Rel 8) has over 266 line items. To help expedite the evaluation of the product in
question, the Department of the Navy (DoN) Space and Naval Warfare Systems Command
(SPAWAR) created an application called the Security Content Automation Protocol
(SCAP) Compliance Checker (SCC). SCC reads STIG content and automates the
vulnerability management, measurement and policy-compliance checking of the
systems in an organization.
SCAP is used to apply a common set of security configuration standards to
organizations whose existing controls are missing or weak. A scanner that
consumes SCAP content, such as SCC, compares each system against the standard
and generates a report of any deviations.
Issued by the National Institute of Standards and Technology (NIST), SCAP is a
suite of open security standards developed with community participation. It is
a methodology used to evaluate the vulnerability management, measurement, and
policy-compliance capabilities of security software solutions. SCAP validation
assures an organization that the security solution it has invested in meets the
standards of NIST and FISMA. In particular, an SCAP-validated security solution
complies with the reporting requirements of NIST and FISMA, and exports
validated data in a standardized XML format. 4
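The XML that an SCAP-validated scanner exports is an XCCDF result document: each rule the scanner checked is recorded as a rule-result with an outcome such as pass or fail. As an added example (not SCC's, NIST's, or this paper's own code), the following Python script parses a constructed XCCDF 1.2 result document, tallies the outcomes, and lists the deviations that need action, highest severity first. The rule identifiers, titles, host name and results are made up for illustration; the namespace and element names are those of the XCCDF 1.2 specification.

```python
"""Summarize deviations from an XCCDF 1.2 result file, the XML an SCAP
scanner such as SCC exports.

Added example, not SCC's or NIST's code. The sample document, rule IDs,
titles, host name and outcomes below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Outcomes a reviewer must act on. "pass", "notapplicable", "notselected",
# "notchecked", "informational" and "fixed" are not deviations.
DEVIATION_RESULTS = {"fail", "error", "unknown"}

# Ordering used to list the worst findings first.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample: five rules and one TestResult for one host.
SAMPLE_XCCDF_RESULT = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_pw_min_len" severity="medium">
    <title>Minimum password length must be 15 characters</title>
  </Rule>
  <Rule id="xccdf_example_rule_telnet_disabled" severity="high">
    <title>The telnet service must not be enabled</title>
  </Rule>
  <Rule id="xccdf_example_rule_bt_disabled" severity="low">
    <title>Bluetooth must be disabled</title>
  </Rule>
  <Rule id="xccdf_example_rule_audit_enabled" severity="high">
    <title>Audit logging must be enabled</title>
  </Rule>
  <Rule id="xccdf_example_rule_pw_lockout" severity="medium">
    <title>Accounts must lock after three failed logons</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_demo" start-time="2024-01-01T00:00:00" end-time="2024-01-01T00:01:00">
    <target>host01.example.local</target>
    <rule-result idref="xccdf_example_rule_pw_min_len" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_telnet_disabled" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_bt_disabled" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="high"><result>error</result></rule-result>
    <rule-result idref="xccdf_example_rule_pw_lockout" severity="medium"><result>pass</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">60.0</score>
  </TestResult>
</Benchmark>
"""


def rule_titles(root):
    """Map every Rule id in the benchmark to its title (nested Groups included)."""
    titles = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        title = rule.find("x:title", NS)
        titles[rule.get("id")] = title.text.strip() if title is not None and title.text else ""
    return titles


def _outcome(rule_result):
    """Text of the <result> child, or 'unknown' if it is missing or empty."""
    result = rule_result.find("x:result", NS)
    return result.text.strip() if result is not None and result.text else "unknown"


def _test_result(xml_text):
    root = ET.fromstring(xml_text)
    test_result = root.find("x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element: not an XCCDF result file")
    return root, test_result


def result_counts(xml_text):
    """Count rule-result outcomes (pass, fail, error, ...) in the first TestResult."""
    _, test_result = _test_result(xml_text)
    counts = Counter(_outcome(rr) for rr in test_result.findall("x:rule-result", NS))
    return dict(counts)


def deviations(xml_text):
    """Return (severity, rule_id, title, outcome) for every rule needing action,
    highest severity first, then by rule id."""
    root, test_result = _test_result(xml_text)
    titles = rule_titles(root)
    found = []
    for rr in test_result.findall("x:rule-result", NS):
        outcome = _outcome(rr)
        if outcome in DEVIATION_RESULTS:
            rule_id = rr.get("idref", "")
            severity = rr.get("severity", "unknown")
            found.append((severity, rule_id, titles.get(rule_id, ""), outcome))
    found.sort(key=lambda d: (SEVERITY_ORDER.get(d[0], 99), d[1]))
    return found


if __name__ == "__main__":
    print("Outcomes:", result_counts(SAMPLE_XCCDF_RESULT))
    for sev, rule_id, title, outcome in deviations(SAMPLE_XCCDF_RESULT):
        print(f"[{sev:6}] {outcome:5} {rule_id}: {title}")
```

Note that "error" is treated as a deviation rather than ignored: a check that could not run tells you nothing about the host's state, and silently dropping it would make the report look better than the evidence supports.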
One issue with SCC is its availability to the general public. As noted above,
SCC is a product of the Department of the Navy Space and Naval Warfare Systems
Command, and as such its full capability and ease of use has been reserved for
government use. The public release of the product is less polished, but it
provides the same level of functionality.
An alternative vulnerability scanning tool readily available to the public is
Nessus, a security scanner created by Tenable Network Security. It comes in a
Home Use version as well as an enterprise-grade (Professional) version. The Home
Use version is free and, for the most part, sufficient for a small office.
Nessus uses scan policies to check hosts and raises an alert when it finds a
weakness an attacker could use to gain access (a weak or default password, for
example). Common compliance regulations and guides, such as the following, can
be loaded as a template that the scanner references to identify security
deficiencies in systems (servers, PCs, laptops, network and networking
equipment) 12: