What is “SCAP”, as mentioned in the OMB memo?
The Security Content Automation Protocol (SCAP) is a suite of open standards that provide technical specifications for expressing and exchanging security-related data. This data can be used for several purposes, including automating vulnerability checking, technical control compliance activities, and security measurement. The federal government, in cooperation with academia and private industry, uses and encourages widespread support for the SCAP.

The SCAP is comprised of the following standards:

- Common Vulnerabilities and Exposures (CVE®)
- Common Configuration Enumeration (CCE™)
- Common Platform Enumeration (CPE™)
- Common Vulnerability Scoring System (CVSS)
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL™)

The SCAP is one component of a larger program, the Information Security Automation Program (ISAP). The ISAP seeks to automate the implementation and verification of information system security controls.

Objective