The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including, for example, FISMA (Federal Information Security Management Act, 2002) compliance.
SCAP Compliance Checker: The SCAP Compliance Checker is an automated compliance scanning tool that leverages the DISA Security Technical Implementation Guides (STIGs) and operating system (OS)-specific baselines to analyze and report on the security configuration of an information system. The tool can be run locally on the host system to be scanned, or scans can be conducted across a network from any machine on the domain.
In either scanning environment, the following requirement applies: The user conducting the scan must have administrative privileges on the machine to be scanned. If the machine to be scanned is not hosting the tool, domain-level administrative privileges (or individual local administrator accounts) are required to remotely scan other systems on the network.
STIGs vs SCAP: What’s the Difference?
As for STIGs, look upon them as guidelines on what to do for a particular system to harden it against attacks and reduce its vulnerability footprint. Using STIG Viewer, a user can look up the latest guidance for a particular system, software package, etc. and use that information to make modifications manually, e.g. confirm that the latest version of TLS is being used.
As for SCAP, it is essentially a way of automating STIG checks. It is a protocol for programmatically checking systems for known vulnerabilities and configurations that may open them to attack.
In simpler terms, a STIG is specific implementation guidance to follow when hardening a piece of technology. STIGs are specific to the system, operating system, software, or function being hardened. SCAP is the protocol a scanner uses to check a system against a STIG as the benchmark, producing a pass/fail result for each rule.
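To make the STIG-as-benchmark idea concrete, here is an added example (not code from the original page or from any scanner vendor) that reads the kind of XCCDF TestResult a SCAP scanner emits after evaluating a STIG profile, lists the failing rules worst-severity first, and computes a compliance ratio. The sample result and its rule ids are constructed placeholders; XCCDF itself is the real SCAP checklist/result language.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace (the checklist/result language bundled in SCAP).
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: a trimmed XCCDF TestResult of the kind a SCAP scanner
# emits after evaluating a STIG benchmark profile. Rule ids are placeholders.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example_testresult_1">
  <rule-result idref="xccdf_example_rule_tls_version" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_password_length" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_smartcard" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>"""

def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) tuples from an XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.findall("x:rule-result", NS):
        res = rr.find("x:result", NS)
        outcome = res.text.strip() if res is not None and res.text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), outcome))
    return rows

def failing_rules(rows):
    """Failing rule ids ordered high > medium > low, for remediation triage."""
    rank = {"high": 0, "medium": 1, "low": 2}
    fails = [(sev, rid) for rid, sev, outcome in rows if outcome == "fail"]
    return [rid for sev, rid in sorted(fails, key=lambda t: rank.get(t[0], 99))]

def compliance_ratio(rows):
    """Share of applicable rules that passed (notapplicable rules excluded)."""
    applicable = [r for r in rows if r[2] in ("pass", "fail")]
    if not applicable:
        return 0.0
    return sum(r[2] == "pass" for r in applicable) / len(applicable)

if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULT)
    print("failing (worst first):", failing_rules(rows))
    print(f"compliance: {compliance_ratio(rows):.0%}")
```

Pointing `parse_rule_results` at a real scanner's results file gives the same triage list; the severity attribute on each rule-result is what lets a ConMon process prioritise remediation.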
100+ NIST 800-53 Templates Available for Download for Cleared Industry
The solution for cleared industry is the Arlington Security Portal (ASP), an online repository of world-class, industry leading security and privacy policies & procedures, programs, plans – and other highly essential documents & templates developed specifically on NIST SP 800-53, Revision 5.
From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS
With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:
- Scoping & Gap (i.e., Readiness) Assessments
- Remediation Services (Policy and Procedures writing)
- Remediation Services (Technical and Operational)
- System Security Plan (SSP) Development
- Completion of eMASS Export Control Spreadsheets
- Continuous Monitoring (ConMon) Services
We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at arlingtonintel.com.