SCAP Compliance

The Security Content Automation Protocol (SCAP) is a specification established by the U.S. National Institute of Standards and Technology (NIST) for expressing and manipulating security data in standardized ways. Currently, SCAP can enumerate product names and vulnerabilities (both software flaws and configuration issues); identify the presence of vulnerabilities; and assign severity scores to software flaw vulnerabilities.

The NIST SCAP Validation Program tests the ability of IT security products to use SCAP features and functionality. Independent NIST-accredited laboratories conduct the SCAP Validation Program tests and deliver the results to NIST. SAINT’s scanning solutions have been validated through this process, and the validation is published by NIST on the National Vulnerability Database (NVD) list of validated tools.

SAINT includes SCAP-supported FDCC, USGCB and DISA policies.

SAINT Support for SCAP

In 2011, SAINTscanner became the first product to receive validation by NIST for the U.S. Government Configuration Baseline (USGCB). SAINT is also validated under SCAP as an Authenticated Vulnerability and Patch Scanner, Unauthenticated Vulnerability Scanner, Federal Desktop Core Configuration (FDCC) Scanner, and Authenticated Configuration Scanner. SAINT also supports the new Cyberscope report format and offers a SAINT-specific Executive Report that shows system pass/fail results for selected configuration policies. Additionally, SAINT provides a Policy Editor that lets customers edit configuration policies and save the custom policy for local requirements. SAINT also supports the open standards languages, enumerations and metrics applicable to both ‘unauthenticated’ and ‘authenticated’ scanners, namely OVAL, XCCDF, CPE, CVE, CCE and CVSS, as described below. SAINT provides pre-defined analysis and reporting capabilities that include these enumerations and metrics, as well as over 150 customizable report features for user-defined reporting.

OVAL

Open Vulnerability and Assessment Language (OVAL®) is an international information security standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. SAINT supports the OVAL® Adoption Program as a Vulnerability Scanner, and provides the capabilities of both a Definition Evaluator and a System Characteristics Producer.

XCCDF

The Extensible Configuration Checklist Description Format (XCCDF) is a specification language, defined by NIST, for writing security checklists, benchmarks, and related types of documents. Security checklists (or benchmarks) can be downloaded from http://scap.nist.gov/content; these data streams can then be loaded into SAINT to run an XCCDF scan.

CPE

Common Platform Enumeration (CPE™) is a structured naming scheme for information technology systems, software, and packages.


CVE

Common Vulnerabilities and Exposures (CVE®) is a dictionary of publicly known information security vulnerabilities and other information security exposures.

CVSS

The Common Vulnerability Scoring System (CVSS) is an open, standardized framework for rating Information Technology vulnerabilities and for communicating the characteristics and impacts of IT vulnerabilities.

CCE

Common Configuration Enumeration (CCE™) provides unique identifiers for system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.