The National Institute of Standards and Technology (NIST) has issued for public comment a draft publication describing a new method to automate the task of verifying computer security settings. Known as the Security Content Automation Protocol (SCAP), the specification has recently been incorporated into software scanners for checking security settings in federal computers.
The new publication provides an overview of SCAP, discusses programs for ensuring that products implement SCAP properly and recommends how federal agencies and other organizations can use SCAP effectively.
“You can do a lot of things with SCAP,” said NIST computer scientist Matthew Barrett, the publication’s lead author. “An organization can express vulnerability assessment instructions in a machine-readable format, and SCAP-validated tools can use that information to automate many computer security activities.”