CCS adheres to the SCAP 1.0/1.1 and SCAP 1.2 specifications to govern the risk and compliance posture of the enterprise network.
The standards in the SCAP 1.2 specification and their descriptions are as follows:
Extensible Configuration Checklist Description Format (XCCDF) 1.2
An Extensible Markup Language (XML) specification for structured collections of security configuration rules used by operating system (OS) and application platforms.
Open Vulnerability and Assessment Language (OVAL®) 5.10.1
An XML specification for exchanging technical details on how to check systems for security-related software flaws, configuration issues, and software patches.
Common Configuration Enumeration (CCE™) 5
A dictionary of names for software security configuration issues (e.g., access control settings, password policy settings).
Common Platform Enumeration (CPE™) 2.3
A naming convention for hardware, OS, and application products.
Common Vulnerabilities and Exposures (CVE®)
A dictionary of names for publicly known security-related software flaws.
Common Vulnerability Scoring System (CVSS) 2.0
A method for classifying characteristics of software flaws and assigning severity scores based on these characteristics.
Asset Identification 1.1
A format for uniquely identifying assets based on known identifiers and/or known information about the assets.
Asset Reporting Format (ARF) 1.1
A format for expressing the transport format of information about assets and the relationships between assets and reports.
CCS allows the import of data streams that include OCIL rules along with other definitions; however, the OCIL rules are ignored because OCIL evaluation is not supported in CCS. In the exported evaluation results, the OCIL rules are marked as Not Checked. If a data stream contains only OCIL content, the data stream is not imported into CCS.
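
The following pre-import check is an added example, not part of CCS or its documentation. It lists the content kinds each data stream in an SCAP 1.2 data stream collection references and flags streams that carry only OCIL content. It assumes the standard SCAP 1.2, XCCDF 1.2, OVAL 5 and OCIL 2.0 XML namespaces, and it interprets "only OCIL content" as every component reference in the stream resolving to an OCIL document; the sample collection and its ids are constructed.

```python
import xml.etree.ElementTree as ET

DS = "{http://scap.nist.gov/schema/scap/source/1.2}"
HREF = "{http://www.w3.org/1999/xlink}href"
# Namespace of a component's root element -> content kind.
KINDS = {
    "http://checklists.nist.gov/xccdf/1.2": "XCCDF",
    "http://oval.mitre.org/XMLSchema/oval-definitions-5": "OVAL",
    "http://scap.nist.gov/schema/ocil/2.0": "OCIL",
}
# Constructed sample: one mixed stream and one OCIL-only stream (ids simplified).
SAMPLE = """<ds:data-stream-collection id="sample_collection"
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <ds:data-stream id="mixed">
    <ds:checklists><ds:component-ref id="r1" xlink:href="#c_xccdf"/></ds:checklists>
    <ds:checks>
      <ds:component-ref id="r2" xlink:href="#c_oval"/>
      <ds:component-ref id="r3" xlink:href="#c_ocil"/>
    </ds:checks>
  </ds:data-stream>
  <ds:data-stream id="questionnaire_only">
    <ds:checks><ds:component-ref id="r4" xlink:href="#c_ocil"/></ds:checks>
  </ds:data-stream>
  <ds:component id="c_xccdf"><Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"/></ds:component>
  <ds:component id="c_oval"><oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"/></ds:component>
  <ds:component id="c_ocil"><ocil xmlns="http://scap.nist.gov/schema/ocil/2.0"/></ds:component>
</ds:data-stream-collection>"""

def classify_streams(xml_text):
    """Return {data-stream id: {"kinds": set of kinds, "ocil_only": bool}}."""
    # For content from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    kinds = {}  # component id -> kind, taken from its root element's namespace
    for comp in root.iter(DS + "component"):
        child = next(iter(comp), None)
        ns = child.tag.partition("}")[0].lstrip("{") if child is not None else ""
        kinds[comp.get("id")] = KINDS.get(ns, "other")
    report = {}
    for ds in root.iter(DS + "data-stream"):
        # Resolve each component-ref (xlink:href="#<component id>") to a kind.
        used = {kinds.get(ref.get(HREF, "").lstrip("#"), "unresolved")
                for ref in ds.iter(DS + "component-ref")}
        report[ds.get("id")] = {"kinds": used, "ocil_only": used == {"OCIL"}}
    return report

if __name__ == "__main__":
    for stream_id, info in classify_streams(SAMPLE).items():
        print(stream_id, sorted(info["kinds"]), "OCIL only:", info["ocil_only"])
```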