From National Institute of Standards and Technology | Jul 7, 2009
Managing the security of systems throughout an enterprise is challenging for several
reasons. Most organizations have many systems to patch and configure securely, with
numerous pieces of software (operating systems and applications) to be secured on each
system. This is extremely time-consuming and error-prone because there has been no
standardized, automated way of securing software. Organizations also need to
periodically verify the security of each system, which is also much more difficult to
do without standardized, automated checking tools. Further complicating system security
management is the need to respond appropriately to new vulnerabilities and threats,
prioritizing them so the most significant ones can be addressed sooner.

Organizations need a comprehensive, standardized approach to overcoming these
challenges, and the Security Content Automation Protocol (SCAP) has been developed to
help provide such an approach. SCAP comprises a suite of specifications for organizing
and expressing security-related information in standardized ways, as well as related
reference data, such as identifiers for software flaws and security configuration
issues. SCAP can be used for maintaining the security of enterprise systems, such as
automatically verifying the installation of patches, checking system security
configuration settings, and examining systems for signs of compromise.

This document defines SCAP and the component specifications that comprise it. It
describes common uses of SCAP and makes recommendations for SCAP users. The document
also provides insights to IT product and service vendors about adopting SCAP in their
offerings. SCAP does not replace existing security software; rather, support for it can
be embedded into existing software.

This ZIP file includes:
- Guide to Adopting and Using the Security Content Automation Protocol
- Cover Sheet and Terms
- Intro Page