The Technical Specification for the Security Content Automation Protocol (SCAP)

Security products and checklist authors assemble content from SCAP data repositories to create viable SCAP-expressed security guidance. A security configuration checklist that documents desired security configuration settings, installed patches, and other system security elements using a standardized SCAP format is known as an SCAP-expressed checklist.

Such a checklist would use XCCDF to describe the checklist, CCE to identify security configuration settings to be addressed or assessed, and CPE to identify platforms for which the checklist is valid.

The use of CCE and CPE entries within XCCDF checklists is an example of an SCAP convention—a requirement for valid SCAP usage.

These conventions are considered part of the definition of SCAP 1.1. Organizations producing SCAP content should adhere to these conventions to ensure the highest degree of interoperability. NIST provides an SCAP Content Validation Tool that organizations can use to help validate the correctness of their SCAP content.

The tool checks that SCAP content is well-formed, all cross references are valid, and required values are appropriately set.


SCAP content can be used to scan operating systems and applications to look for known software flaws that introduce security exposures. The content enables consistent detection and reporting of these flaws.
The SCAP source data stream component that MUST be included for vulnerability scanning is the XCCDF Benchmark, which expresses the checklist of the flaws to be checked for.
Each rule in the XCCDF Benchmark SHALL reference one of the following:
  • An OVAL vulnerability definition. This definition SHALL be contained in an OVAL Vulnerability component, which holds the definitions of the vulnerability checks used by the checklist. The OVAL Vulnerability component SHALL have at least one OVAL definition of class vulnerability, MAY have one or more additional OVAL definitions of classes vulnerability and/or inventory, and SHALL NOT have any other classes of OVAL definitions. An XCCDF Benchmark's rules MAY reference one or more OVAL vulnerability definitions in an OVAL Vulnerability component.
  • An OCIL questionnaire. This questionnaire SHALL be contained in an OCIL Questionnaire component, which holds the questionnaires that collect information that OVAL is not being used to collect, such as giving a system administrator step-by-step directions for manually examining a system for a vulnerability that cannot be detected with OVAL, and then collecting information on the results of that manual examination. An XCCDF Benchmark's rules MAY reference one or more OCIL questionnaires in an OCIL Questionnaire component.
  • An OVAL Patch component. The OVAL Patch component holds definitions for patch compliance checks. These checks may be needed if an organization includes patch verification in its vulnerability scanning activities. The OVAL Patch component SHALL have at least one OVAL definition of class patch, MAY have one or more additional OVAL definitions of classes compliance and/or inventory, and SHALL NOT have any other classes of OVAL definitions. An XCCDF Benchmark MAY reference an OVAL Patch component through a patches up-to-date rule in a manner consistent with Section
Each XCCDF Benchmark SHALL have at least one rule that references either an OVAL vulnerability definition in the OVAL Vulnerability component or an OCIL questionnaire in the OCIL Questionnaire component.
All OVAL Vulnerability, OCIL Questionnaire, and OVAL Patch components referenced by the XCCDF Benchmark SHALL be included in the SCAP source data stream.
If the XCCDF Benchmark component references any CPE names, then the SCAP source data stream MUST include the following components, in addition to those already mentioned:
  • CPE Dictionary: specifies the products or platforms of interest.
  • CPE Inventory: contains the technical procedures for determining whether or not a specific target asset has a product or platform of interest. The CPE Inventory component SHALL have one or more OVAL definitions of class inventory and SHALL NOT have any other classes of OVAL definitions.
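
The definition-class rules above can be checked mechanically before content is published. The following is an added example, not code from the specification or from the NIST validation tool; the component labels ("vulnerability", "patch", "cpe-inventory"), the function name, and the sample OVAL document are assumptions made for illustration, and the permitted classes are taken as worded in the list above.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"

# Hypothetical component label -> (class that must appear at least once,
# set of all classes the component may contain), per the text above.
RULES = {
    "vulnerability": ("vulnerability", {"vulnerability", "inventory"}),
    "patch": ("patch", {"patch", "compliance", "inventory"}),
    "cpe-inventory": ("inventory", {"inventory"}),
}

def check_component(kind, oval_xml):
    """Return a list of violations for one OVAL component; empty means it conforms."""
    required, allowed = RULES[kind]
    # For content from an untrusted source, parse with a hardened XML
    # library such as defusedxml instead of the stdlib parser.
    root = ET.fromstring(oval_xml)
    classes = {d.get("id"): d.get("class")
               for d in root.iter(OVAL_NS + "definition")}
    problems = []
    if required not in classes.values():
        problems.append(f"no definition of class '{required}'")
    for def_id, cls in classes.items():
        if cls not in allowed:
            problems.append(f"{def_id}: class '{cls}' not permitted")
    return problems

# Constructed sample: one vulnerability, one inventory and one compliance
# definition. The ids are made up for this example.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example.test:def:1" version="1" class="vulnerability"/>
    <definition id="oval:example.test:def:2" version="1" class="inventory"/>
    <definition id="oval:example.test:def:3" version="1" class="compliance"/>
  </definitions>
</oval_definitions>"""

if __name__ == "__main__":
    for kind in RULES:
        print(kind, check_component(kind, SAMPLE))
```

Run against the sample, the compliance definition is rejected in a Vulnerability component, and the same file fails as an OVAL Patch or CPE Inventory component for different reasons.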