How to create a custom SCAP policy

You'll need a SCAP policy in order to evaluate hosts for SCAP compliance. SCAP content is compliant with SCAP 1.0 and 1.2 specifications defined by NIST.

Tell me about user permissions

How to create a policy with SCAP 1.2 content

SCAP 1.2 content consists of a single file: SCAP source data stream collection.

Go to PC > Policies and select New > SCAP Policy. Select the option "SCAP version 1.2" and then browse to the data stream collection file. Click Next and we'll perform schema validation.  Please resolve any content errors reported online. After passing schema validation you'll see SCAP benchmark details. Use the drop-downs to select the source data stream ID, the benchmark ID and the profile title (that corresponds to the profile ID) intended for evaluation. Important - Once you save your policy, you cannot modify these selections for the policy. You can, however, create new policies with different selections. When you're done making your selections, click Create to save your new policy. It'll be saved with the type SCAP.

How to create a policy with SCAP 1.1/1.0 content

SCAP 1.1/1.0 content consists of these files: XCCDF Content, CPE OVAL Definitions, CPE 2.0 Dictionary, OVAL Compliance Definitions. This file is optional: OVAL Patch Definitions.

Go to PC > Policies and select New > SCAP Policy. Select the option "SCAP version 1.1/1.0" and then select the XCCDF content file plus additional data files. Click Next and we'll perform schema validation. Please resolve any content errors reported online. Once you pass schema validation, select a SCAP benchmark - you can customize the details if you want. Click Create to save your new policy. It'll be saved with the type SCAP.

How to create a policy with OVAL content

Go to PC > Policies and select New > SCAP Policy. Select the option "Custom OVAL definitions & external variables" and select content to be uploaded. You'll select an OVAL definition file and optionally an OVAL external variable file. Click Next. The benchmark is automatically generated for your policy. Click Create to save your new policy. It'll be saved with the type OVAL.

How to assign assets to your policy

It's recommended that you assign assets to your policy at this time. These are the hosts you want to scan against this policy. Be sure to assign relevant hosts (for example assign Windows 7 hosts to a Windows 7 policy). Tip - At least one asset group must be assigned to scan against the policy.

Looking for something else?

Is my new policy ready to use?

Tell me about Schematron Validation

Are there policies I can import?

Where can I see the published date for SCAP content?