Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Projects

Security Content Automation Protocol Validation Program SCAPVP

Overview

End-of-Life Announcement: NIST SCAP Validation Program

The National Institute of Standards and Technology (NIST) announces the phased conclusion of the Security Content Automation Protocol (SCAP) Validation Program.

Since its inception in 2009, the SCAP Validation Program has played a crucial role in advancing standardized security automation and vulnerability management. Managed through the National Voluntary Laboratory Accreditation Program (NVLAP), the program enabled independent laboratories to test and validate products against SCAP standards, helping organizations worldwide strengthen their security posture.

Key Dates and Changes:

  • Effective Immediately: NVLAP will no longer accept new applications for SCAP accreditation or process renewals for SCAP scope. No new or renewal assessments will be conducted. (See NIST Lab Bulletin LB-160-2025)
  • Test Reports: NVLAP will continue to accept SCAP Validation Test reports from accredited laboratories until 12:00 AM (midnight) on September 2, 2024 EDT. Reports with major flaws that require re-testing will not be accepted for validation.

This transition marks the end of an era for NIST SCAP Validation Program, reflecting the field’s growth and changing needs in security automation. NIST is committed to transparency throughout this process and will share additional information about SCAP Validation Test Reports on the NIST SCAP website.

If you have questions about these changes, the NVLAP Security Testing, or SCAP Validation Test Reports, please contact us at: [email protected].

We thank all participating laboratories, vendors, and stakeholders for their dedication to SCAP and their ongoing commitment to advancing cybersecurity over the past decade.

SCAP Validation Program Overview

The SCAP Validation Program is designed to test the ability of products to use the features and functionality available through SCAP and its component standards.

Under the SCAP Validation Program, independent laboratories are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). Accreditation requirements are defined in NIST Handbook 150, and NIST Handbook 150-17. Independent laboratories conduct the tests contained in the SCAP Validation Program Derived Test Requirements Document, on information technology (IT) security products and deliver the results to NIST. Based on the independent laboratory test report, the SCAP Validation Program then validates the product under test based on the independent laboratory test report. The validations awarded to vendor products will be publicly posted on the SCAP Validated Products and Modules web page.

SCAP validation will focus on evaluating specific versions of vendor products based on the platforms they support. Validations will be awarded on a platform-by-platform basis for the version of the product that was tested. Currently, products may seek validations on Red Hat Linux, Microsoft Windows and Apple Mac OS platforms.

Contacts

SCAP Validation Inquiries
[email protected]

Created November 06, 2017, Updated September 11, 2025