Tell me about the SCAP Scorecard Report

The SCAP Scorecard Report gives you a high-level summary of the current SCAP compliance status for a SCAP policy in your account.

At the top of the report you'll see a report summary with details like the policy selected for the report, the benchmark defined for the policy, the SCAP profile defined for the policy and the number of active hosts with SCAP compliance data.

You'll see the number of active hosts with SCAP compliance data for the selected policy on the report generation date.

An active host with scan data is a host that meets all these conditions: the host was a target of a SCAP scan, the host was found to be alive during the scan, the host scan completed successfully and returned scan data (results), and the host scan data was found during report generation.

Here are possible reasons why a host assigned to the SCAP policy is not counted as active: the host has never been scanned for SCAP compliance, authentication to the host failed, the host was the target of a SCAP scan however the operating system detected by the scanning engine did not match the benchmark technology defined in the SCAP policy, or the SCAP compliance scan data was purged after it was scanned.

You'll see the total number of active hosts that are in compliance with the SCAP policy and the number of active hosts that are not in compliance with the policy.

This is the base version of the selected SCAP policy as defined by NIST, when the policy is a NIST provided policy.

Compliance status by asset group

Each asset group in the policy is listed with its compliance status (Pass or Fail).

The number of active hosts in the asset group that are in compliance with the SCAP policy. A Host in Compliance is a host whose scan data identifies all rules were evaluated for compliance. Each rule was evaluated on the host and returned one of these XCCDF test results: "pass" or "fail".

The number of active hosts in the asset group that are not in compliance with the SCAP policy. A Host Not in Compliance is a host whose scan data identifies all rules have not been evaluated for compliance. One or more rules were not evaluated and did not return one of these XCCDF test results: "pass" or "fail".

Note - Hosts may be scanned successfully however the scanning engine did not evaluate all rules on the host for SCAP compliance. In this case, these hosts are counted as active hosts (because they were scanned successfully) but they are not counted in Hosts in Compliance or Hosts Not in Compliance. Rules in a SCAP policy that have one of these XCCDF test results on a host are not evaluated: "notapplicable", "notchecked", "notselected" or "informational".

Compliance status by rule

The number of active hosts in the SCAP policy that are in compliance with the rule. A Host in Compliance is a host whose scan data identifies all rules were evaluated for compliance. Each rule was evaluated on the host and returned one of these XCCDF test results: "pass" or "fail".

The number of active hosts in the SCAP policy that are not in compliance with the rule. A Host Not in Compliance is a host whose scan data identifies all rules have not been evaluated for compliance. One or more rules were not evaluated and did not return one of these XCCDF test results: "pass" or "fail".

How to view CCE information and mappings

In the Rules Summary section of your report, we'll show you current CCE IDs for each rule, as defined in the SCAP policy. Click on any CCE ID to get additional information, including mappings to NIST SP 800-53 control identifiers. These appear under References. Please note that CCE IDs will be displayed only if they are specified in the SCAP data stream.