XCCDF, OVAL, CVE, CPE, ARF, CVSS, CCE and TMSAD, collectively known as the Security Content Automation Protocol (SCAP), might come across as an alphabet soup of standards. But for many in the government—especially in the security community—SCAP might be the best thing since the Internet. Issued by the National Institute of Standards and Technology (NIST), SCAP is a combination of open security standards that were developed with community participation. It is a methodology used to evaluate the vulnerability management, measurement, and policy compliance capabilities of security software solutions. SCAP certification assures an organization that the security solution it has invested in meets NIST's and FISMA's highest standards. In particular, an SCAP certified security solution complies with the reporting requirements of NIST and FISMA, and exports validated data in a standardized XML format.
SecurityCenter 5 is now fully certified against SCAP 1.2
We are pleased to announce that Tenable’s SecurityCenter 5 is now an SCAP validated tool, certified to perform SCAP 1.2 compatible assessments.
Why is SCAP so important?
In the early days before the SCAP 1.0 standard was released, whenever a government agency tried to evaluate security software solutions for configuration auditing or vulnerability assessment, no two vendors produced the same result against the same target; and worse, the reports created by the vendors’ products were completely incompatible with each other and required specialized software to interpret. So there was no easy way to compare products and their results.
Agreeing on even simple items such as password length was a challenge. For example, if a policy required a password length of 8 and the target was configured for a password length of 10, one vendor might flag it as a fail (not an exact match), and another vendor might pass the same check (interpreted as stricter than the policy value). Even though each vendor was right, imagine repeating the same process over thousands of individual security specifications and trying to measure results. Government agencies didn’t have a good way to compare vendors or to test products consistently. All they could do was look at the software price, toss a coin and hope that the chosen software worked as expected once it went live. Of course I am oversimplifying, but you get the point: SCAP is all about standardization.
Eventually, government agencies called for standardization. The result was an amalgamation of standards under the umbrella of a single protocol called the Security Content Automation Protocol (SCAP).
NIST then required that all vendors who wanted to sell to the government must define settings in the same way (XCCDF), evaluate targets the same way (OVAL), determine whether targets are applicable for a test the same way (CPE), and generate reports that are identical for the same target (ARF). The result? Reports generated by one tool could be easily imported into another product for analysis and comparison, as long as the product was SCAP certified. Any vendor innovation would come from ease of use or speedier scans, for example, not from specialized evaluations of tests or exotic reports.
This was a welcome development for Tenable, because it meant we no longer had to convert large benchmark PDF files into our proprietary .audit files. We were one of the first vendors to get SCAP 1.0 certified in 2008. Any customer with access to SCAP content was able to run scans with it using SecurityCenter.
For all the promise that the initial versions of SCAP (1.0/1.1) held, SCAP did not initially achieve all its goals. Many vendors supported it, and a lot of content was generated for SCAP. But some goals remained unrealized: the reports from vendors were not always importable, and coverage for all OVAL tests was spotty.
In retrospect, the standard was put together hastily, the requirements were open to interpretation, and testing was sketchy. Compared to the current SCAP version, the standards to achieve certification were far simpler and less detailed. The result was that not all SCAP validated tools were created equal.
If SCAP 1.0/1.1 was a toddler, then SCAP 1.2 is the grown-up. That’s the level of transformation and complexity added to SCAP. We now have more clarity.
SCAP 1.2 ushered in a completely new content format. Previous SCAP versions had four different files for XCCDF, OVAL and CPE content; they are now all merged into one big XML file. NIST released the SCAP validation test suite so that all vendors know exactly what they will be tested against. And the new standard mandates backward compatibility with SCAP 1.0/1.1 so that the existing SCAP 1.0/1.1 content will still work.
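The following is an added example, not Tenable's code, that ties the two points above together: a constructed and heavily trimmed SCAP 1.2 data stream in which the `<ds:checks>` section points via `xlink:href` at an OVAL component bundled in the same file, and whose password-length state spells out the comparison operation (`greater than or equal`), so the 8-versus-10 disagreement described earlier cannot arise. The namespace URIs and the `min_passwd_len` entity are taken from the SCAP 1.2 and OVAL Windows schemas; the ids, timestamp and values are made up for the example, and the parser resolves only this one state rather than a full OVAL definition.

```python
import operator
import xml.etree.ElementTree as ET

# Namespaces of the SCAP 1.2 source data stream, XLink and the OVAL Windows schema.
NS = {"ds": "http://scap.nist.gov/schema/scap/source/1.2",
      "xlink": "http://www.w3.org/1999/xlink",
      "win": "http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"}

# Constructed, trimmed SCAP 1.2 data stream: one file carries both the
# data-stream index and the OVAL component it references. Real content also
# bundles the XCCDF checklist and CPE dictionary components the same way.
DATA_STREAM = """<ds:data-stream-collection id="scap_example_collection"
  xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
 <ds:data-stream id="scap_example_ds" scap-version="1.2" use-case="CONFIGURATION">
  <ds:checks><ds:component-ref id="scap_example_cref" xlink:href="#scap_example_comp"/></ds:checks>
 </ds:data-stream>
 <ds:component id="scap_example_comp" timestamp="2015-01-01T00:00:00">
  <oval:oval_definitions><oval:states>
   <win:passwordpolicy_state id="oval:example:ste:1" version="1">
    <win:min_passwd_len datatype="int" operation="greater than or equal">8</win:min_passwd_len>
   </win:passwordpolicy_state>
  </oval:states></oval:oval_definitions>
 </ds:component>
</ds:data-stream-collection>"""

# Integer comparisons from the OVAL operation enumeration; the content, not the vendor, picks one.
OPERATIONS = {"equals": operator.eq, "not equal": operator.ne,
              "greater than": operator.gt, "greater than or equal": operator.ge,
              "less than": operator.lt, "less than or equal": operator.le}

def find_min_passwd_len_state(xml_text):
    """Follow the <ds:checks> component-ref to the bundled OVAL component and
    return (expected_value, operation) from its min_passwd_len state entity."""
    root = ET.fromstring(xml_text)
    ref = root.find("ds:data-stream/ds:checks/ds:component-ref", NS)
    comp_id = ref.get("{%s}href" % NS["xlink"]).lstrip("#")
    comp = root.find("ds:component[@id='%s']" % comp_id, NS)
    entity = comp.find(".//win:passwordpolicy_state/win:min_passwd_len", NS)
    # OVAL defaults the operation to "equals" when the attribute is absent.
    return int(entity.text), entity.get("operation", "equals")

def evaluate(xml_text, collected_len):
    """Compare the value collected from the target using the operation the
    content spells out; returns an OVAL-style result string ("true"/"false")."""
    expected, op = find_min_passwd_len_state(xml_text)
    return "true" if OPERATIONS[op](collected_len, expected) else "false"
```

With the operation written into the content, a target configured for a length of 10 evaluates to "true" for every conforming tool; only an "equals" state would make it fail.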
The SCAP test suite has 46 different requirements and 75,000 tests. Failing just one test means failing SCAP certification completely. After months of hard work, we are happy to report that SecurityCenter 5 is now fully certified against SCAP 1.2.
Any vendor who has been through SCAP certification knows how rigorous it is and how rewarding it is to deliver an SCAP validated solution to our customers. We are honored to work with government agencies that trust Tenable with their security needs. SecurityCenter provides you with the highest standard in continuous network monitoring and SCAP solutions.