The SCAP application provides support for eXtensible Configuration Checklist Document Format (XCCDF). XCCDF is an XML specification language for writing security checklists, benchmarks, and related kinds of compliance documents. An XCCDF document represents a structured collection of security configuration rules for a set of target systems. XCCDF describes the system characteristics to be checked or validated.
The SCAP application evaluates the XCCDF rules based on SCAP policies defined in the user's account. Users can import policies from the SCAP Policies Library, which is provided by the service. Also users can create custom policies by uploading user-defined SCAP content. Users can upload SCAP content for a SCAP policy based on their own checklists, benchmarks or compliance documents. XML validation of the uploaded XCCDF content is done when uploading the SCAP content for a policy, before the user performs compliance scans. During a SCAP scan a scanner appliance that has the SCAP option enabled interprets the OVAL and XCCDF rules using the OVAL definition interpreter and evaluates the checks and marks these compliance class CCE rule IDs results as compliant or not compliant.