The Security Content Automation Protocol (SCAP), pronounced "S Cap," provides a method to use specific existing standards to enable automated vulnerability management, measurement, and policy compliance evaluation.
SCAP is a suite of selected open standards that together provide a consistent method to scan computer systems and automatically identify, measure, and evaluate potential security issues. SCAP enumerates software vulnerabilities, security-related configuration issues, and product names on computer systems. SCAP also provides mechanisms to measure and rank (score) scan results to evaluate the impact of any discovered security issues. For more information, visit the SCAP page of the National Institute of Standards and Technology (NIST) Web site at http://nvd.nist.gov/scap.cfm.
The Federal Desktop Core Configuration (FDCC) is a security configuration standard mandated by the U.S. Office of Management and Budget (OMB). The FDCC standard currently exists for Windows Vista® and Windows® XP operating systems. Although it was not yet named the "Federal Desktop Core Configuration" at its inception, the FDCC was originally called for in a March 22, 2007 memorandum that the OMB issued to all Federal agencies and department heads, together with a corresponding memorandum that the OMB issued to all Federal agency and department Chief Information Officers (CIOs). For more information, visit the NIST FDCC page at http://nvd.nist.gov/fdcc/.
Desired Configuration Management (DCM) is a feature in Microsoft® System Center Configuration Manager 2007 SP2. The DCM feature provides a set of tools and resources to assess and track the configuration compliance state of client and server computers in the enterprise.
The System Center Configuration Manager Extensions for SCAP make it possible to use the desired configuration management (DCM) feature in Microsoft System Center Configuration Manager 2007 SP2 for scanning computers to document their compliance with the Federal Desktop Core Configuration (FDCC) mandate. The extensions enable Configuration Manager 2007 SP2 to consume Security Content Automation Protocol (SCAP) data streams, assess systems for compliance, and generate report results in SCAP format by taking advantage of the compliance checking capabilities that are inherent in the DCM feature. Organizations can exploit their existing Configuration Manager 2007 SP2 infrastructure to ensure that the computers they manage meet the compliance requirements and generate the requisite FDCC reports for NIST and the OMB.
Download the System Center Configuration Manager Extensions for SCAP from Microsoft.com/fdcc.
The following operating systems and software support the extensions:
To install, configure, and run the System Center Configuration Manager Extensions for SCAP, you need a computer with the following software:
In addition to the computer running the System Center Configuration Manager Extensions for SCAP, you will also need the following:
The computers that you want to assess for SCAP compliance need the following software:
For procedural information about how to configure your database connection information, see the section "Configure the System Center Configuration Manager Extensions for SCAP" in the System Center Configuration Manager Extensions for SCAP User Guide.
Send any feedback or support questions you might have to System Center Configuration Manager Extensions for SCAP Feedback.
Yes. Microsoft has obtained validation from NIST for a SCAP validated tool with FDCC Scanner capability.
Yes. The System Center Configuration Manager Extensions for SCAP can achieve a 100 percent conversion rate for FDCC SCAP data stream files. The conversion rates calculated by the extensions include dropped definitions, but do not include skipped definitions.