The Security Content Automation Protocol (SCAP) provides a standardized way to support automation of cybersecurity assessment activities. First published in 2011, the SCAP standards have seen significant adoption and use. However, time has also revealed numerous gaps and weaknesses in the SCAP 1.0 standards. This talk reviews lessons learned from almost 10 years of experience with the SCAP standards and briefly introduces a vision for the next generation of SCAP: SCAP 2.0.
The Security Content Automation Protocol (SCAP) is a set of standards that support automation of cybersecurity assessment activities. SCAP identifies a number of individual standards that focus on specific cybersecurity challenges and provides guidance on how these standards work together to support numerous operational use cases. SCAP 1.0 was published in April of 2011, with the most recent update (SCAP 1.3) published in February 2018.
SCAP has been, overall, a very successful effort, with dozens of compliant tools and many large organizations using SCAP as a central piece of their cybersecurity strategy. However, time has revealed a number of gaps and weaknesses in SCAP. Issues of complexity, lack of desired interoperability, and difficulty in maintaining content have repeatedly cropped up. This talk looks at the current (1.3) SCAP standards and makes some observations about what has worked and what has proved problematic. It concludes with a brief introduction to SCAP 2.0, a new revision of the SCAP framework proposed by NIST that is intended to continue the success of the SCAP program while addressing many of the weaknesses that have been seen in earlier SCAP specifications.
Key objectives: