Security Content Automation Protocol (SCAP) Compliance
SCAP compliant tools use open communication standards for interoperability to streamline security monitoring and reporting functions
What is SCAP?
The Security Content Automation Protocol (SCAP) is a method that uses open standards to organize and express security-related information. The National Institute of Standards and Technology (NIST), in accordance with the Federal Information Security Management Act (FISMA), issues guidance on security best practices. NIST selected SCAP as the standard for enumerating, communicating and reporting on vulnerabilities. Using SCAP-compliant tools enables security system interoperability, which paves the way for the automation of vulnerability management tasks such as:
- Checking for known vulnerabilities
- Gathering security measurements
- Verifying compliance with security policy and configuration settings
- Generating reports that link low-level settings to high-level requirements
SCAP-accredited tools, including SCAP scanners, are no longer optional. Products that do not have SCAP validation will not be approved for purchase. The Office of Management and Budget (OMB) stated in its memorandum to Federal CIOs that “Information Technology providers must use SCAP validated tools, as they become available” in order to be compliant. The General Services Administration (GSA) then introduced the SmartBUY program to prohibit procurement officers from authorizing purchases of scanners that are not SCAP compliant.
Who needs SCAP?
Information technology providers for Federal government agencies and government contractors that exchange data directly with government systems must use SCAP-validated products.
Penalties for non-compliance
Any government agency that does not meet FISMA compliance may be sanctioned by having their budgets cut. In the case of government subcontractors, they risk being terminated from existing contracts, and may become ineligible for bidding on future government contracts.
How Rapid7 Helps
Rapid7 has extensive experience partnering with federal departments and agencies, such as the U.S. Department of Energy, the United States Postal Service (USPS), the National Nuclear Security Administration (NNSA), and the National Telecommunications and Information Administration (NTIA), to help them meet their regulatory requirements. Rapid7 NeXpose is an SCAP-validated tool, which allows organizations to scan their systems against the specific security controls mandated by the OMB through NIST.
Rapid7 can help your organization achieve SCAP compliance because:
- NeXpose, the industry leader in vulnerability management, is an SCAP validated vulnerability management solution that provides SCAP capabilities required by NIST for Common Vulnerability Enumeration (CVE), Common Platform Enumeration (CPE), and the Common Vulnerability Scoring System (CVSS)
- NeXpose provides a centralized Web interface dashboard for monitoring the update frequency of SCAP components, as well as for viewing descriptions together with CVE identifiers (where available) of all instances of missing patches, software flaws, and vulnerabilities discovered on target systems
- NeXpose provides customizable scan settings for continuous, automatically generated, comprehensive mapping of all assets using safe checks, including networks, operating systems, Web applications, databases, enterprise applications, custom applications, servers, desktops and laptops, firewalls, routers, switches and hubs, so that threats from malicious attacks are managed in one unified solution
- NeXpose generates both executive summary reports for management and detailed remediation plan reports to automate audit requirements for FISMA compliance
- NeXpose implements the CVSS algorithm natively, computing the CVSS version 2 (CVSS v2) base score for every newly discovered vulnerability, while also allowing customized risk scoring based on severity level, ease of exploit, remote execution capability, credentialed access requirement, and other criteria. Vulnerabilities can therefore be quantified both by their CVSS rating and by an organization's own customized risk scoring tailored to its environment, which lets security administrators manage their risk exposure with the most granularity and precision available in our industry
- NeXpose provides standardized SCAP-compliant interoperability to enforce FISMA compliance by leveraging open communications and standardized identifiers, product names, and scoring to communicate outputs from multiple SCAP-validated tools (i.e. vulnerability scanners, configuration scanners & management tools, reporting tools, and remediation tools). This standardization creates a common standard for referencing issues, which enables security staff to provide consistent incident reporting for external entities such as US-CERT and law enforcement agencies
- NeXpose establishes ongoing security risk management as part of hardening your entire infrastructure against cyber attacks, reduces security risks, and protects valuable digital assets with unsurpassed coverage of your entire network by performing nearly 40,000 vulnerability checks for more than 12,000 vulnerability signatures against over 1,500 types of devices
Contact us to find out more about how Rapid7 can help you leverage open standards to build your ongoing security risk management practices using Rapid7 NeXpose as your SCAP-validated vulnerability management solution.
- Compliance guide: how Rapid7 helps you become FISMA compliant
- Press release: Rapid7 NeXpose Receives NIST SCAP Validation
"NeXpose not only provides system protection, but is instrumental in redirecting the resources of the City of Philadelphia to streamline the infrastructure of the IT department."
Michael King, CISO, City of Philadelphia