Security Content Automation Protocol (SCAP) Repository

Welcome to the Security Content Automation Protocol (SCAP) GitHub repository! This repository serves as a central location for tracking issues, sharing specifications, and documenting the standards related to SCAP, which provides a framework for automating security management, configuration assessments, and vulnerability detection.

About SCAP

The Security Content Automation Protocol (SCAP) is a suite of standards that support automated configuration, vulnerability, and patch checking, security measurement, and technical control compliance activities. Developed by NIST, SCAP enables both organizations and tools to enforce, assess, and report on IT security compliance more effectively.

Key SCAP Components

SCAP consists of multiple component specifications that work together to standardize security configuration and vulnerability assessments:

• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)
• Open Checklist Interactive Language (OCIL)
• Asset Identification (AI)
• Common Platform Enumeration (CPE)
• Common Vulnerabilities and Exposures (CVE)
• Common Configuration Enumeration (CCE)
• Common Vulnerability Scoring System (CVSS)
• Software Identification (SWID) Tags
• Asset Reporting Format (ARF)
• Trust Model for Security Automation Data (TMSAD)

For more detailed information on each component, see the NIST documentation on SCAP.

Repository Structure

• Specifications: This directory contains the official SCAP specifications, schemas, and supporting documents.
• Issues: Use the Issues tab to report or discuss problems, requests for changes, or suggestions for the SCAP components and specifications.
• Examples: Sample files and configurations that demonstrate how SCAP components can be utilized and integrated within various systems.

Contributing

We welcome contributions! Please review the contribution guidelines in CONTRIBUTING.md for details on how to contribute to SCAP specifications, report issues, or add new examples. This repository follows the NIST SCAP guidelines and validation requirements, so please ensure contributions align with these standards.

Getting Started

To start using SCAP:

1. Review the component specifications in the Specifications directory.
2. Experiment with the Examples to see how SCAP configurations work in practice.
3. Post any issues or feedback you have using the Issues tab.

Resources

• NIST SCAP Documentation: NIST SCAP Project Page
• SCAP Validation: SCAP Validation Program

This repository is maintained by contributors in the security automation community. Please reach out with questions or for support using SCAP.

License

This repository follows NIST’s Public Domain Dedication License, unless otherwise noted.