This note explains the common issue of "notapplicable" results when running openSCAP and SCAP-Security-Guide on CentOS.
SCAP seems like it should be easy because it is "just XML". Then you dig into looking for a test and it gets confusing fast. So it is good to have some background.
SCAP (Security Content Automation Protocol) is actually a set of multiple standards and specifications that are used together to enable automatically testing hundreds of nerd settings. Let me emphasize that: SCAP is not a single XML specification -- SCAP is multiple standards and specs. Whenever you give "SCAP Content" to a scanner to check a system configurations you are giving the scanner multiple XML files representing multiple standards.