Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).
Resource Status
NVD contains:

Last updated: 5/30/2016 11:52:32 AM

CVE Publication rate: 19.97

Email List

NVD provides four mailing lists to the public. For information and subscription instructions, please visit NVD Mailing Lists.

Workload Index
Vulnerability Workload Index: 12.42
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

Security Content Automation Protocol Validated Products

This webpage contains a list of products that have been validated by NIST as conforming to the Security Content Automation Protocol (SCAP) and its component standards. Click on the vendor or product name to see a full description of the product's validation information and status.

Please visit the SCAP validation program webpage for a description of the validation process and information on the SCAP capabilities referenced in the table below. For more information relating to SCAP please visit http://scap.nist.gov.

Support for U.S. Government Programs
Federal Desktop Core Configuration Initiative

The U.S. Office of Management and Budget has required, in the August 11, 2008, M-08-22 memorandum to Federal CIOs, that "Both industry and government information technology providers must use SCAP validated tools with FDCC Scanner capability to certify their products operate correctly with FDCC configurations and do not alter FDCC settings. Agencies will use SCAP tools to scan for both FDCC configurations and configuration deviations approved by department or agency accrediting authority. Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring."

Situational Awareness and Incident Response SmartBUY

The General Services Administration is requiring SCAP validation within blanket purchase agreements for vulnerability and configuration management products (Solicitation Number: Reference-Number-QTA0-08-HC-B-0003).

Security Content Automation Protocol (SCAP) 1.2 Validated Products
Product Vendor | Product Name | SCAP 1.2 Validations | Tested Platforms | Validation Date
 | Nexpose 6 | | | May 9, 2016
 | SCAP Extensions for Microsoft System Center Configuration Manager 3.0 | | | August 28, 2015
 | SecurityCenter 5 | | | August 25, 2015
 | Secutor Prime 5 | | | April 21, 2015
 | Qualys SCAP Auditor 1.2 | | | February 26, 2015
 | SAINT Security Suite 8 | | | January 27, 2015
 | BMC Server Automation 8.6 | | | December 30, 2014
 | IBM Endpoint Manager 9 | | | October 24, 2014
 | BMC Client Management 12.0.0 | | | September 26, 2014
 | Policy Auditor 6.2 | | | September 17, 2014
 | OpenSCAP 1.0 | | | April 17, 2014
 | Configuration Assessment Tool (CIS-CAT) 3 | | | March 24, 2014
 | Tripwire Enterprise 8 | | | November 7, 2013

NOTE: All SCAP 1.0 Validated Products Expired December 31, 2013.

NVLAP Accredited Independent SCAP Testing Laboratories

The labs listed below have been accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP) to perform SCAP validation testing.

  • Acumen Security
  • Atsec
  • BAH Testing Lab
  • Electronic Warfare Associates (EWA) Canada
  • Leidos

To locate more information about a specific Laboratory:

1.  Navigate to the NVLAP Search page by going to https://www-s.nist.gov/niws/index.cfm?event=directory.search
2.  From the Program dropdown box select ITST: "Cryptographic and Security Testing"
3.  Click in the Area of Accreditation box to launch a search, and select "Security Content Automation Protocol Testing", then click the Search button
4.  Click on the Lab Code to view additional information about the lab, such as PoC, Phone, Email, etc.