What is SCAP?
Definition:
Security Content Automation Protocol (SCAP) is a method for using commonly accepted standards to enable automated vulnerability management and security policy compliance measurement (e.g. FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
SCAP allows security administrators to scan computers, software, and other devices based on a predetermined security baseline and determine if the configuration and software patches are implemented to the standard that they are being compared to.
SCAP consists of two main components:
1. SCAP Content
SCAP content modules are freely available content developed by the National Institute of Standards and Technology (NIST) and its industry partners. The content modules are made from "secure" configurations that are agreed upon by NIST and its SCAP partners. An example would be the Federal Desktop Core Configuration, which is a security-hardened configuration of Microsoft Windows. The content serves as the baseline against which SCAP scanning tools compare the systems being scanned.
2. SCAP Scanners
A SCAP scanner is a tool that compares a target computer or application's configuration and/or patch level against the SCAP content baseline. The tool will note any deviations and produce a report. Some SCAP scanners also have the ability to remediate the target computer and bring it into compliance with the standard baseline. There are many commercial and open-source SCAP scanners available, depending on the feature set that is desired. Some scanners are meant for enterprise-level scanning while others are meant for individual PC use.
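As an added illustration (not from the original page, and not real SCAP or XCCDF content), the following Python sketch shows what a scanner does with content: it evaluates a constructed baseline of rules against a host's observed settings, reports each deviation with a compliance score, and applies baseline values to remediate failures. The rule format, operators and sample values are assumptions made for the example.

```python
import operator

# Constructed baseline, loosely modelled on an XCCDF benchmark (not real SCAP
# content): each rule names a setting, a comparison, an expected value, severity.
BASELINE = [
    {"id": "pw-min-len", "setting": "password.min_length", "op": ">=", "expect": 12, "severity": "medium"},
    {"id": "fw-on", "setting": "firewall.enabled", "op": "==", "expect": True, "severity": "high"},
    {"id": "no-telnet", "setting": "services.enabled", "op": "excludes", "expect": "telnet", "severity": "high"},
    {"id": "ssl3-off", "setting": "tls.protocols", "op": "excludes", "expect": "SSLv3", "severity": "medium"},
]

# Comparison operators a rule may use; "excludes" models a list-membership check.
OPS = {"==": operator.eq, ">=": operator.ge,
       "excludes": lambda actual, item: item not in actual}

def evaluate(baseline, observed):
    """Compare observed settings to the baseline; one pass/fail result per rule."""
    results = []
    for rule in baseline:
        actual = observed.get(rule["setting"])
        # A setting the scanner could not read is a failure, never a silent pass.
        ok = actual is not None and OPS[rule["op"]](actual, rule["expect"])
        results.append({"id": rule["id"], "result": "pass" if ok else "fail",
                        "severity": rule["severity"], "actual": actual})
    return results

def score(results):
    """Percentage of rules passed, as scanner reports commonly summarise it."""
    passed = sum(r["result"] == "pass" for r in results)
    return round(100 * passed / len(results), 1) if results else 0.0

def remediate(baseline, observed, results):
    """Return a copy of the configuration with failed rules set to baseline values."""
    fixed = dict(observed)
    for rule, res in zip(baseline, results):
        if res["result"] == "fail" and rule["op"] == "excludes":
            fixed[rule["setting"]] = [v for v in fixed.get(rule["setting"], []) if v != rule["expect"]]
        elif res["result"] == "fail":
            fixed[rule["setting"]] = rule["expect"]
    return fixed

# Constructed snapshot of one target host, as a scanner would collect it.
OBSERVED = {"password.min_length": 8, "firewall.enabled": True,
            "services.enabled": ["ssh", "telnet"], "tls.protocols": ["TLSv1.2", "TLSv1.3"]}

if __name__ == "__main__":
    report = evaluate(BASELINE, OBSERVED)
    for r in report:
        print(f"{r['id']:<11} {r['result']:<4} severity={r['severity']} observed={r['actual']}")
    print(f"compliance: {score(report)}%  after remediation: {score(evaluate(BASELINE, remediate(BASELINE, OBSERVED, report)))}%")
```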