SCAP — Security Content Automation Protocol



The Security Content Automation Protocol (SCAP) is a U.S. Government standard, maintained by NIST, for automating vulnerability management and for checking policy compliance against the security configurations mandated for personal computers used by federal agencies. Vulnerability scanners used by federal agencies must be validated for SCAP compliance.



About SCAP

SCAP incorporates six open standards (CVE, CCE, CPE, CVSS, XCCDF and OVAL) for finding security-related vulnerabilities and misconfigurations. It focuses on automating these checks, scoring the results, and prioritizing them by impact. The goal is to automatically check the security configuration status of an agency's installed base of personal computers against the NIST Special Publication 800-53 controls framework to ensure secure computing. That framework was created by the National Institute of Standards and Technology under the mandate of FISMA, the Federal Information Security Management Act.
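SCAP content is XML: an XCCDF benchmark carries the rules (each tied to an OVAL definition that performs the actual check, and to the SP 800-53 control it supports), and a scanner appends a TestResult holding one result per rule plus a score. The following Python, added here as an example and not code from Qualys, NIST or this page, parses a constructed XCCDF 1.2 document, recomputes the default-model score from the per-rule results, lists the 800-53 controls that have a failing rule, and flags rules the scanner never ran. The rule ids, target hostname and reference href are example.org placeholders; real FDCC content also carries CCE identifiers in ident elements, which are omitted here.

```python
"""Parse an XCCDF 1.2 result document and recompute its compliance score.

Added example, not Qualys or NIST code. The XML below is constructed: rule ids
and the SP 800-53 reference href live under example.org and are placeholders.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: three Rules plus the TestResult a SCAP-validated scanner
# appends after evaluating one target. Rule weights are deliberately unequal.
SAMPLE_XCCDF = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_desktop">
  <title>Example desktop baseline (constructed)</title>
  <Rule id="xccdf_org.example_rule_password_min_length" selected="true" weight="1.0" severity="medium">
    <title>Minimum password length is 14 characters</title>
    <reference href="https://example.org/sp800-53">IA-5</reference>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="example-oval.xml" name="oval:org.example:def:1"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_account_lockout" selected="true" weight="2.0" severity="high">
    <title>Account lockout threshold is set</title>
    <reference href="https://example.org/sp800-53">AC-7</reference>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="example-oval.xml" name="oval:org.example:def:2"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_audit_logon_events" selected="true" weight="1.0" severity="medium">
    <title>Logon events are audited</title>
    <reference href="https://example.org/sp800-53">AU-2</reference>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="example-oval.xml" name="oval:org.example:def:3"/></check>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_scan1" start-time="2008-02-01T09:00:00" end-time="2008-02-01T09:05:00">
    <target>ws01.example.org</target>
    <rule-result idref="xccdf_org.example_rule_password_min_length" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_account_lockout" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_audit_logon_events" severity="medium"><result>notchecked</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.0">33.33</score>
  </TestResult>
</Benchmark>
"""

# XCCDF 1.2 default scoring model: these results are left out of the score;
# pass scores 100 (fixed is treated as pass here), every other counted result 0.
EXCLUDED = {"notapplicable", "notchecked", "informational", "notselected"}
PASSING = {"pass", "fixed"}


def load_rules(root):
    """Map each Rule id to its weight, control references and OVAL definition."""
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        ref = rule.find("x:check/x:check-content-ref", NS)
        rules[rule.get("id")] = {
            "weight": float(rule.get("weight", "1.0")),
            "controls": [r.text for r in rule.findall("x:reference", NS)],
            "oval_def": ref.get("name") if ref is not None else None,
        }
    return rules


def rule_results(root):
    """Return (rule id, result) pairs from the first TestResult."""
    test_result = root.find("x:TestResult", NS)
    return [(rr.get("idref"), rr.findtext("x:result", namespaces=NS))
            for rr in test_result.findall("x:rule-result", NS)]


def default_score(rules, results):
    """Weighted mean of per-rule scores for a flat rule set (no Groups)."""
    weight_sum = score_sum = 0.0
    for rule_id, result in results:
        if result in EXCLUDED:
            continue
        weight = rules.get(rule_id, {}).get("weight", 1.0)
        weight_sum += weight
        score_sum += weight * (100.0 if result in PASSING else 0.0)
    return round(score_sum / weight_sum, 2) if weight_sum else 0.0


def failed_controls(rules, results):
    """SP 800-53 control labels (from <reference>) that have a failing rule."""
    failed = {}
    for rule_id, result in results:
        if result in {"fail", "error", "unknown"}:
            for control in rules[rule_id]["controls"]:
                failed.setdefault(control, []).append(rule_id)
    return failed


def evaluate(xml_text=SAMPLE_XCCDF):
    """Parse the document, recompute the score and cross-check the scanner's."""
    root = ET.fromstring(xml_text)
    rules = load_rules(root)
    results = rule_results(root)
    reported = float(root.findtext("x:TestResult/x:score", namespaces=NS))
    score = default_score(rules, results)
    return {
        "score": score,
        "score_matches_report": abs(score - reported) < 0.01,
        "failed_controls": failed_controls(rules, results),
        # notchecked rules drop out of the average, so a scan whose checks could
        # not run (e.g. authentication failed) can still score well; surface them.
        "unchecked": [rid for rid, res in results if res == "notchecked"],
    }
```

Recomputing the score instead of trusting the score element is the point of the cross-check: because notchecked rules are excluded from the average, a scan that could not log on to the target can report a clean-looking number while having evaluated almost nothing, so the unchecked list should be read as findings in its own right.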


SCAP plays a central role in the Federal Desktop Core Configuration (FDCC) initiative, which, since February 1, 2008, has mandated standard security configurations for agencies using, or planning upgrades to, the Microsoft Windows XP and Vista operating systems. The Office of Management and Budget issued this statement to federal Chief Information Officers on July 31, 2007: "Information technology providers must use SCAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations."



Why SCAP Matters to Your Organization

Threats to federal systems and critical cyber infrastructure come from nation states, terrorists, criminals, lone hackers, and mistakes by staff and contractors. A successful exploit that stopped vital government functions or critical services would be disastrous. If a federal agency fails to comply with SCAP, which falls under FISMA, it may be sanctioned with a budget cut. Contractors that exchange data with federal information systems must comply with FISMA-mandated initiatives such as SCAP or risk termination of their contract, and non-compliance may preclude them from bidding on future federal contracts.



How Qualys Solutions Help Meet SCAP Requirements

The QualysGuard Federal Desktop Core Configuration (FDCC) Scanner is the first certified cloud-based solution meeting SCAP requirements. The QualysGuard FDCC Scanner allows federal agencies to scan and report compliance with standardized desktop security configuration requirements using a centralized, integrated solution featuring the QualysGuard Software-as-a-Service (SaaS) architecture. The QualysGuard Scanner Appliances support FDCC scanning for internal systems on a global basis.


Certifications for QualysGuard include:

FDCC Scanner: audits and assesses a target system to determine its compliance with the FDCC requirements.

Authenticated Configuration Scanner: audits and assesses a target system to determine its compliance with a defined set of configuration requirements, using logon privileges on the target system.

Authenticated Vulnerability and Patch Scanner: scans a target system to locate and identify known vulnerabilities and evaluates its software patch status against a defined patch policy, using logon privileges on the target system.

Vulnerability Database: a catalog of security-related software flaws, labeled with CVE identifiers where applicable, together with general knowledge about each vulnerability independent of any particular environment.

Unauthenticated Vulnerability Scanner: determines the presence of known vulnerabilities by evaluating the target system over the network, without credentials.


Qualys solutions in the QualysGuard IT Security and Compliance Suite also enable immediate compliance with other key FISMA requirements by allowing subscribers to automatically discover and manage all devices and applications on the network, identify and remediate network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal and external FISMA policies.
