OVAL in Use

As the standard for determining vulnerability and configuration issues on computer systems, the OVAL Language and OVAL content are used in numerous information security products and services from around the world. OVAL also helps in Making Security Measurable.

Use of OVAL in information security products and services enhances these areas of enterprise security:

Sponsor: CS&C


Security Content Automation Protocol (SCAP)

OVAL is one of ten existing standards the U.S. National Institute of Standards and Technology’s (NIST) SCAP to enable automated vulnerability management, measurement, and policy compliance evaluation.

Extensible Configuration Checklist Description Format (XCCDF)

XCCDF’s default configuration checking technology is OVAL.

DoD Contracts

U.S. Defense Information Systems Agency (DISA) issued Task Order 232 in June 2004 for information assurance applications for the Department of Defense (DoD) that requires the use of products that use OVAL.

Databases Including OVAL-IDs


Platforms Incorporating the OVAL Interpreter

Databases and Advisories Including OVAL-IDs

Common Announcement Interchange Format (CAIF)

RUS-CERT’s CAIF documents are able to incorporate OVAL Definitions.

Service Oriented Architecture (SOA)

PatchLink Corporation’s SOA is built around OVAL in order to encourage cooperative development and interoperability between vendor products.

Back to top

Page Last Updated: May 07, 2013