Guide to Adopting and Using the Security Content Automation Protocol (SCAP) (Draft): Recommendations of the National Institute of Standards and Technology [open pdf - 158KB]
"Managing the security of systems throughout an enterprise is challenging for several reasons. Most organizations have many systems to patch and configure securely, with numerous pieces of software (operating systems and applications) to be secured on each system. This is extremely time-consuming and error-prone because there has been no standardized, automated way of securing software. Organizations also need to periodically verify the security of each system, which is also much more difficult to do without standardized, automated checking tools. [...]. Organizations need a comprehensive, standardized approach to overcoming these challenges, and the Security Content Automation Protocol (SCAP) has been developed to help provide such an approach. SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues. SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise. This document defines SCAP and the component specifications that comprise it. It describes common uses of SCAP and makes recommendations for SCAP users. The document also provides insights to IT product and service vendors about adopting SCAP in their offerings. SCAP does not replace existing security software; rather, support for it can be embedded into existing software."
Special Publication 800-117 (Draft)
Government Printing Office, Catalog of the U.S. Government Publications: http://catalog.gpo.gov/