About risk and compliance score calculation for SCAP assets
CCS uses the results of evaluating assets against SCAP benchmarks to calculate a compliance score and a risk score for each asset. The compliance score of an asset indicates how closely the asset adheres to the SCAP benchmark. The risk score of an asset indicates the exposure of an asset that has failed one or more rules in the benchmark evaluation.
The XCCDF specification, published by the National Institute of Standards and Technology (NIST), defines the compliance scoring models that CCS implements. As XCCDF recommends, CCS uses the Default scoring model (urn:xccdf:scoring:default) to calculate the weighted compliance scores of the assets: each rule result is scored as pass or fail, weighted by the rule's weight, and averaged recursively through the benchmark's groups.
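The following Python is an added illustration of the Default scoring model, not CCS code. Its scoring rules follow the NIST XCCDF specification; the benchmark tree, rule weights and rule results in it are assumptions constructed to show the model's behaviour: rules with result notapplicable, notchecked, informational or notselected are left out of both numerator and denominator, each group is averaged as a unit before it is weighted into its parent, and the result therefore differs from a plain pass percentage.

```python
"""XCCDF Default scoring model (urn:xccdf:scoring:default), applied to a
constructed benchmark tree.

Added example: this is not CCS code.  The scoring rules follow the NIST
XCCDF specification; the benchmark layout, rule weights and rule results
below are made up (assumptions) to show how the model behaves.
"""
from dataclasses import dataclass, field
from typing import Tuple

# Rule results that the default model leaves out entirely (count = 0).
# They neither raise nor lower the score.
UNCOUNTED = {"notapplicable", "notchecked", "informational", "notselected"}

# Counted results that score 100.  Every other counted result
# (fail, error, unknown) scores 0.
PASSING = {"pass", "fixed"}


@dataclass
class Rule:
    id: str
    result: str          # an XCCDF rule result value, e.g. "pass" or "fail"
    weight: float = 1.0  # XCCDF default <Rule weight="1.0">


@dataclass
class Group:
    id: str
    children: list = field(default_factory=list)  # Rule or Group objects
    weight: float = 1.0


def score(node) -> Tuple[float, int]:
    """Return (score, count) for a Rule, Group or Benchmark (a Group).

    A Group's score is the weighted average of the scores of its counted
    children only, so an all-notapplicable subtree carries no weight, and
    each group is averaged as one unit before it is weighted into its
    parent: nesting changes the final number.
    """
    if isinstance(node, Rule):
        if node.result in UNCOUNTED:
            return 0.0, 0
        return (100.0 if node.result in PASSING else 0.0), 1

    accumulator = 0.0
    weight_sum = 0.0
    count = 0
    for child in node.children:
        child_score, child_count = score(child)
        if child_count == 0:
            continue
        accumulator += child_score * child.weight
        weight_sum += child.weight
        count += child_count
    if weight_sum == 0:
        return 0.0, 0
    return accumulator / weight_sum, count


def pass_rate(node) -> float:
    """Plain pass percentage over counted rules, ignoring weights and
    grouping.  Shown only to contrast with the default model."""
    def walk(n):
        if isinstance(n, Rule):
            if n.result in UNCOUNTED:
                return 0, 0
            return (1 if n.result in PASSING else 0), 1
        passed = total = 0
        for c in n.children:
            p, t = walk(c)
            passed += p
            total += t
        return passed, total
    passed, total = walk(node)
    return 100.0 * passed / total if total else 0.0


def constructed_benchmark() -> Group:
    """Made-up benchmark: two groups, the second weighted twice as heavily."""
    return Group("example-benchmark", [
        Group("account-policy", [
            Rule("min-password-length", "pass"),
            Rule("password-history", "fail"),
            Rule("lockout-threshold", "pass"),
        ]),
        Group("services", weight=2.0, children=[
            Rule("disable-telnet", "pass"),
            Rule("disable-ftp", "fail"),
            Rule("iis-not-installed", "notapplicable"),  # IIS absent: excluded
        ]),
        Rule("audit-policy", "notchecked"),  # check did not run: excluded
    ])


if __name__ == "__main__":
    bench = constructed_benchmark()
    s, n = score(bench)
    print(f"default-model score {s:.2f} over {n} counted rules")  # 55.56 over 5
    print(f"unweighted pass rate {pass_rate(bench):.2f}")          # 60.00
```

Two consequences matter when reading a compliance score produced this way. A check that could not run (notchecked) silently disappears from the score rather than counting as a failure, so a high score built on few counted rules deserves scrutiny. And because groups are averaged before they are weighted, the same rule results laid out under a different group structure give a different number, so scores are only comparable between assets evaluated against the same benchmark.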
CCS uses Common Vulnerability Scoring System (CVSS) base scores to calculate the risk scores of the assets. The CVSS base score lets you prioritize remediation of the known security-related software flaws on the assets. When a new vulnerability is announced, a CVE ID is assigned to it; the software products affected by the vulnerability are identified by their CPE names; and the CVSS base metrics and score are computed and published in the National Vulnerability Database (NVD).