Naval Information Warfare Center (NIWC) Atlantic recently released the Security Content Automation Protocol (SCAP) Compliance Checker (SCC) software, an application designed to automate security compliance checking using open source SCAP specifications, free for public use.
“Since 2008, our team has designed, developed and maintained the application updating SCAP feature support and adding feature requests based on end user feedback,” said Jack Vander Pol, SCC team lead.
The software, which was originally developed in 2008 by NIWC Atlantic for another government agency, was used to validate their computers to ensure they were compliant with National Institute of Standards and Technology’s (NIST) U.S. Government Configuration Baseline (USGCB). The USGCB provides security configuration for information technology products across the federal government.
In 2010, National Security Agency (NSA) offered to fund the research and development to enable the SCC to be more feature rich and production ready. Once the final steps were completed, Defense Information Systems Agency’s (DISA) Cyber Standards Branch took over the funding of SCC and has been funding SCC’s development and technical support since 2013.
SCAP is a method used to guard against cybersecurity threats by using a set of Extensible Markup language (XML) standards, primarily Extensible Configuration Checklist Description Format (XCCDF) and Open Vulnerability and Assessment Language (OVAL), which includes policy settings and technical instructions to perform automated checking. XML is a method of defining data, similar to html, so that different programs can read the same file.
Due to the critical function the software performs, it is highly requested for use by other government agencies and contractors. To date, the SCC has nearly 3,000 registered end users from more than 200 different government agencies, and is used to review millions of computers to ensure they meet DISA’s Security Implementation Guide (STIG) requirements.
In the past, each request was reviewed and tracked, then the software was packaged and uploaded to a secure Department of Defense file exchange where the requestor could download it for use.
“It’s a time consuming process to release the software for every single request,” said Vander Pol. “So, in an effort to decrease the time and labor cost involved, DISA has requested we make the SCC application publicly available. Additionally, by providing the SCC for free to the public, we are providing a more secure cyber environment for everyone.”
DISA creates and publishes SCAP content to automate the verification of their STIGs, and DISA’s SCAP content is the primary content used with SCC, but it can be customized so that any user could install their SCAP content into SCC.
Brian Snodgrass from DISA cyber standards branch said, “The SCAP Compliance Checker has proved to be a valuable tool for DoD to improve and maintain its cybersecurity posture on multiple platforms across the DoD Information Network [DoDIN].”
To learn more about SCC, visit https://www.niwcatlantic.navy.mil/scap/.
As a part of Naval Information Warfare Systems Command, NIWC Atlantic provides systems engineering and acquisition to deliver information warfare capabilities to the naval, joint and national warfighter through the acquisition, development, integration, production, test, deployment, and sustainment of interoperable command, control, communications, computer, intelligence, surveillance, and reconnaissance, cyber and information technology capabilities.