SCAP, basically, is a checklist that relies on a handful of open standards for naming software flaw conventions and configurations in applications and systems. So, if your scanner is SCAP compliant, you can more swiftly check to see if your agency systems are FDCC compliant.
That's probably why, in another memo, the OMB mandated that federal CIOs must use SCAP-validated tools for FDCC software acceptance for all U.S. government systems.
And that's where trouble starts to enter this acronym paradise. This Friday, those federal agencies are supposed to submit to OMB a listing of all of their systems running XP and Vista, as well as how many are FDCC compliant (Though SCAP is not required for this deadline).
Here's the rub: as of today, no SCAP products have been validated. There's just this Web page listing no validated SCAP tools. However, the National Institute of Standards and Technology has promised a list by this Friday.
There's nothing like pushing a deadline.
In the long run, SCAP will no doubt will make it easier for agencies, vendors, and auditors to maintain more secure federal systems. A secure configuration that can be easily validated means fewer mistakes and easier enforcement of sound security practices.
For those agencies that don't want to wait until Friday to get started, here's a list of scanners that purport to have SCAP capabilities.