Security Configuration Checklists Program

There are many threats to users’ computers, ranging from remotely launched network service exploits to malicious code spread through e-mails, malicious Web sites, and file downloads. Vulnerabilities in IT products are discovered on a daily basis and many ‘ready-to-use’ exploits are widely available on the Internet. Because IT products are often intended for a variety of audiences, restrictive security controls are usually not enabled by default by the product vendor, so many IT products are immediately vulnerable “out-of-the-box.” It is a complicated, arduous, and time-consuming task for even experienced system administrators to identify a reasonable set of security settings for many IT products.  While the solutions to IT security are complex, one basic and effective tool is the security configuration checklist.

The goals of the NIST Checklist Program are—

• To facilitate the development and sharing of security configuration checklists by providing a framework for checklist providers/developers to submit checklists to NIST;
• To assist checklist developers in generating content that conforms to common baseline levels of security;
• To assist checklist providers/developers and users by providing guidelines for enhancing the documentation and usability of security guidance;
• To provide a managed process for the review, update, and maintenance of security checklists;
• To provide checklists in standard XML format as per the Security Content Automation Protocol (SCAP) for use by commercial-off-the-shelf (COTS) security tools; and
• To provide an easy-to-use repository of checklists.

This program also assists product vendors by providing their vendor-developed checklists to users via a government Web site to secure “out-of-the-box” installations.  It is advisable for product users to consult the checklist repository for updates to pre-installed or vendor-supplied checklists.

A security configuration checklist (sometimes called a lockdown, hardening guide, or benchmark) is a series of instructions for configuring a product to a particular security level (or baseline).  Typically, checklists are created by IT vendors for their own products; however, checklists are also created by other organizations such as consortia, academia, and government agencies. The use of well-written, standardized checklists can markedly reduce the vulnerability exposure of IT products. Checklists have proven particularly helpful to small organizations and individuals that have limited resources for securing their systems.

A checklist might include any of the following:

• Configuration files that automatically set various security settings (standard XML format such as that utilized in the SCAP, executables, security templates that modify settings, and scripts);
• Documentation (for example, a text file) that instructs the checklist user how to interactively configure software to recommended security settings;
• Documentation explaining the recommended methods to securely install and configure a device; and
• Policy documents that set forth guidelines for such things as auditing, authentication security (for example, passwords), and perimeter security.

Checklists can also include administrative practices (such as management and operational controls) for an IT product that go hand-in-hand with improvements to the product’s security.

Many organizations and product vendors have created security checklists, and the checklists vary in terms of format, applicability, quality, and usability.  Many checklists have become “outdated” in the course of the product life cycle as software updates and upgrades were released.  The NIST Checklist Program established a centralized repository for checklist content and subsequent updates so that consumers could use this “one-stop-shop” to locate the most current security guidance documents. By defining applicable scenarios and distribution formats, the NIST Checklist program, in conjunction with the ISAP effort, assists organizations in securing their IT systems and determining ongoing compliance to legislation such as FISMA through the use of COTS products.

Although the use of security configuration checklists can greatly improve overall levels of security in organizations, checklists cannot ensure a system or a product is 100 percent secure. However, use of checklists that emphasize hardening of systems by reducing the attack surface, offer countermeasures against software flaws or “bugs” and suggest appropriate/current patches will result in greater levels of product security and protection from future threats.

We released the final version of SP 800-70, Security Configuration Checklists Program for IT Products – Guidance for Checklists Users and Developers, in May 2005; however, with the advent of the joint-agency ISAP, we are in the process of revising the SP 800-70 publication to encourage the production, submission, and maintenance of IT system-related checklists in standard XML format.  The NIST Beta Checklists repository, released in May 2005, contains checklists and descriptions for over 110 checklists addressing approximately 130 platforms, including but not limited to, database systems, Dynamic Host Configuration Protocol (DHCP) servers, directory services, Domain Name System (DNS) servers, firewalls, multi functional peripherals, network routers, network switches, operating systems, vulnerability management software, Web browsers, Web servers, and popular desktop and office automation products.

The NIST Checklist program was officially integrated into the FISMA Implementation Project by a charter document entitled SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist.  Although the principal goal of SP 800-68 was to recommend and explain tested, secure settings for Windows XP workstations, with the objective of simplifying the administrative burden of improving the security of Windows XP systems, the document also included mappings to the FISMA technical controls.  This mapping gave rise to the notion that we should continue to provide mappings from the lower-level security recommendations to higher-level documents (NIST SP 800-53, the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), NSA Guides, etc.) so as to realize the fact that security and compliance are interrelated at the lowest level.  By partnering with the NSA and DISA, the joint-agency effort quickly adopted a standard format for expressing both policy and system-level checklist content in standard XML format; specifically, XCCDF and OVAL.  As a result, checklists can now be expressed in a more usable and consistent format which is being adopted by COTS security tool providers for securing IT systems, monitoring compliance, and facilitating measurement.  The notion of partnering with vendors and private industry to produce original checklists and translate English-prose checklists into the standard format, associating compliance mappings among the various Federal agency security framework and guidance documents, is realized via the NIST Checklist’s companion program, the Information Security Automation Program (ISAP).  This comes at a time when organizations are concerned about ensuring that operationally deployed products (at least hundreds if not thousands) are updated with security patches and secure configuration.  The need to automate this laborious, costly, and resource-consuming process has never been greater. By offering this service, the NIST Checklist program, in conjunction with ISAP, can help reduce the level of effort required to perform vulnerability identification, remediation, and compliance reporting and allow organizations to refocus valuable personnel resources on other problems.

This program is in cooperation with checklist development activities at Federal agencies, including DISA and NSA, private industry, Federally Funded Research and Development Centers (FFRDCs), academia, and not-for-profit organizations.  Federal agencies continue to solicit participation agreements with product vendors and other checklist-producing organizations.  We gratefully recognize the Department of Homeland Security as the original sponsor of this program.