"The Cyber Security Research and Development Act of 2002 tasks National Institute of Standards and Technology (NIST) to “develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become widely used within the Federal Government.” Various Federal organizations (NIST, NSA, DISA, etc.), consortia (e.g., Center for Internet Security), and some commercial vendors produce these checklists. Such checklists when combined with well-developed guidance, leveraged with high-quality security expertise, vendor product knowledge, operational experience, and accompanied with tools can markedly reduce the vulnerability exposure of an organization. To meet this challenging requirement to produce checklists for the spectrum of IT products widely used in the government, NIST has developed a proposal to solicit from IT vendors, consortia, industry and government organizations, and others in the public and private sector to produce additional checklists and associated guidance material to NIST. These materials would then be made available for display and downloading from the NIST Computer Security Resource Center (CSRC) Web site (http://csrc.nist.rip). To gather feedback on the proposed approach, NIST is announcing a workshop to identify current and planned Federal government checklist activities and related needs, existing and planned voluntary efforts for building security checklists, and current industry capabilities for the development of checklists and the associated templates that describe sets of security configurations for IT products widely used in the United States Government (USG).
It is anticipated that the workshop will support the development of a standard Extensible Markup Language (XML) template for security configuration checklist descriptions, and a guideline on producing consensus checklists that can be searched, compared, shared freely, and used by the USG and Internet community at large. The goal of this initial workshop is to collect suggestions from organizations that have already developed or are involved in the development of such checklists to gain their input on key items that should be included within the template. The detailed draft agenda and supporting documentation for the workshop will be available prior to the workshop from the NIST CSRC Web site at http://csrc.nist.rip/checklists by July 31, 2003."