One unique advantage to the SCAP family of specifications is that there is a significant amount of freely-available content (and even more commercially-available) that is written in compatible formats. A continuous monitoring solution that is SCAP-based has the advantage of being able to leverage these content sources, and avoid having to dedicate a team to content creation and migration activities. Most available content addresses the security compliance and known-vulnerability detection use-cases.
NIST is chartered with maintaining the baseline configuration guidance for products commonly used by US Government Federal agencies. This guidance is captured in the US Government Configuration Baseline (USGCB) XML benchmarks, which are published by NIST and available for royalty-free use.
The Defense Information Systems Agency is the IT department for the US Department of Defense. It maintains Secure Technical Implementation Guidelines in SCAP format for a wide variety of operating systems and applications. The STIGS are used as a source of authoritative secure configuration guidance by many auditors and security practitioners seeking to implement a variety of government and industry-mandated compliance policies. Many automated DISA STIGS are publicly available, and can be used royalty-free.
NIST maintains the National Checklist Program Repository page at the National Vulnerability Database (NVD) website. This searchable repository indexes freely-available security benchmarks from a variety of US-government sources.
RedHat maintains its own freely-available security guidelines in SCAP format, particularly for newer versions of RedHat Linux that are not explicitly covered by USGCB.
The Center for Internet Security is a non-profit organization focused on improving cybersecurity for public and private sector entities, which publishes security guidance on the configuration of a wide variety of software and operating systems. CIS members have access to automated benchmarks published in SCAP format.
ALTX-SOFT is a leading producer of SCAP content, offering PCI and Russian/FSTEC regulatory compliance benchmarks, security guides for multiple products and operating systems, and bespoke compliance benchmarks in multiple languages for resale to ISVs.
SecPod is a leading producer of commercially-available SCAP content, offering subscription-based access to its own XCCDF compliance benchmarks focused on HPIAA, PCI, NERC and other regulatory and industry frameworks.
The original OVAL repository, now hosted by CIS, contains community-maintained definitions for inventory, compliance, and importantly, every vulnerability known to the National Vulnerability Database (NVD).
Cisco publishes automatically-generated OVAL vulnerability content for IOS as part of their regular security guidance and vulnerability publishing process.
RedHat hosts an automatically-generated OVAL vulnerability feed for all the RPM-packaged software for the RedHat Linux distribution.
Canonical hosts an automatically-generated OVAL vulnerability feed for all Debian software packages available for Ubuntu Linux distributions.
Novell hosts automatically-generated OVAL vulnerability feeds for supported versions of SUSE Linux distributions.
Debian hosts automatically-generated OVAL vulnerability feeds for Debian packages, although the auto-generation process is currently broken.
ALTX-SOFT is the leading contributor of OVAL content to the CIS repository, who also maintain their own repository of OVAL vulnerability content for registered users.
SecPod, a leading producer of commercially-available SCAP content, maintains extensive OVAL definitions covering MacOS X vulnerabilities.