diff --git a/app/v2/broadcast/post_broadcast.py b/app/v2/broadcast/post_broadcast.py
index a1b483808..18fe37b64 100644
--- a/app/v2/broadcast/post_broadcast.py
+++ b/app/v2/broadcast/post_broadcast.py
@@ -8,6 +8,8 @@ from app.models import BROADCAST_TYPE, BroadcastMessage, BroadcastStatusType
 from app.schema_validation import validate
 from app.v2.broadcast import v2_broadcast_blueprint
 from app.v2.broadcast.broadcast_schemas import post_broadcast_schema
+from app.v2.errors import BadRequestError
+from app.xml_schemas import validate_xml
 
 
 @v2_broadcast_blueprint.route("", methods=['POST'])
@@ -21,7 +23,13 @@ def create_broadcast():
     if request.content_type == 'application/json':
         broadcast_json = request.get_json()
     elif request.content_type == 'application/cap+xml':
-        broadcast_json = cap_xml_to_dict(request.get_data(as_text=True))
+        cap_xml = request.get_data(as_text=True)
+        if not validate_xml(cap_xml, 'CAP-v1.2.xsd'):
+            raise BadRequestError(
+                message=f'Request data is not valid CAP XML',
+                status_code=400,
+            )
+        broadcast_json = cap_xml_to_dict(cap_xml)
     else:
         raise BadRequestError(
             message=f'Content type {request.content_type} not supported',
diff --git a/app/xml_schemas/CAP-v1.2.xsd b/app/xml_schemas/CAP-v1.2.xsd
new file mode 100644
index 000000000..ed97952be
--- /dev/null
+++ b/app/xml_schemas/CAP-v1.2.xsd
@@ -0,0 +1,218 @@
+<?xml version = "1.0" encoding = "UTF-8"?>
+<!-- Copyright OASIS Open 2010 All Rights Reserved -->
+<schema xmlns = "http://www.w3.org/2001/XMLSchema"
+   targetNamespace = "urn:oasis:names:tc:emergency:cap:1.2"
+   xmlns:cap = "urn:oasis:names:tc:emergency:cap:1.2"
+   xmlns:xs = "http://www.w3.org/2001/XMLSchema"
+   elementFormDefault = "qualified"
+   attributeFormDefault = "unqualified"
+   version = "1.2">
+  <element name = "alert">
+    <annotation>
+      <documentation>CAP Alert Message (version 1.2)</documentation>
+    </annotation>
+    <complexType>
+      <sequence>
+        <element name = "identifier" type = "xs:string"/>
+        <element name = "sender" type = "xs:string"/>
+        <element name = "sent">
+          <simpleType>
+            <restriction base = "xs:dateTime">
+              <pattern value = "\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d[-,+]\d\d:\d\d"/>
+            </restriction>
+          </simpleType>
+        </element>
+        <element name = "status">
+          <simpleType>
+            <restriction base = "xs:string">
+              <enumeration value = "Actual"/>
+              <enumeration value = "Exercise"/>
+              <enumeration value = "System"/>
+              <enumeration value = "Test"/>
+              <enumeration value = "Draft"/>
+            </restriction>
+          </simpleType>
+        </element>
+        <element name = "msgType">
+          <simpleType>
+            <restriction base = "xs:string">
+              <enumeration value = "Alert"/>
+              <enumeration value = "Update"/>
+              <enumeration value = "Cancel"/>
+              <enumeration value = "Ack"/>
+              <enumeration value = "Error"/>
+            </restriction>
+          </simpleType>
+        </element>
+        <element name = "source" type = "xs:string" minOccurs = "0"/>
+        <element name = "scope">
+          <simpleType>
+            <restriction base = "xs:string">
+              <enumeration value = "Public"/>
+              <enumeration value = "Restricted"/>
+              <enumeration value = "Private"/>
+            </restriction>
+          </simpleType>
+        </element>
+        <element name = "restriction" type = "xs:string" minOccurs = "0"/>
+        <element name = "addresses" type = "xs:string" minOccurs = "0"/>
+        <element name = "code" type = "xs:string" minOccurs = "0" maxOccurs = "unbounded"/>
+        <element name = "note" type = "xs:string" minOccurs = "0"/>
+        <element name = "references" type = "xs:string" minOccurs = "0"/>
+        <element name = "incidents" type = "xs:string" minOccurs = "0"/>
+        <element name = "info" minOccurs = "0" maxOccurs = "unbounded">
+          <complexType>
+            <sequence>
+              <element name = "language" type = "xs:language" default = "en-US" minOccurs = "0"/>
+              <element name = "category" maxOccurs = "unbounded">
+                <simpleType>
+                  <restriction base = "xs:string">
+                    <enumeration value = "Geo"/>
+                    <enumeration value = "Met"/>
+                    <enumeration value = "Safety"/>
+                    <enumeration value = "Security"/>
+                    <enumeration value = "Rescue"/>
+                    <enumeration value = "Fire"/>
+                    <enumeration value = "Health"/>
+                    <enumeration value = "Env"/>
+                    <enumeration value = "Transport"/>
+                    <enumeration value = "Infra"/>
+                    <enumeration value = "CBRNE"/>
+                    <enumeration value = "Other"/>
+                  </restriction>
+                </simpleType>
+              </element>
+              <element name = "event" type = "xs:string"/>
+              <element name = "responseType" minOccurs = "0" maxOccurs = "unbounded">
+                <simpleType>
+                  <restriction base = "xs:string">
+                    <enumeration value = "Shelter"/>
+                    <enumeration value = "Evacuate"/>
+                    <enumeration value = "Prepare"/>
+                    <enumeration value = "Execute"/>
+                    <enumeration value = "Avoid"/>
+                    <enumeration value = "Monitor"/>
+                    <enumeration value = "Assess"/>
+                    <enumeration value = "AllClear"/>
+                    <enumeration value = "None"/>
+                  </restriction>
+                </simpleType>
+              </element>
+              <element name = "urgency">
+                <simpleType>
+                  <restriction base = "xs:string">
+                    <enumeration value = "Immediate"/>
+                    <enumeration value = "Expected"/>
+                    <enumeration value = "Future"/>
+                    <enumeration value = "Past"/>
+                    <enumeration value = "Unknown"/>
