Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).
Resource Status
NVD contains:

Last updated: 3/27/2015 6:11:40 AM

CVE Publication rate: 14.27

Email List

NVD provides four mailing lists to the public. For information and subscription instructions, please visit NVD Mailing Lists.

Workload Index
Vulnerability Workload Index: 6.57
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

Security Content Automation Protocol Validated Products

This webpage contains a list of products that have been validated by NIST as conforming to the Security Content Automation Protocol (SCAP) and its component standards. Click on the vendor or product name to see a full description of the product's validation information and status.

Please visit the SCAP validation program webpage for a description of the validation process and information on the SCAP capabilities referenced in the table below. For more information relating to SCAP please visit http://scap.nist.gov.

Support for U.S. Government Programs
Federal Desktop Core Configuration Initiative

The U.S. Office of Management and Budget has required, in the August 11, 2008, M-08-22 memorandum to Federal CIOs, that "Both industry and government information technology providers must use SCAP validated tools with FDCC Scanner capability to certify their products operate correctly with FDCC configurations and do not alter FDCC settings. Agencies will use SCAP tools to scan for both FDCC configurations and configuration deviations approved by department or agency accrediting authority. Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring."

Situational Awareness and Incident Response SmartBUY

The General Services Administration is requiring SCAP validation within blanket purchase agreements for vulnerability and configuration management products (Solicitation Number: Reference-Number-QTA0-08-HC-B-0003).

Security Content Automation Protocol (SCAP) 1.2 Validated Products
Product Vendor Product Name SCAP 1.2 Validations Tested Platforms Validation Date
Qualys SCAP Auditor 1.2 February 26, 2015
SAINT Security Suite 8 January 27, 2015
BMC Server Automation 8.6 December 30, 2014
IBM Endpoint Manager 9 October 24, 2014
BMC Client Management 12.0.0 September 26, 2014
Policy Auditor 6.2 September 17, 2014
OpenSCAP 1.0 April 17, 2014
Configuration Assessment Tool (CIS-CAT) 3 March 24, 2014
Tripwire Enterprise 8 November 7, 2013

NOTE: All SCAP 1.0 Validated Products Expired December 31, 2013.

Laboratories Accredited to do SCAP Testing

The labs listed below have been accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP) to perform SCAP validation testing. Click on the lab name to see a full listing of the lab's accredited scopes.

NVLAP Accredited Independent SCAP Testing Laboratories
Laboratory Name Accredited Testing Scopes
Booz Allen Hamilton
EWA - Canada