Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).
Resource Status
NVD contains:

Last updated: 4/17/2014

CVE Publication rate: 20.43

Email List

NVD provides four mailing lists to the public. For information and subscription instructions, please visit NVD Mailing Lists.

Workload Index
Vulnerability Workload Index: 8.88
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

Security Content Automation Protocol Validated Products

This webpage contains a list of products that have been validated by NIST as conforming to the Security Content Automation Protocol (SCAP) and its component standards. Click on the vendor or product name to see a full description of the product's validation information and status.

Please visit the SCAP validation program webpage for a description of the validation process and information on the SCAP capabilities referenced in the table below. For more information relating to SCAP please visit http://scap.nist.gov.

Support for U.S. Government Programs
Federal Desktop Core Configuration Initiative

The U.S. Office of Management and Budget has required, in the August 11, 2008, M-08-22 memorandum to Federal CIOs, that "Both industry and government information technology providers must use SCAP validated tools with FDCC Scanner capability to certify their products operate correctly with FDCC configurations and do not alter FDCC settings. Agencies will use SCAP tools to scan for both FDCC configurations and configuration deviations approved by department or agency accrediting authority. Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring."

Situational Awareness and Incident Response SmartBUY

The General Services Administration is requiring SCAP validation within blanket purchase agreements for vulnerability and configuration management products (Solicitation Number: Reference-Number-QTA0-08-HC-B-0003).


Security Content Automation Protocol (SCAP) 1.2 Validated Products
| Product Vendor | Product Name | SCAP 1.2 Validations | Tested Platforms | Validation Date |
|---|---|---|---|---|
| | CIS-CAT 3 | | Microsoft Windows 7 64 bit; Microsoft Windows 7 32 bit; Microsoft Windows Vista, SP2; Microsoft Windows XP Pro, SP3; Red Hat Enterprise Linux 5 Desktop, 64 bit; Red Hat Enterprise Linux 5, 32 bit | March 24, 2014 |
| | Tripwire Enterprise 8 | | Microsoft Windows 7 64 bit; Microsoft Windows 7 32 bit; Red Hat Enterprise Linux 5 Desktop, 64 bit; Red Hat Enterprise Linux 5, 32 bit | November 7, 2013 |




Security Content Automation Protocol (SCAP) 1.0 Validated Products
NOTE: All SCAP 1.0 Validated Products Expire December 31, 2013
Content Automation Protocol (SCAP) Validated Products
Product Vendor | Product Name | SCAP Validations
Security Analysis Solution
Security Configuration and Vulnerability Management Pack
BMC Automation Server
BMC BladeLogic Client Automation
CA IT Client Manager
IT Client Manager
Core IMPACT Professional
Dell KACE K1000 System Management Appliance
Frontline Vulnerability Manager
Retina
SecureVue
Greenbone Security Manager
SCAP Scanner
Tivoli Endpoint Manager for Security and Compliance
LANDesk Patch Manager 9.0 Extensions for Federal Desktops
LANDesk Security Suite 9.0 Extensions for Federal Desktops
Endpoint Management and Security Suite
PatchLink Security Configuration Manager for Scan
PatchLink Security Configuration Manager for Scan
Policy Auditor
Vulnerability Manager
System Center Configuration Manager Extensions for SCAP
Configuration Compliance Manager
IP 360
NetIQ Secure Configuration Manager
EventTracker Enterprise
QualysGuard FDCC Module
NeXpose
Nexpose
Vulnerability Scanner
Vulnerability Scanner
Shavlik Security Suite: Shavlik NetChk Configure (with SCAP Processor)
Shavlik Security Suite: Shavlik NetChk Protect (with SCAP Processor)
Shavlik Security Suite: Shavlik NetChk Protect (with SCAP Processor)
Enterprise Trust Server
SCAP Compliance Checker
Control Compliance Suite
Symantec Risk Automation Suite
Xacta IA Manager (Xacta HostInfo)
Xacta IA Manager Continuous Assessment
Security Center
CIS - Configuration Audit Tool
S-CAT
Secutor Magnus with ThreatView
Secutor Prime
Tripwire Enterprise
Resolution Manager
vCenter Protect Essentials Government Edition (with SCAP Processor)
VMware vCenter Configuration Manager

Laboratories Accredited to do SCAP Testing

The labs listed below have been accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP) to perform SCAP validation testing. Click on the lab name to see a full listing of the lab's accredited scopes.

NVLAP Accredited Independent SCAP Testing Laboratories
Laboratory Name | Accredited Testing Scopes
AEGISOLVE, Inc.
ATSEC
BAH
COACT
EWA - Canada
ICSA Labs
SAIC