+                  </restriction>
+                </simpleType>
+              </element>
+              <element name = "severity">
+                <simpleType>
+                  <restriction base = "xs:string">
+                    <enumeration value = "Extreme"/>
+                    <enumeration value = "Severe"/>
+                    <enumeration value = "Moderate"/>
+                    <enumeration value = "Minor"/>
+                    <enumeration value = "Unknown"/>
+                  </restriction>
+                </simpleType>
+              </element>
+              <element name = "certainty">
+                <simpleType>
+                  <restriction base = "xs:string">
+                    <enumeration value = "Observed"/>
+                    <enumeration value = "Likely"/>
+                    <enumeration value = "Possible"/>
+                    <enumeration value = "Unlikely"/>
+                    <enumeration value = "Unknown"/>
+                  </restriction>
+                </simpleType>
+              </element>
+              <element name = "audience" type = "xs:string" minOccurs = "0"/>
+              <element name = "eventCode" minOccurs = "0" maxOccurs = "unbounded">
+                <complexType>
+                  <sequence>
+                    <element ref = "cap:valueName"/>
+                    <element ref = "cap:value"/>
+                  </sequence>
+                </complexType>
+              </element>
+              <element name = "effective" minOccurs = "0">
+                <simpleType>
+                  <restriction base = "xs:dateTime">
+                    <pattern value = "\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d[-,+]\d\d:\d\d"/>
+                  </restriction>
+                </simpleType>
+              </element>
+              <element name = "onset"  minOccurs = "0">
+                <simpleType>
+                  <restriction base = "xs:dateTime">
+                    <pattern value = "\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d[-,+]\d\d:\d\d"/>
+                  </restriction>
+                </simpleType>
+              </element>
+              <element name = "expires"  minOccurs = "0">
+                <simpleType>
+                  <restriction base = "xs:dateTime">
+                    <pattern value = "\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d[-,+]\d\d:\d\d"/>
+                  </restriction>
+                </simpleType>
+              </element>
+              <element name = "senderName" type = "xs:string" minOccurs = "0"/>
+              <element name = "headline" type = "xs:string" minOccurs = "0"/>
+              <element name = "description" type = "xs:string" minOccurs = "0"/>
+              <element name = "instruction" type = "xs:string" minOccurs = "0"/>
+              <element name = "web" type = "xs:anyURI" minOccurs = "0"/>
+              <element name = "contact" type = "xs:string" minOccurs = "0"/>
+              <element name = "parameter" minOccurs = "0" maxOccurs = "unbounded">
+                <complexType>
+                  <sequence>
+                    <element ref = "cap:valueName"/>
+                    <element ref = "cap:value"/>
+                  </sequence>
+                </complexType>
+              </element>
+              <element name = "resource" minOccurs = "0" maxOccurs = "unbounded">
+                <complexType>
+                  <sequence>
+                    <element name = "resourceDesc" type = "xs:string"/>
+                    <element name = "mimeType" type = "xs:string"/>
+                    <element name = "size" type = "xs:integer" minOccurs = "0"/>
+                    <element name = "uri" type = "xs:anyURI" minOccurs = "0"/>
+                    <element name = "derefUri" type = "xs:string" minOccurs = "0"/>
+                    <element name = "digest" type = "xs:string" minOccurs = "0"/>
+                  </sequence>
+                </complexType>
+              </element>
+              <element name = "area" minOccurs = "0" maxOccurs = "unbounded">
+                <complexType>
+                  <sequence>
+                    <element name = "areaDesc" type = "xs:string"/>
+                    <element name = "polygon" type = "xs:string" minOccurs = "0" maxOccurs = "unbounded"/>
+                    <element name = "circle" type = "xs:string" minOccurs = "0" maxOccurs = "unbounded"/>
+                    <element name = "geocode" minOccurs = "0" maxOccurs = "unbounded">
+                      <complexType>
+                        <sequence>
+                          <element ref = "cap:valueName"/>
+                          <element ref = "cap:value"/>
+                        </sequence>
+                      </complexType>
+                    </element>
+                    <element name = "altitude" type = "xs:decimal" minOccurs = "0"/>
+                    <element name = "ceiling" type = "xs:decimal" minOccurs = "0"/>
+                  </sequence>
+                </complexType>
+              </element>
+            </sequence>
+          </complexType>
+        </element>
+        <any minOccurs = "0" maxOccurs = "unbounded" namespace = "http://www.w3.org/2000/09/xmldsig#" processContents = "lax"/>
+      </sequence>
+    </complexType>
+  </element>
+  <element name = "valueName" type = "xs:string"/>
+  <element name = "value" type = "xs:string"/>
+</schema>
diff --git a/app/xml_schemas/__init__.py b/app/xml_schemas/__init__.py
new file mode 100644
index 000000000..4d8d11ef0
--- /dev/null
+++ b/app/xml_schemas/__init__.py
@@ -0,0 +1,19 @@
+from lxml import etree
+from pathlib import Path
+
+
+def validate_xml(document, schema_file_name):
+
+    path = Path(__file__).resolve().parent / schema_file_name
+    contents = path.read_text()
+
+    schema_root = etree.XML(contents.encode('utf-8'))
+    schema = etree.XMLSchema(schema_root)
+    parser = etree.XMLParser(schema=schema)
+
+    try:
+        etree.fromstring(document, parser)
+    except etree.XMLSyntaxError:
+        return False
+
+    return True
diff --git a/requirements-app.txt b/requirements-app.txt
index 8688b3922..cc017a729 100644
--- a/requirements-app.txt
+++ b/requirements-app.txt
@@ -24,6 +24,7 @@ strict-rfc3339==0.7
 rfc3987==1.3.8
 cachetools==4.2.0
 beautifulsoup4==4.9.3
+lxml==4.6.2
 
