What Is Security Content Automation Protocol (SCAP)


It's critically important for every organization to keep up to date on the latest cybersecurity threats, such as viruses, worms, Trojan horses, and other nefarious digital menaces. SCAP (pronounced S-cap) is a security-enhancement method that uses specific standards to help organizations automate the way they monitor system vulnerabilities and make sure they're in compliance with security policies.

SCAP comprises a set of open security standards, along with applications that apply those standards to check systems for vulnerabilities and misconfigurations.

SCAP version 2, the next big SCAP revision, is in the works. Event-driven reporting and greater adoption of international standards are two of the capabilities expected.

Why Organizations Use SCAP

SCAP stands for Security Content Automation Protocol. If a company or organization doesn't have a security implementation, or has a weak one, SCAP provides accepted security standards the organization can follow.

Simply put, SCAP lets security administrators scan computers, software, and other devices based on a predetermined security baseline. It lets the organization know if it's using the right configuration and software patches for best security practices. SCAP's suite of specifications standardizes all the different terminology and formats, taking the confusion out of keeping organizations secure.

Other security standards similar to SCAP include SACM (Security Automation and Continuous Monitoring), CC (Common Criteria), SWID (Software Identification) tags, and FIPS (Federal Information Processing Standards).

SCAP Components

SCAP content and SCAP scanners are the two main aspects of the Security Content Automation Protocol.

SCAP Content

SCAP content modules are freely available content developed by the National Institute of Standards and Technology (NIST) and its industry partners. The content modules are built from "secure" configurations agreed upon by NIST and its SCAP partners.

One example would be the Federal Desktop Core Configuration, which is a security-hardened configuration of some versions of Microsoft Windows. The content serves as a baseline for comparison of systems being scanned by the SCAP scanning tools.

The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.

SCAP Scanners

An SCAP scanner is a tool that compares a target computer or application's configuration and/or patch level against that of the SCAP content baseline.

The tool notes any deviations and produces a report. Some SCAP scanners can also correct the target computer and bring it into compliance with the standard baseline.
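To make the scan-compare-report-remediate cycle concrete, here is an added illustration written for this article; it is not SCAP content, not any real scanner, and the rule format is a deliberate simplification rather than XCCDF or OVAL. The baseline rules and the target configuration are constructed sample data, and `scan`, `summarize`, `remediate` and `report` are hypothetical helper names.

```python
"""Simplified model of what an SCAP scanner does: compare a target's
configuration and patch level against a baseline, record each deviation,
produce a report, and optionally bring the target into compliance.
Illustration only; the rule format is a hypothetical simplification."""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass
class Rule:
    rule_id: str
    title: str
    setting: str          # key in the target's configuration snapshot
    expected: Any         # value the baseline requires
    severity: str         # "low" / "medium" / "high"
    # Comparison used by the check; default is exact equality.
    check: Callable[[Any, Any], bool] = lambda actual, expected: actual == expected


@dataclass
class Finding:
    rule_id: str
    severity: str
    result: str           # "pass", "fail" or "notchecked"
    actual: Any
    expected: Any


# Constructed baseline, in the spirit of a hardened desktop configuration.
BASELINE: List[Rule] = [
    Rule("rule_password_min_len", "Minimum password length", "password_min_length",
         14, "medium", lambda a, e: a is not None and a >= e),
    Rule("rule_smbv1_disabled", "SMBv1 disabled", "smb1_enabled", False, "high"),
    Rule("rule_patch_level", "Patch level at or above baseline", "patch_level",
         202405, "high", lambda a, e: a is not None and a >= e),
    Rule("rule_screen_lock", "Screen lock timeout no more than 900 s",
         "screen_lock_seconds", 900, "low", lambda a, e: a is not None and a <= e),
]

# Constructed snapshot of a target; screen_lock_seconds is deliberately absent.
TARGET: Dict[str, Any] = {
    "password_min_length": 8,
    "smb1_enabled": True,
    "patch_level": 202405,
}


def scan(target: Dict[str, Any], baseline: List[Rule]) -> List[Finding]:
    """Evaluate every baseline rule against the target snapshot."""
    findings = []
    for rule in baseline:
        if rule.setting not in target:
            # The scanner could not observe the setting, so it reports
            # "notchecked" instead of silently passing the rule.
            findings.append(Finding(rule.rule_id, rule.severity, "notchecked", None, rule.expected))
            continue
        actual = target[rule.setting]
        result = "pass" if rule.check(actual, rule.expected) else "fail"
        findings.append(Finding(rule.rule_id, rule.severity, result, actual, rule.expected))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count results so a report can lead with the headline numbers."""
    counts = Counter(f.result for f in findings)
    return {"pass": counts["pass"], "fail": counts["fail"], "notchecked": counts["notchecked"]}


def remediate(target: Dict[str, Any], findings: List[Finding], baseline: List[Rule]) -> Dict[str, Any]:
    """Return a copy of the target with failing settings set to the baseline
    value. Real scanners run rule-specific fix scripts; this simply assigns
    the expected value and leaves unobserved ("notchecked") settings alone."""
    by_id = {rule.rule_id: rule for rule in baseline}
    fixed = dict(target)
    for f in findings:
        if f.result == "fail":
            fixed[by_id[f.rule_id].setting] = f.expected
    return fixed


def report(findings: List[Finding]) -> str:
    """Render deviations first, highest severity at the top."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines = [f"{k}: {v}" for k, v in summarize(findings).items()]
    for f in sorted(findings, key=lambda f: (f.result == "pass", order[f.severity])):
        lines.append(f"[{f.result:>10}] {f.severity:<6} {f.rule_id}: actual={f.actual!r} expected={f.expected!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    first = scan(TARGET, BASELINE)
    print(report(first))
    print("--- after remediation ---")
    print(report(scan(remediate(TARGET, first, BASELINE), BASELINE)))
```

The "notchecked" outcome is the part worth copying into any home-grown compliance check: a setting the scanner could not read must never be counted as compliant, or the report will understate the organization's exposure.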

There are many commercial and open-source SCAP scanners available, depending on the feature set you want. Some scanners are meant for enterprise-level scanning, while others are for individual PC use.

You can find a list of SCAP tools at NVD. Some examples of SCAP products include ThreatGuard, Tenable, Red Hat, and IBM BigFix.

Software vendors that need their product validated as being in compliance with SCAP should contact an NVLAP-accredited SCAP validation lab.