Security Content Automation Protocol (SCAP) Compliance Checker (SCC)

SCC is a SCAP 1.2 Validated Scanner, with support for SCAP versions 1.0 and 1.1, and an Open Vulnerability Assessment Language (OVAL) adopter, capable of performing compliance verification using SCAP content, and authenticated vulnerability scanning using OVAL content.

Latest Software Release:

  • Version: 5.2​.1
  • Release Date: Release Date: August 29, 2019

Standards Supported

  • SCAP: 1.0, 1.1, 1.2
  • OVAL: 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10.1, 5.11, 5.11.1, 5.11.2
  • XCCDF: 1.1.4, 1.2
  • CPE: 2.2, 2.3
  • CCE: 5.0
  • OCIL: 2.0
  • ARF: 1.1
  • AI: 1.0
  • TMSAD: 1.0

SCAP 1.2 Validation:

Platforms Supported

  • Windows 2008, 7, 2008 R2, 8, 2012, 8.1, 2012 R2, 10 (x86 & x64), 2016
  • Red Hat Enterprise Linux 6 & 7
  • Solaris 10 & 11 (x86 and SPARC)
  • HPUX 11iv3 (IA64)
  • AIX 5.3, 6.1 (PowerPC)
  • Ubuntu (amd64)
  • Mac OS X (x86)

Primary Features:

  • No per seat license costs for Federal government/contractor computers
  • Performs compliance scanning using SCAP content
  • Performs vulnerability scanning using OVAL content
  • Performs manual interview checks using OCIL content
  • Creates XCCDF XML results
  • Creates OVAL XML results
  • Creates ARF XML results
  • Creates Cyberscope Autofeed XML results
  • Creates HTML and text based single computer reports
  • Creates HTML and spreadsheet based multi-computer summary reports
  • Allows for installation of custom SCAP and OVAL content
  • Allows for organizational deviations
  • Allows for organizationally defined compliance thresholds
  • Has graphical and command line interfaces
  • Native executables per platform (no runtime requirements such as Java)



  • The SCC was originally funded by the Internal Revenue Service (IRS) with later funding from the National Security Agency (NSA), and is currently funded by Defense Information Systems Agency (DISA).
  • OVAL, CPE, CVE and CCE are registered trademarks of the MITRE Corporation.

Obtaining the Software (DOD)

For Department of Defense (DOD) users with a valid Common Access Card (CAC), the software can be downloaded directly from DISA:

Then scroll down to "SCAP Tools"

Obtaining the Software (Non-DOD)

For US Government Employees and contractors with a .gov or .mil email address, the software can be obtained via the Office of Management and Budget (OMB) hosted website. Users will be required to self-activate an account in order to obtain the files.

After registration, the software can be downloaded from:

Alternate Method

SCC is available for any government employee or contractor to the US government; it is not available to the general public.

If you are unable to download SCC by one of the 2 primary methods above, the software can be requested by emailing: Please include the following in your request:

  1. US Federal agency you are supporting
  2. Government POC with .gov or .mil email address or Contract Number

Technical Support

To obtain technical support on the SCC application, please email:


pdf-icon SCAP Compliance Checker 5.2.1​​​​​​

​​​​​​​​​​​​​​​​​​​​ ​

SSC Atlantic
Skip to Navigation