Red Hat Adds New NIST Certification for OpenSCAP, Expands Footprint for Open IT Security Standards

Community-driven security compliance scanner certified for mission-critical deployments on Red Hat Enterprise Linux 6 and 7 by National Institute of Standards and Technology


Red Hat, Inc. (NYSE: RHT), the world's leading provider of open source solutions, today announced that OpenSCAP 1.2, an open source Security Content Automation Protocol (SCAP) scanner, has been certified by the National Institute of Standards and Technology as a U.S. government evaluated configuration and vulnerability scanner for Red Hat Enterprise Linux 6 and 7-based systems. This certification shows that OpenSCAP can analyze and evaluate security automation content correctly and has the functionality and documentation required by NIST to run in sensitive, security-conscious environments.


NIST’s new certification of OpenSCAP on the world’s leading enterprise Linux platform provides a flexible, powerful SCAP scanner built on open standards, making it easier for agencies and other organizations to add verifiable, repeatable security scanning to their repertoires.

David Egts

chief technologist, Public Sector, Red Hat

A synthesis of interoperable specifications based on in-depth community collaboration, SCAP provides an overarching security format that security vendors supporting the standard can use. The standard defines common operations for security scanners, providing for security content that can be written once and run on another certified scanner, enabling repeatable security assessments to be done more quickly and continuously for policy compliance. Created more than five years ago, OpenSCAP is an open source, joint initiative between the National Security Agency, Red Hat, and the broader open source community to address these standards.

In the U.S., the General Services Administration (GSA) requires that technologies included in blanket purchase agreements for vulnerability and configuration management products have formal NIST SCAP certification (Special Notice QTA0-08-HC-B-003). Recently, this requirement has been expressed in product requirements in support of the DHS Continuous Diagnostics and Mitigation (CDM) program.

With the new NIST certification, Red Hat customers required to use SCAP for regulatory reasons, or in support of DHS CDM, no longer need to request waivers or exemptions for their Red Hat environments. The OpenSCAP certification extends across the Red Hat portfolio and encompasses:

  • Red Hat Enterprise Linux: In addition to providing OpenSCAP as a system administration tool, OpenSCAP has been integrated directly into the Red Hat Enterprise Linux installer. Systems can now operate in continuous security compliance from deployment through end of their lifecycle.

  • Red Hat Satellite: A lifecycle management for Red Hat Enterprise Linux-based hosts,including enterprise configuration and vulnerability scanning.

  • Red Hat CloudForms: Red Hat’s award-winning hybrid cloud management platform, offering security insight across cloud deployments.

  • Atomic Scan: Delivered as part of Red Hat Enterprise Linux Atomic Host, Atomic Scan is the first NIST-certified configuration and vulnerability scanner for Linux Containers. Atomic Scan is capable of scanning container registries, even when containers are offline, using container introspection.

  • SCAP Workbench: A graphical utility built for system administrators and security officers to more easily tailor and customize SCAP-based security profiles, without requiring in-depth knowledge of the underlying SCAP standards.

In addition to natively providing OpenSCAP tooling in Red Hat Enterprise Linux and associated system management offerings, Red Hat provides the underlying development libraries for OpenSCAP. With these libraries, independent software vendors (ISVs) can embed NIST-certified configuration and vulnerability scanning into their applications built for Red Hat Enterprise Linux, extending these capabilities across bare metal, virtualized, and container deployments.

Security automation content, consumable by OpenSCAP and other SCAP-certified tools, is provided through the SCAP Security Guide package. Security compliance profiles are included in both Red Hat Enterprise Linux 6 and 7 for standards such as the Department of Defense Security Technical Implementation Guide (STIG), PCI compliance, and FBI Criminal Justice Information Systems (CJIS).

Supporting Quotes
David Egts, chief technologist, Public Sector, Red Hat
“Continuous, repeatable scanning processes are key to keeping modern, increasingly-complex computing environments more secure and safe, and open standards help to make these processes achievable. NIST’s new certification of OpenSCAP on the world’s leading enterprise Linux platform provides a flexible, powerful SCAP scanner built on open standards, making it easier for agencies and other organizations to add verifiable, repeatable security scanning to their repertoires.”

Alex Johns, security analyst, COACT, Inc.
“Red Hat’s OpenSCAP technology is a proven asset for organizations that must utilize a validated scanner to meet their security and compliance needs. OpenSCAP met all of the applicable SCAP 1.2 testing requirements and correctly implemented the features and functions available through SCAP for the Red Hat Enterprise Linux 6 32-bit, Red Hat Enterprise Linux 6 64-bit, and Red Hat Enterprise Linux 7 64-bit platforms. It was a pleasure working with such a proactive development team throughout the validation process.”

  • About Red Hat
  • Red Hat is the world's leading provider of open source software solutions, using a community-powered approach to provide reliable and high-performing cloud, Linux, middleware, storage and virtualization technologies. Red Hat also offers award-winning support, training, and consulting services. As a connective hub in a global network of enterprises, partners, and open source communities, Red Hat helps create relevant, innovative technologies that liberate resources for growth and prepare customers for the future of IT. Learn more at

  • Forward-Looking Statements
  • Certain statements contained in this press release may constitute "forward-looking statements" within the meaning of the Private Securities Litigation Reform Act of 1995. Forward-looking statements provide current expectations of future events based on certain assumptions and include any statement that does not directly relate to any historical or current fact. Actual results may differ materially from those indicated by such forward-looking statements as a result of various important factors, including: risks related to the ability of the Company to compete effectively; the ability to deliver and stimulate demand for new products and technological innovations on a timely basis; delays or reductions in information technology spending; the integration of acquisitions and the ability to market successfully acquired technologies and products; fluctuations in exchange rates; the effects of industry consolidation; uncertainty and adverse results in litigation and related settlements; the inability to adequately protect Company intellectual property and the potential for infringement or breach of license claims of or relating to third party intellectual property; risks related to data and information security vulnerabilities; the ability to meet financial and operational challenges encountered in our international operations; ineffective management of, and control over, the Company's growth and international operations; and changes in and a dependence on key personnel, as well as other factors contained in our most recent Quarterly Report on Form 10-Q (copies of which may be accessed through the Securities and Exchange Commission's website at ), including those found therein under the captions "Risk Factors" and "Management's Discussion and Analysis of Financial Condition and Results of Operations". In addition to these factors, actual future performance, outcomes, and results may differ materially because of more general factors including (without limitation) general industry and market conditions and growth rates, economic and political conditions, governmental and public policy changes and the impact of natural disasters such as earthquakes and floods. The forward-looking statements included in this press release represent the Company's views as of the date of this press release and these views could change. However, while the Company may elect to update these forward-looking statements at some point in the future, the Company specifically disclaims any obligation to do so. These forward-looking statements should not be relied upon as representing the Company's views as of any date subsequent to the date of this press release.