You'll need a SCAP policy in order to evaluate hosts for SCAP compliance. SCAP content is compliant with SCAP 1.0 and 1.2 specifications defined by NIST.
Tell me about user permissions
The SCAP application must be enabled for the subscription. Managers and Auditors have permissions to create and edit SCAP policies.
SCAP 1.2 content consists of a single file: SCAP source data stream collection.
Go to PC > Policies and select New > SCAP Policy. Select the option "SCAP version 1.2" and then browse to the data stream collection file. Click Next and we'll perform schema validation. Please resolve any content errors reported online. After passing schema validation you'll see SCAP benchmark details. Use the drop-downs to select the source data stream ID, the benchmark ID and the profile title (that corresponds to the profile ID) intended for evaluation. Important - Once you save your policy, you cannot modify these selections for the policy. You can, however, create new policies with different selections. When you're done making your selections, click Create to save your new policy. It'll be saved with the type SCAP.
SCAP 1.1/1.0 content consists of these files: XCCDF Content, CPE OVAL Definitions, CPE 2.0 Dictionary, OVAL Compliance Definitions. This file is optional: OVAL Patch Definitions.
Go to PC > Policies and select New > SCAP Policy. Select the option "SCAP version 1.1/1.0" and then select the XCCDF content file plus additional data files. Click Next and we'll perform schema validation. Please resolve any content errors reported online. Once you pass schema validation, select a SCAP benchmark - you can customize the details if you want. Click Create to save your new policy. It'll be saved with the type SCAP.
Go to PC > Policies and select New > SCAP Policy. Select the option "Custom OVAL definitions & external variables" and select content to be uploaded. You'll select an OVAL definition file and optionally an OVAL external variable file. Click Next. The benchmark is automatically generated for your policy. Click Create to save your new policy. It'll be saved with the type OVAL.
It's recommended that you assign assets to your policy at this time. These are the hosts you want to scan against this policy. Be sure to assign relevant hosts (for example assign Windows 7 hosts to a Windows 7 policy). Tip - At least one asset group must be assigned to scan against the policy.
Is my new policy ready to use?
Once your policy is in your list and you've assigned assets to it, you're ready to start scanning. You'll notice when you launch a SCAP scan, you can select the policy from the SCAP Policy menu. To view policy information, select Info from the Quick Actions menu.
Tell me about Schematron Validation
If using SCAP 1.0, you have the option to Perform Schematron Validation if you would like the service to perform this validation in addition to Schema validation. We recommend this validation unless you have already performed it using another tool - it will increase the time it takes to validate the policy content files.
Are there policies I can import?
Yes. You can import a policy that has been validated by the NIST standards. Learn more
Where can I see the published date for SCAP content?
Select a policy on your policies list and check out the preview pane. You'll see the generated date (when the content was originally created/officially published) and the last updated date (when the policy was created/modified).