NIST Security Configuration Checklists
SAINT is a NIST-Validated SCAP Solution

The Security Content Automation Protocol (SCAP) is a specification established by the U.S. National Institute of Standards and Technology (NIST) for expressing and manipulating security data in standardized ways. Currently, SCAP can enumerate product names and vulnerabilities (both software flaws and configuration issues); identify the presence of vulnerabilities; and assign severity scores to software flaw vulnerabilities. NIST SCAP validation.

March 2015 SC Magazine Awards SAINT 5 Stars
SC Magazine Awards SAINT 5 Stars

"Easy setup and rich feature set at a great price."

"One feature we really liked about the SAINT Security Suite was its support for the new NIST SCAP v1.2 standard. Federal customers should pay particular attention to SAINT because it can output vulnerability assessment data into easy-to-manipulate formats to simplify monthly reporting."

Contact SAINT Sales

Benefits of SAINT

  • First to market as a product validated using the v.1- (March 2014 release) NIST test suite

  • Agentless scanning – scan hosts from the Cloud or locally with no host plug-in, agent or applet

  • Access to over 20,000 definitive checks from MITRE's OVAL repository

  • Output can be used in SAINT 8's custom report capability, including charts, graphs and tables

  • Dynamic update of SCAP content ensures assessments respond to changing threats and standards

  • NIST validated product for latest SCAP standard v.1.2 for all supported platforms

  • SAINT Security Suite supports both the standard and Cyberscope reporting formats

  • Policy editor to customize industry benchmarks and assess hosts against custom configuration


How SAINT Supports SCAP

SAINT offers all assessment and reporting capabilities compliant with SCAP version 1.2, as an Authenticated Configuration Scanner (ACS), including Common Vulnerabilities and Exposures (CVE) for content published at Tier III and Tier IV, and the OVAL repository for each of the six mandated platforms including:

  • Microsoft Windows XP Professional with Service Pack 3
  • Microsoft Windows Vista with Service Pack 2
  • Microsoft Windows 7, 32- and 64-bit
  • Red Hat Enterprise Linux 5 Desktop, 32- and 64-bit

SAINT also extends customer value well beyond the six mandated platforms, offering assessment capabilities for many other platforms critical to today’s infrastructure, such as:

  • Windows 7, 8, 2008 R2, 2012 R2
  • Ubuntu, SUSE Linux
  • Red Hat
  • MAC OS X
  • and many others…













The SCAP v.1.2 capabilities include the following components:

OVAL Adopter Logo



Open Vulnerability and Assessment Language (OVAL®) is an international information security standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. SAINT provides support to the OVAL® Adoption Program as a Vulnerability Scanner, and provides the capabilities as both a Definition Evaluator and a System Characteristics Producer.


XCCDF security benchmark automation is a specification language for writing security checklists, benchmarks, and related types of documents, defined by NIST. Security checklists (or benchmarks) can be downloaded from; these data streams can then be downloaded into SAINT to run an XCCDF scan.



Common Platform Enumeration (CPE™) enumeration is a structured naming scheme for information technology systems, software, and packages.



Common Vulnerabilities and Exposures (CVE®) enumeration is a dictionary of publicly known information security vulnerabilities and other information security exposures.




Common Vulnerability Scoring System (CVSS) metric is a vulnerability scoring system designed to provide an open and standardized method for rating Information Technology vulnerabilities framework for communicating the characteristics and impacts of IT vulnerabilities.


Common Configuration Enumeration (CCE™) provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.


Asset Identification (AI) is a format for uniquely identifying assets based on known identifiers and/or known information about the assets. The SCAP specification describes the purpose of asset identification, a data model for identifying assets, methods for identifying assets, and guidance on how to use asset identification. It also identifies a number of known use cases for asset identification.


Asset Reporting Format (ARF) expresses the transport format of information about assets and the relationships between assets and reports. The SCAP specification prescribes the standardized data model to facilitate the reporting, correlating and fusing of asset information throughout and between organizations.


Trust Model for Security Automation Data (TMSAD) is a specification for using digital signatures in a common trust model applied to other security automation specifications. The SCAP specification prescribes the standardized data model for establishing trust for security automation data.