Information Security Automation Program

The Information Security Automation Program (ISAP, pronounced “I Sap”) is a U.S. government multi-agency initiative to enable automation and standardization of technical security operations. While a U.S. government initiative, its standards based design can benefit all information technology security operations. The ISAP high level goals include standards based automation of security checking and remediation as well as automation of technical compliance activities (e.g. FISMA). ISAP's low level objectives include enabling standards based communication of vulnerability data, customizing and managing configuration baselines for various IT products, assessing information systems and reporting compliance status, using standard metrics to weight and aggregate potential vulnerability impact, and remediating identified vulnerabilities.

ISAP's technical specifications are contained in the related Security Content Automation Protocol (SCAP). ISAP's security automation content is either contained within, or referenced by, the National Vulnerability Database.

ISAP is being formalized through a trilateral memorandum of agreement (MOA) between Defense Information Systems Agency (DISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST). The Office of the Secretary of Defense (OSD) also participates and the Department of Homeland Security (DHS) funds the operation infrastructure on which ISAP relies (i.e., the National Vulnerability Database).