The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has released the fourth revision of its Internal Report covering SCAP Version 1.2 Validation Program Test Requirements. SCAP, the “Security Content Automation Protocol”, is a suite of specifications developed by the security community to standardize the way security software communicates and delivers information about potential flaws and configurations for software security. Standardizing security information streamlines interoperability amongst products and leads to more fluid and secure systems.
According to ITL, which provides technical leadership for the Nation’s measurement and standards infrastructure, “the SCAP Validation Program offers vendors an opportunity to provide independent verification that security software correctly processes SCAP-expressed security information and provides standardized output. Industry and government end users benefit from the SCAP Validation Program by having assurance that SCAP-validated products have undergone independent testing and have met all requirements defined in NISTIR 7511. The validation program supports the U.S. Office of Management and Budget (OMB) efforts to provide consistent information technology configuration throughout the U.S. federal government.”
NIST’s National Voluntary Laboratory Accreditation Program (NVLAP) oversees and maintains the SCAP Validation Program. Similar to the process for FIPS 140-2, various labs are accredited by NVLAP to perform independent test processes; these labs take test requirement documents and run products through the various tests. The results are then delivered directly to NIST. The SCAP Validation Program then validates the product under test and a publicly posted certificate is awarded to the product vendor, assuming all tests and requirements are met.