP vulnerability database.
• Malware Tool: the ability to identify and report on the presence of viruses, Trojan horses, spyware, or other malware on a target system.

The above information, along with details on all the test requirements products successfully met to achieve validation, can be found in the SCAP Validation Program Derived Test Requirements (DTR) document.