Which of the following SCAP standards provides a standard nomenclature for describing security-related software flaws?

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including, for example, FISMA (Federal Information Security Management Act, 2002) compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. An example of an implementation of SCAP is OpenSCAP.

Purpose

To guard against security threats, organizations need to continuously monitor the computer systems and applications they have deployed, incorporate security upgrades to software, and deploy updates to configurations. The Security Content Automation Protocol (SCAP), pronounced "ess-cap" but most commonly as "skap", comprises a number of open standards that are widely used to enumerate software flaws and configuration issues related to security. Applications that conduct security monitoring use the standards when measuring systems to find vulnerabilities, and offer methods to score those findings in order to evaluate the possible impact. The SCAP suite of specifications standardizes the nomenclature and formats used by these automated vulnerability management, measurement, and policy compliance products.

A vendor of a computer system configuration scanner can get their product validated against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way.

SCAP defines how the following standards (referred to as SCAP 'Components') are combined:

SCAP Components

Starting with SCAP version 1.0 (November, 2009)

  • Common Vulnerabilities and Exposures (CVE)
  • Common Configuration Enumeration (CCE) (prior website at MITRE)
  • Common Platform Enumeration (CPE)
  • Common Vulnerability Scoring System (CVSS)
  • Extensible Configuration Checklist Description Format (XCCDF)
  • Open Vulnerability and Assessment Language (OVAL)

Starting with SCAP version 1.1 (February, 2011)

  • Open Checklist Interactive Language (OCIL) Version 2.0

Starting with SCAP version 1.2 (September, 2011)

  • Asset Identification (AID)
  • Asset Reporting Format (ARF)
  • Common Configuration Scoring System (CCSS)
  • Trust Model for Security Automation Data (TMSAD)

Starting with SCAP version 1.3 (February, 2018)

  • Software Identification (SWID) tags

SCAP Checklists

Security Content Automation Protocol (SCAP) checklists standardize and enable automation of the linkage between computer security configurations and the NIST Special Publication 800-53 (SP 800-53) controls framework. The current version of SCAP is meant to perform initial measurement and continuous monitoring of security settings and corresponding SP 800-53 controls. Future versions will likely standardize and enable automation for implementing and changing security settings of corresponding SP 800-53 controls. In this way, SCAP contributes to the implementation, assessment, and monitoring steps of the NIST Risk Management Framework. Accordingly, SCAP forms an integral part of the NIST FISMA implementation project.

SCAP Validation Program

The SCAP Validation Program tests the ability of products to employ SCAP standards. The NIST National Voluntary Laboratory Accreditation Program (NVLAP) accredits independent laboratories under the program to perform SCAP validations.

A vendor seeking validation of a product can contact an NVLAP accredited SCAP validation laboratory for assistance in the validation process.

A customer who is subject to the FISMA requirements, or wants to use security products that have been tested and validated to the SCAP standard by an independent third party laboratory, should visit the SCAP validated products web page to verify the status of the product(s) being considered.

  • Security Content Automation Protocol web site
  • National Vulnerability Database web site
  • Mitre "Making Security Measurable" web site
  • SCAP Search

The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality. This Web site is provided to support continued community involvement. From this site, you will find information about both existing SCAP specifications and emerging specifications relevant to NIST's security automation agenda. You are invited to participate, whether monitoring community dialog or leading more substantive activities like specification authorship.

NIST's security automation agenda is broader than the vulnerability management application of modern day SCAP. Many different security activities and disciplines can benefit from standardized expression and reporting. We envision further expansion in compliance, remediation, and network monitoring, and encourage your contribution relative to these and additional disciplines. NIST is also working on this expansion plan, so please communicate with the SCAP Team early and often to ensure proper coordination of efforts.

Which element of the SCAP framework can be used to consistently describe vulnerabilities?

CVE (Common Vulnerabilities and Exposures) is a dictionary of common names (that is, CVE Identifiers) for publicly known information security vulnerabilities. CVE is now the industry standard for vulnerability and exposure names.

What is SCAP in cyber security?

The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.

What SCAP component provides a language for specifying checklists?

XCCDF. The XCCDF acronym stands for Extensible Configuration Checklist Description Format. As the name suggests, the language is used to describe security checklists.
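To show what "describing a checklist" means in practice, here is an added Python example (not code from the page, from NIST, or from any SCAP tool) that reads a small XCCDF benchmark, applies one of its profiles, and lists the rules a scanner would actually evaluate together with the OVAL definition each rule points at. The benchmark XML is constructed for this example; it uses the XCCDF 1.2 namespace and the `xccdf_<reverse-DNS>_<type>_<name>` identifier pattern, and the OVAL file and definition names it references are placeholders. The selection logic assumed here is the basic one: a Rule's own `selected` attribute (default true) gives the starting value, and a Profile's `select` elements override it.

```python
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# XCCDF 1.2 identifier pattern: xccdf_<reverse-DNS namespace>_<type>_<name>
XCCDF12_ID = re.compile(r"^xccdf_[A-Za-z0-9.\-]+_(benchmark|profile|group|rule|value|tailoring)_[^\s]+$")

# Constructed benchmark for this example; not real NIST or vendor content.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_demo">
  <status date="2024-01-01">draft</status>
  <title>Example hardening checklist</title>
  <version>0.1</version>
  <Profile id="xccdf_org.example_profile_baseline">
    <title>Baseline profile</title>
    <select idref="xccdf_org.example_rule_sshd_no_root_login" selected="true"/>
    <select idref="xccdf_org.example_rule_telnet_absent" selected="true"/>
    <select idref="xccdf_org.example_rule_fips_mode" selected="false"/>
  </Profile>
  <Group id="xccdf_org.example_group_ssh">
    <title>SSH</title>
    <Rule id="xccdf_org.example_rule_sshd_no_root_login" severity="high">
      <title>Disable root login over SSH</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:org.example:def:1"/>
      </check>
    </Rule>
  </Group>
  <Group id="xccdf_org.example_group_services">
    <title>Services</title>
    <Rule id="xccdf_org.example_rule_telnet_absent" severity="medium" selected="false">
      <title>Telnet server package is not installed</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:org.example:def:2"/>
      </check>
    </Rule>
    <Rule id="xccdf_org.example_rule_fips_mode" severity="low">
      <title>FIPS mode is enabled</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:org.example:def:3"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


def is_xccdf12_id(identifier: str) -> bool:
    """True when the identifier follows the XCCDF 1.2 naming pattern."""
    return XCCDF12_ID.match(identifier) is not None


def selected_rules(xml_text: str, profile_id: str) -> list:
    """Return the rules enabled by a profile, each with its severity, title and
    the OVAL definition its check references (None if the rule has no check)."""
    root = ET.fromstring(xml_text)
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise KeyError(f"no profile {profile_id!r} in benchmark {root.get('id')!r}")
    rules = list(root.iter(f"{{{XCCDF_NS}}}Rule"))
    # Rule's own 'selected' attribute is the default (true when absent) ...
    enabled = {r.get("id"): r.get("selected", "true") == "true" for r in rules}
    # ... and the profile's select elements override it.
    for sel in profile.findall("x:select", NS):
        if sel.get("idref") in enabled:
            enabled[sel.get("idref")] = sel.get("selected") == "true"
    out = []
    for rule in rules:
        if not enabled[rule.get("id")]:
            continue
        ref = rule.find("x:check/x:check-content-ref", NS)
        out.append({"id": rule.get("id"),
                    "severity": rule.get("severity", "unknown"),
                    "title": rule.findtext("x:title", default="", namespaces=NS),
                    "oval_definition": ref.get("name") if ref is not None else None})
    return out


if __name__ == "__main__":
    for r in selected_rules(BENCHMARK_XML, "xccdf_org.example_profile_baseline"):
        print(f"{r['severity']:>7}  {r['id']}  ->  {r['oval_definition']}")
```

The split of responsibilities is the point: XCCDF carries the policy (which rules, in which profile, at what severity) while the actual test for each rule lives in OVAL content that the `check-content-ref` names, which is why a tool can swap in a stricter profile without touching the checks themselves.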

What is SCAP NIST?

SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans.