atsec's cryptographic and security testing laboratory accredited for SCAP testing by NIST's Computer Security Division and NVLAP

Austin, TX - atsec information security is proud to announce the successful accreditation of its cryptographic and security testing laboratory as a SCAP (Security Content Automation Protocol) test laboratory under the NVLAP (National Voluntary Laboratory Accreditation Program) supporting the Information Security Automation Program (ISAP); a U.S. government multi-agency initiative to enable automation and standardization of technical security operations. With this addition to the atsec IT security portfolio we will be able to test our customer's products against the SCAP standards using derived test requirements provided by the NIST Computer Security Division's Information Security Automation Program (ISAP) supported by the National Vulnerability Database (NVD) program.

Steve Weingart, Principal Consultant at atsec commented:"SCAP is a new standard that has been created to verify security configuration and vulnerability reporting, for computing systems and software. While the initial motivation is for government users to meet Federal requirements, we expect that the usefulness of this standard will promote its acceptance in industry and education as well."

The Security Content Automation Protocol (SCAP), pronounced "Ess-Cap", is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). More specifically, SCAP is a suite of open standards that: enumerates software flaws, security related configuration issues, and product names; measures systems to determine the presence of vulnerabilities; and provides mechanisms to rank (score) the results of these measurements in order to evaluate the impact of the discovered security issues. SCAP defines how these standards are used in unison to accomplish these capabilities.

SCAP includes the following standards:

• Common Vulnerabilities and Exposures (CVE)
  
• Common Configuration Enumeration (CCE)
  
• Common Platform Enumeration (CPE)
  
• Common Vulnerability Scoring System (CVSS)
  
• eXtensible Configuration Checklist Description Format (XCCDF)
  
• Open Vulnerability and Assessment Language (OVAL)

atsec has longstanding experience with IT security testing, evaluation and validation of software and hardware products. We are accredited as a Common Criteria Evaluation Laboratory, Cryptographic Module Testing Laboratory for FIPS 140-2.

For more information on The Information Security Automation Program and The Security Content Automation Protocol please visit http://nvd.nist.gov/scap.cfm

About atsec information security
atsec information security is an independent, standards-based information technology security services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec was founded in Munich (Germany) in 2000 and has extensive international operations with offices in the U.S., Germany, Sweden, and China.
atsec offers evaluation and testing services leading to formal certification for IT security including evaluation under Common Criteria schemes in the U.S., Germany, and Sweden; cryptographic module and algorithm testing under the Cryptographic Module Validation Program of the National Institute of Standards and Technology (NIST) in the U.S. and Communications Security Establishment Canada (CSEC) in Canada; and compliance validation to the Payment Card Industry (PCI) Data Security Standard.
atsec also offers secure code review, ISO/IEC 27001 ISMS consulting, and penetration testing and scanning services.
atsec works with leading global companies such as IBM, HP, Oracle, Cray,BMW, SGI, Vodafone, Swisscom, RWE, and Wincor-Nixdorf. For more information please visit www.atsec.com.