The National Institute of Standards and Technology (NIST) developed the Security Content Automation Protocol (SCAP) to assist government IT system administrators in configuring IT products, providing greater levels of security, and producing evidence of compliance with high-level requirements. SCAP enables an automated, standardized approach to maintaining the security of complex enterprise systems: implementing security configuration baselines, verifying the presence of patches, continuously monitoring system security configuration settings, examining systems for signs of compromise, and maintaining situational awareness, that is, being able to determine the security posture of systems and the organization at any given time.
The Navy's SPAWAR Systems Center developed the SCAP Compliance Checker (SCC) as a SCAP-validated tool for checking systems' adherence to the underlying SCAP specifications. SCC supports SCAP 1.0, 1.1, and 1.2. SCC parses requirements from SCAP content streams, which are composed of component specifications such as the Asset Reporting Format (ARF), the SCAP expression and checking languages, the Open Checklist Interactive Language (OCIL), and the Common Platform Enumeration (CPE) dictionary. It then surveys target systems for compliance with those requirements and produces detailed results in XML, HTML, and text formats. The reports allow system administrators to efficiently bring their systems into compliance. SCC performs XML schema validation on both input and output XML files. SCC also performs digital signature validation according to the SCAP trust model specification, verifying that the content was signed with a known and trusted digital certificate.
SCC supports additional tests not required by SCAP 1.2, and many operating systems not officially part of SCAP 1.2, including Solaris, Mac OS X, HP-UX, AIX, and Debian Linux.
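The XML results described above are what an administrator works from when bringing a system into compliance. The following is an added example, not SCC's own code, that reads a scan result in the XCCDF 1.2 TestResult format (the SCAP results language, assumed here to be what the scanner emits), lists the failed rules worth remediating first, and computes the XCCDF flat score; the sample result document is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace: the results format SCAP-validated scanners emit.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample TestResult for illustration; not real SCC output.
SAMPLE_RESULT = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo" end-time="2024-01-01T00:00:00">
    <rule-result idref="xccdf_example_rule_pw_min_len" severity="medium" weight="1.0">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_ssh_root_login" severity="high" weight="2.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_legacy_service" severity="low" weight="1.0">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_manual_review" severity="low" weight="1.0">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>"""

# Result values that the XCCDF flat scoring model leaves out of the score.
UNSCORED = {"notapplicable", "notchecked", "informational", "notselected"}

def parse_rule_results(xml_text):
    """Return (rule id, result, severity, weight) for every rule-result."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        rows.append((rr.get("idref"), result, rr.get("severity", "unknown"),
                     float(rr.get("weight", "1.0"))))
    return rows

def failed_rules(rows, severities=("high", "medium")):
    """Rule ids that failed at the severities an administrator remediates first."""
    return [rid for rid, res, sev, _ in rows if res == "fail" and sev in severities]

def flat_score(rows):
    """XCCDF flat model: weights of passed rules over weights of all scored rules."""
    score = sum(w for _, res, _, w in rows if res == "pass")
    maximum = sum(w for _, res, _, w in rows if res not in UNSCORED)
    return score, maximum
```

Rules reported as notapplicable or notchecked are excluded from the maximum, so a result with many unchecked rules should be read as incomplete rather than compliant.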
- Scalable to address the number and variety of systems to secure
- Performs compliance and vulnerability scanning
- Enables fast response to new threats
- Ensures FISMA compliance
- Code available for download
- Potential for collaboration with Navy researchers