System Center Configuration Manager Extensions for SCAP Frequently Asked Questions

What is SCAP?

The Security Content Automation Protocol (SCAP), pronounced "S Cap," provides a method to use specific existing standards to enable automated vulnerability management, measurement, and policy compliance evaluation.

SCAP is a suite of selected open standards that together provide a consistent method to scan computer systems and automatically identify, measure, and evaluate potential security issues. SCAP enumerates software vulnerabilities, security-related configuration issues, and product names on computer systems. SCAP also provides mechanisms to measure and rank (score) scan results to evaluate the impact of any discovered security issues. For more information, visit the SCAP page of the National Institute of Standards and Technology (NIST) Web site at http://nvd.nist.gov/scap.cfm.

What is FDCC?

The Federal Desktop Core Configuration (FDCC) is a security configuration standard mandated by the U.S. Office of Management and Budget (OMB). The FDCC standard currently exists for Windows Vista® and Windows® XP operating systems. While not addressed specifically as the "Federal Desktop Core Configuration" at its inception, the FDCC was originally called for in a March 22, 2007 memorandum from the OMB issued to all Federal agencies and department heads, and a corresponding memorandum from the OMB issued to all Federal agency and department Chief Information Officers (CIOs). For more information, visit the NIST FDCC page at http://nvd.nist.gov/fdcc/.

What is DCM?

Desired Configuration Management (DCM) is a feature in Microsoft® System Center Configuration Manager 2007 SP2. The DCM feature provides a set of tools and resources to assess and track the configuration compliance state of client and server computers in the enterprise.

What are the System Center Configuration Manager Extensions for SCAP?

The System Center Configuration Manager Extensions for SCAP make it possible to use the desired configuration management (DCM) feature in Microsoft System Center Configuration Manager 2007 SP2 for scanning computers to document their compliance with the Federal Desktop Core Configuration (FDCC) mandate. The extensions enable Configuration Manager 2007 SP2 to consume Security Content Automation Protocol (SCAP) data streams, assess systems for compliance, and generate report results in SCAP format by taking advantage of the compliance checking capabilities that are inherent in the DCM feature. Organizations can exploit their existing Configuration Manager 2007 SP2 infrastructure to ensure that the computers they manage meet the compliance requirements and generate the requisite FDCC reports for NIST and the OMB.

Where can I obtain the System Center Configuration Manager Extensions for SCAP?

Download the System Center Configuration Manager Extensions for SCAP from Microsoft.com/fdcc.

What are the requirements for using the System Center Configuration Manager Extensions for SCAP?

The following operating systems and software support the extensions:

To install, configure, and run the System Center Configuration Manager Extensions for SCAP, you need a computer with the following software:

  • One of the following 32-bit or 64-bit operating systems:
    • Windows Vista® release version or later.
    • Windows® XP with Service Pack 2 (SP2) or later.
    • Windows Server® 2008 release version or later.
    • Windows Server® 2003 with SP2 or later.
  • Microsoft .NET Framework version 2.0 or later.

In addition to the computer running the System Center Configuration Manager Extensions for SCAP, you will also need the following:

  • A System Center Configuration Manager 2007 SP2 infrastructure running Configuration Manager 2007 SP2 or later.

The computers that you want to assess for SCAP compliance need the following software:

  • The Desired Configuration Management client enabled.
  • One of the following 32-bit operating systems:
    • Windows Vista release version or later.
    • Windows XP with SP2 or later.

How do I provide the database connection with my organizational information to make the System Center Configuration Manager Extensions for SCAP work correctly?

For procedural information about how to configure your database connection information, see the section "Configure the System Center Configuration Manager Extensions for SCAP" in the System Center Configuration Manager Extensions for SCAP User Guide.

Who do I contact to provide feedback or troubleshoot any issues that I might have with the System Center Configuration Manager Extensions for SCAP?

Send any feedback or support questions you might have to System Center Configuration Manager Extensions for SCAP Feedback.

Has NIST approved the System Center Configuration Manager Extensions for SCAP?

Yes. Microsoft has obtained validation from NIST for a SCAP validated tool with FDCC Scanner capability.

Can the System Center Configuration Manager Extensions for SCAP achieve a 100 percent conversion rate?

Yes. The System Center Configuration Manager Extensions for SCAP can achieve a 100 percent conversion rate for FDCC SCAP data stream files. The conversion rates calculated by the extensions include dropped definitions, but do not include skipped definitions.