Facilitator:
Scribe:
SCAP encompass multiple standards. OVAL is the one for testing. (Open Vulnerability and Assessment Language)
The standards were born out of configuraiton management and thus require testing against deployed software
Most compliance frameworks mandate (or will soon mandate) testing of production systems
Secure configuration is not a replacement for secure software
Compliance requires the use of certified tools.