SCAP — Security Content Automation Protocol
The Security Content Automation Protocol (SCAP) is a U.S. Government standard for automating vulnerability management and policy compliance with mandated security configurations for personal computers used by federal agencies. Vulnerability scanners used by federal agencies must be validated for SCAP compliance.
About SCAP
SCAP incorporates six open standards for finding vulnerabilities and misconfigurations related to security. It focuses on automating these processes, scoring results, and prioritizing their impact. The goal is to automatically check the security configuration status of an agency's installed base of personal computers against the NIST Special Publication 800-53 controls framework to ensure secure computing. This framework was created by the National Institute of Standards and Technology under mandate of FISMA — the Federal Information Security and Management Act.
SCAP plays a central role in the Federal Desktop Core Configuration (FDCC) Initiative, which, since February 1, 2008, has mandated standard security configurations for agencies using, or planning upgrades to, Microsoft Windows XP and Vista operating systems. The Office of Management and Budget issued this statement to federal Chief Information Officers on July 31, 2007: "Information technology providers must use SCAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations."
Why SCAP Matters to Your Organization
Threats to federal systems and critical cyber infrastructure come from sovereign states, terrorists, criminals, lone hackers, and mistakes committed by staff and contractors. A successful exploit would be disastrous if it stopped vital functions of government and critical services. If a federal agency fails to comply with SCAP, which falls under FISMA, it may be sanctioned via a budget cut. Contractors that exchange data with federal information systems must comply with FISMA-mandated initiatives such as SCAP or risk termination from a contract. Non-compliance may preclude contractors from bidding on future federal contracts.
How Qualys Solutions Help Meet SCAP Requirements
The QualysGuard Federal Desktop Core Configuration (FDCC) Scanner is the first certified cloud-based solution meeting SCAP requirements. The QualysGuard FDCC Scanner allows federal agencies to scan and report compliance with standardized desktop security configuration requirements using a centralized, integrated solution featuring the QualysGuard Software-as-a-Service (SaaS) architecture. The QualysGuard Scanner Appliances support FDCC scanning for internal systems on a global basis.
Certifications for QualysGuard include:

| Certification | Description |
|---|---|
| FDCC Scanner | Audit and assess a target system to determine its compliance with the FDCC requirements. Audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges. Scan a target system to locate and identify the presence of known vulnerabilities and evaluate the software patch status to determine compliance with a defined patch policy using target system logon privileges. |
| Vulnerability Database | Contains a catalog of security-related software flaw issues labeled with CVEs where applicable. Also presents general knowledge about vulnerabilities independent of a particular environment. Determines the presence of known vulnerabilities by evaluating the target system over the network. |
Qualys solutions in the QualysGuard IT Security and Compliance Suite also enable immediate compliance with other key FISMA requirements by allowing subscribers to automatically discover and manage all devices and applications on the network, identify and remediate network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal and external FISMA policies.