Chapter 15 - Auditing Security Policy with OpenSCAP

  1. Security Content Automation Protocol.
  2. SCAP policies can audit your systems against a given standard - for example the CIS Benchmarks discussed in this book, or the PCI-DSS (Payment Card Industry - Data Security Standard) requirements. There are many pre-written policies available, and with open source tools such as OpenSCAP, you can write your own policies with your own requirements. This is valuable to the enterprise in being able to run audits against Linux servers and ensure they remain compliant with a chosen standard.
  3. You would most likely use the OpenSCAP Daemon for this purpose.
  1. At a fundamental level, the OVAL file contains the low-level system checks the scanning engine should perform. The XCCDF file references the OVAL file (in fact it cannot be used without it) and contains, amongst other definitions, profiles which make use of scan definitions to audit against known policies (for example, PCI-DSS), and code to generate human-readable reports from the scan output.
  2. In some environments, the vendor might only provide you with support if you use their policy files. An example of this is Red Hat Enterprise Linux 7, where Red Hat state that they will only support you if you use the SSG policies available from their own repos.
  3. SCAP policies are highly specific to the operating system they are running on. Although in many scenarios, CentOS 7 and RHEL 7 can be treated as the same, there are fundamental differences. SCAP takes account of this and ensures that it differentiates between operating systems, even CentOS 7 and RHEL 7, and as such it will mark many if not all of the RHEL 7 audits as notapplicable when they are run against CentOS 7. The same would be true if a CentOS 7 specific policy was run against a RHEL 7 host.
  4. Yes you can - a command such as the following would generate an HTML report from an XML results file: sudo oscap xccdf generate report --output /var/www/html/reportoscapd.html /var/lib/oscapd/results/1/1/results.xml
  5. You must have set up passwordless (key based) SSH access to the server you wish to scan. It must also have passwordless sudo access unless you are using the root account over SSH (not recommended).
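The results.xml named in answer 4 is an XCCDF results document, and answer 3 explains why a policy written for the wrong operating system shows up as a sea of notapplicable results. The following is an added example (not from the book or from the OpenSCAP project) that parses an XCCDF 1.2 TestResult and tallies rule outcomes so a pipeline can fail on any "fail" and flag a probable policy mismatch; the sample results and rule ids are constructed, and the 90% notapplicable threshold is an assumed heuristic.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by XCCDF 1.2 results written by oscap.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample of the parts of results.xml that matter here. The rule
# ids are shaped like SSG rule ids but are assumptions, not real rule names.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium" weight="1.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_file_permissions_etc_shadow" severity="high" weight="1.0">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_rhel_only_check" severity="low" weight="1.0">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def summarise_results(xml_text: str) -> dict:
    """Return per-outcome counts and the ids of every rule that failed."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    failed = []
    # Each rule-result under TestResult carries one <result> element.
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[outcome] += 1
        if outcome == "fail":
            failed.append(rr.get("idref"))
    return {"counts": dict(counts), "failed": failed}


def policy_probably_mismatched(summary: dict, threshold: float = 0.9) -> bool:
    """True when nearly every rule came back notapplicable, the symptom of
    running, say, a RHEL 7 policy against a CentOS 7 host (answer 3)."""
    total = sum(summary["counts"].values())
    if total == 0:
        return True  # no rules evaluated at all: treat as mismatch
    return summary["counts"].get("notapplicable", 0) / total >= threshold
```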