National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Security Content Automation Protocol Validated Products and Modules

This webpage contains a list of products and modules that have been validated by NIST as conforming to the Security Content Automation Protocol (SCAP) and its component standards. SCAP validated products and modules have completed formal testing at an NVLAP accredited laboratory and meet all requirements as defined in NIST IR 7511. A module is defined as a software component that may be embedded in another product. If an SCAP module is a component of another product, contact the module vendor to identify products that integrate the SCAP validated module.

Follow the links from the table below to see a full description of the products validation information, tested platforms, and status. Please visit the SCAP validation program and the SCAP Validation FAQ webpages for a description of the validation process and information about SCAP capabilities, validated products and modules. For more information related to SCAP, please visit https://scap.nist.gov

Please visit the SCAP validation program webpage for a description of the validation process and information on the SCAP capabilities referenced in the table below. For more information relating to SCAP please visit https://scap.nist.gov.

Support for U.S. Government Programs

The U.S. Office of Management and Budget has required, in the August 11, 2008, M-08-22 memorandum to Federal CIOs, that "Both industry and government information technology providers must use SCAP validated tools with FDCC Scanner capability to certify their products operate correctly with FDCC configurations and do not alter FDCC settings. Agencies will use SCAP tools to scan for both FDCC configurations and configuration deviations approved by department or agency accrediting authority. Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring."

The General Services Administration is requiring SCAP validation within blanket purchase agreements for vulnerability and configuration management products (Solicitation Number: Reference-Number-QTA0-08-HC-B-0003).

Only products listed on this page hold current SCAP validations that were awarded after passing rigorous test requirements introduced with the SCAP 1.2 program.

Security Content Automation Protocol (SCAP) 1.2 Validated Products

Product Vendor Product Name SCAP 1.2 Validation Validation Date
Rapid7

Nexpose 6

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

03/29/2017
Red Hat®, Inc.

OpenSCAP 1

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

02/22/2017
ThreatGuard

Secutor Compliance Automation Toolkit (S-CAT) 5

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Module Validation

View Tested Platforms

12/13/2016
SPAWAR Systems Center Atlantic

SCAP Compliance Checker 4

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

08/26/2016
IBM

IBM BigFix Compliance 9.2

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

06/09/2016
Rapid7

Nexpose 6

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

05/09/2016
Microsoft Corporation

SCAP Extensions for Microsoft System Center Configuration Manager 3.0

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

09/28/2015
Tenable

SecurityCenter 5

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

08/25/2015
ThreatGuard

Secutor Prime 5

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

04/21/2015
Qualys

Qualys SCAP Auditor 1.2

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

02/26/2015
SAINT Corporation

SAINT Security Suite 8

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

01/27/2015
BMC Software

BMC Server Automation 8.6

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

12/30/2014
IBM

IBM Endpoint Manager 9

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

10/24/2014
BMC Software

BMC Client Management 12.0.0

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

09/26/2014
McAfee

Policy Auditor 6.2

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

09/17/2014
Red Hat®, Inc.

OpenSCAP 1.0

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

04/17/2014
Center for Internet Security

CIS-CAT Pro Assessor (formerly Configuration Assessment Tool (CIS-CAT)) 3

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

03/24/2014
Tripwire

Tripwire Enterprise 8

Validation Record

Vendor Product

SCAP Capabilities:
ACS
CVE
OCIL

Product Validation

View Tested Platforms

11/07/2013

NOTE: All SCAP 1.0 Validated Products Expired December 31, 2013.

Laboratories Accredited to do SCAP Testing

The labs listed below have been accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP) to perform SCAP validation testing.

  • Acumen Security
  • AEGISOLVE
  • Atsec
  • BAH Testing Lab
  • COACT
  • Electronic Warfare Associates (EWA) Canada
  • Leidos

To locate more information about a specific Laboratory:

  1. Navigate to the NVLAP Serach page by going to https://www-s.nist.gov/niws/index.cfm?event=directory.search
  2. From the Program dropdown box select ITST: "Cryptographic and Security Testing"
  3. Click in the Area of Accreditation box to launch a search, and select "Security Content Automation Protocol Testing", then click the Search button
  4. Click on the Lab Code to view additional information about the lab, such as PoC, Phone, Email, etc.