Security Content Automation Protocol (SCAP)

SCAP is an acronym for Security Content Automation Protocol. It is a suite of open specifications maintained by NIST (NIST SP 800-126) that standardizes how security configuration checklists, vulnerability information, and check results are expressed: XCCDF for checklists and results, OVAL for machine-readable system tests, OCIL for questionnaires, and CPE, CCE, CVE and CVSS for naming platforms, settings and vulnerabilities. Because every compliant tool reads the same content, an organization can apply an already-accepted security baseline instead of inventing its own, or measure a weak existing implementation against one.

In other words, it allows security administrators to scan computers, software, and other devices against a predetermined security baseline to determine whether the configuration settings and software patches meet the standard they are being compared to.

The National Vulnerability Database (NVD) is the U.S. government repository of vulnerability data expressed in SCAP; it is built on and synchronized with the CVE list. SCAP configuration checklists themselves are published through NIST's National Checklist Program (NCP).

Some related standards and efforts are SACM (Security Automation and Continuous Monitoring, an IETF working group), CC (Common Criteria), SWID (Software Identification) tags, and FIPS (Federal Information Processing Standards). They are related rather than interchangeable: Common Criteria evaluates a product's security functionality, FIPS publications are mandatory federal standards (FIPS 140 for cryptographic modules, for example), and SWID tags are an ISO/IEC 19770-2 format for identifying installed software that SCAP 1.3 adopts as one of its components.

There are two main parts to the Security Content Automation Protocol — SCAP content and SCAP scanners.

SCAP Content

SCAP content modules are freely available content developed by the National Institute of Standards and Technology (NIST), other agencies, and its industry partners, and published through the National Checklist Program. A content module is a checklist expressed in XCCDF whose rules reference OVAL definitions (or OCIL questionnaires) describing how each setting is tested; the settings themselves reflect "secure" configurations agreed to by NIST and its SCAP partners.

An example is the Federal Desktop Core Configuration (FDCC), a security-hardened configuration for Windows XP and Windows Vista that has since been superseded by the United States Government Configuration Baseline (USGCB). The content serves as the baseline against which SCAP scanning tools compare the systems being scanned.

SCAP Scanners

A SCAP scanner is a tool that compares a target computer's or application's configuration and/or patch level against the SCAP content baseline.

The tool records every deviation and produces a report, typically as XCCDF results and, with SCAP 1.2 and later, as an Asset Reporting Format (ARF) bundle. Some SCAP scanners can also remediate, applying the baseline's fix content to bring the target computer into compliance. Because remediation changes settings on the target, review the report first rather than running fixes blindly, and check for rules that errored or were not checked: those are not passes.
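To make the scanner side concrete, here is an added example, not code from the original article or from any SCAP product, that post-processes the report a SCAP scanner writes. Results are expressed in XCCDF, the checklist component of SCAP. The script parses a constructed XCCDF 1.2 TestResult (hypothetical benchmark, rule identifiers and host name) and lists the deviations by severity, treating checks that errored or were not run as items needing attention rather than as passes. Real scanners such as OpenSCAP write this structure with `oscap xccdf eval --results results.xml`.

```python
"""Post-process a SCAP scanner's XCCDF 1.2 results: list deviations by severity.

Added example. The XML below is a constructed XCCDF TestResult, not the output
of any real scan, and the rule identifiers and host name are hypothetical.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace, the SCAP component that expresses checklists and results.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Order used to prioritise remediation; "unknown" is XCCDF's default severity.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample: one <rule-result> per evaluated rule, with an idref,
# an optional severity attribute and a <result> value as in the XCCDF schema.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_com.example.content_benchmark_LINUX">
  <TestResult id="xccdf_com.example.content_testresult_baseline" end-time="2024-01-01T00:01:00">
    <target>host01.example.internal</target>
    <rule-result idref="xccdf_com.example.content_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_com.example.content_rule_password_max_days" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_com.example.content_rule_audit_enabled" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_com.example.content_rule_smartcard_auth" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_com.example.content_rule_firewalld_enabled" severity="medium">
      <result>error</result>
    </rule-result>
    <rule-result idref="xccdf_com.example.content_rule_legacy_setting">
      <result>notchecked</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) for every <rule-result> in the TestResult."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", NS):
        result_el = rr.find("xccdf:result", NS)
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        # severity is optional on rule-result; XCCDF's default is "unknown".
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def summarize(rows):
    """Count results by XCCDF result value (pass, fail, error, notapplicable, ...)."""
    return dict(Counter(result for _, _, result in rows))


def needs_attention(rows):
    """Rules that must be looked at, highest severity first.

    'fail' is a genuine deviation from the baseline. 'error', 'notchecked' and
    'unknown' mean the check produced no answer; a compliance report must not
    let those count as passes, so they are surfaced alongside the failures.
    """
    flagged = [(rid, sev, res) for rid, sev, res in rows
               if res in {"fail", "error", "notchecked", "unknown"}]
    return sorted(flagged, key=lambda r: (SEVERITY_ORDER.get(r[1], 99), r[0]))


def pass_rate(rows):
    """Percentage of checks that answered pass or fail and passed.

    This is a simple flat ratio for triage; it is not the XCCDF scoring model.
    """
    answered = [res for _, _, res in rows if res in {"pass", "fail"}]
    return 100.0 * answered.count("pass") / len(answered) if answered else 0.0


def main():
    rows = parse_rule_results(SAMPLE_RESULTS)
    print("Result counts:", summarize(rows))
    print(f"Pass rate over pass/fail checks: {pass_rate(rows):.1f}%")
    for rid, sev, res in needs_attention(rows):
        print(f"[{sev:>7}] {res:<10} {rid}")


if __name__ == "__main__":
    main()
```

Run against a real results file by replacing SAMPLE_RESULTS with the file's contents. The point of separating needs_attention from summarize is that a scanner report with many "error" or "notchecked" rows can look clean if you only count passes and failures.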

There are many commercial and open-source SCAP scanners available, depending on the feature set that is desired. Some scanners are meant for enterprise-level scanning, while others are meant for individual PC use.

You can find the list of SCAP Validated Products and Modules on NIST's NVD site. Vendors with validated SCAP products include ThreatGuard, Tenable, Red Hat (OpenSCAP), and IBM BigFix.

Software vendors that need their product validated as SCAP-compliant can contact an NVLAP-accredited SCAP validation laboratory.