Spotlight on Standards: Lessons Learned from SCAP

Author: Charles Schmidt
September 2019

Today's adversaries operate at computer speed and vulnerable systems can be compromised within seconds. At these speeds, it is not feasible to depend upon manual processes to assess security posture or correlate findings between security tools. Instead, enterprise defenders need immediate awareness of changes to endpoint posture, and security tools need to support automated collation of their findings in order to provide defenders with the relevant context necessary to take action as soon as action is needed.

In response to this need, the Security Content Automation Protocol (SCAP) was first published by NIST in 2011, the result of multiple years of development and community collaboration amongst users, commercial vendors, and the government. SCAP sets out guidance for the coordinated use of several "component standards" to work together to support automated posture evaluation of enterprise endpoints. Today, SCAP and its component standards are used as part of many organizations' cybersecurity strategies.

However, despite some success, SCAP continues to face numerous challenges. The US government is a major user of SCAP, but SCAP has received less adoption among commercial companies. Many commercial security vendors either have not adopted SCAP in their tools or support it in ways that hamper interoperability with other vendors' tools. Production of SCAP content also remains a major challenge, with gaps in coverage and long lag times between product release and availability of assessment content. At the same time, while generally more timely than earlier practices, SCAP assessments remain periodic and don't provide the real-time insight into enterprise security posture that today's security administrators need. For these and other reasons, the current version of SCAP has fallen short of its goal to provide a common framework that provides a broad and dynamic collection of content, support for real-time and open data sharing between tools, and comprehensive coverage of enterprise security assessment needs.

As work begins on SCAP's first major revision, SCAP v2, it is important that all participants in this effort understand what has worked and what has not, so that SCAP v2 can leverage the best parts of SCAP v1 while addressing the issues that have held it back. We believe that a committed community of participants can help expand and enhance SCAP v2 to provide real-time assessment of enterprise security posture to improve detection and enable defenders to react quickly when alerted to adversary activities. You are invited to be a part of this effort by joining the SCAP v2 community and sharing your insights to create a better framework for automating enterprise security. For more information, visit