 notifications-python-client==5.7.1
 
diff --git a/requirements.txt b/requirements.txt
index bb5c70107..f9390d13e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -26,6 +26,7 @@ strict-rfc3339==0.7
 rfc3987==1.3.8
 cachetools==4.2.0
 beautifulsoup4==4.9.3
+lxml==4.6.2
 
 notifications-python-client==5.7.1
 
@@ -39,18 +40,18 @@ prometheus-client==0.9.0
 gds-metrics==0.2.4
 
 ## The following requirements were added by pip freeze:
-alembic==1.4.3
+alembic==1.5.0
 amqp==1.4.9
 anyjson==0.3.3
 attrs==20.3.0
-awscli==1.18.215
+awscli==1.18.216
 bcrypt==3.2.0
 billiard==3.3.0.23
 bleach==3.2.1
 blinker==1.4
 boto==2.49.0
-boto3==1.16.55
-botocore==1.19.55
+boto3==1.16.56
+botocore==1.19.56
 certifi==2020.12.5
 chardet==4.0.0
 click==7.1.2
diff --git a/tests/app/v2/broadcast/test_post_broadcast.py b/tests/app/v2/broadcast/test_post_broadcast.py
index 587fe489b..e38918add 100644
--- a/tests/app/v2/broadcast/test_post_broadcast.py
+++ b/tests/app/v2/broadcast/test_post_broadcast.py
@@ -122,3 +122,25 @@ def test_valid_post_cap_xml_broadcast_returns_201(
     assert response_json['template_name'] is None
     assert response_json['template_version'] is None
     assert response_json['updated_at'] is None
+
+
+def test_invalid_post_cap_xml_broadcast_returns_400(
+    client,
+    sample_broadcast_service,
+):
+    auth_header = create_authorization_header(service_id=sample_broadcast_service.id)
+
+    response = client.post(
+        path='/v2/broadcast',
+        data="<alert>Oh no</alert>",
+        headers=[('Content-Type', 'application/cap+xml'), auth_header],
+    )
+
+    assert response.status_code == 400
+    assert json.loads(response.get_data(as_text=True)) == {
+        'errors': [{
+            'error': 'BadRequestError',
+            'message': 'Request data is not valid CAP XML'
+        }],
+        'status_code': 400,
+    }