Publications
July 19, 2023: URLs for CSRC publication details pages have changed. Legacy URLs should automatically redirect to the new URLs. However, links to the actual publications have NOT changed (e.g., DOIs and PDFs on nvlpubs.nist.gov). Please send inquiries to
csrc-inquiry@nist.gov.
Further development of this draft has ceased (February 15, 2018).
National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
Documentation
Topics
Date Published: August 2017
Comments Due:
Email Questions to:
Author(s)
Stephen Quinn (NIST), Murugiah Souppaya (NIST), Melanie Cook (NIST), Karen Scarfone (Scarfone Cybersecurity)
Announcement
NIST requests public comments on the release of Draft Special Publication 800-70 Revision 4, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. Using security configuration checklists to verify the configuration of information technology (IT) products and identify unauthorized configuration changes can minimize product attack surfaces, reduce vulnerabilities, and lessen the impact of successful attacks. To facilitate development of checklists and to make checklists more organized and usable, NIST established the National Checklist Program (NCP). This publication explains how to use the NCP to find and retrieve checklists, and it also describes the policies, procedures, and general requirements for participation in the NCP.
A security configuration checklist is a document that contains instructions or procedures for configuring an information technology (IT) product to an operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impact of successful attacks, and identify changes that might otherwise go undetected. To facilitate development of checklists and to make checklists more organized and usable, NIST established the National Checklist Program (NCP). This publication explains how to use the NCP to find and retrieve checklists, and it also describes the policies, procedures, and general requirements for participation in the NCP.
A security configuration checklist is a document that contains instructions or procedures for configuring an information technology (IT) product to an operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product....
See full abstract
A security configuration checklist is a document that contains instructions or procedures for configuring an information technology (IT) product to an operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impact of successful attacks, and identify changes that might otherwise go undetected. To facilitate development of checklists and to make checklists more organized and usable, NIST established the National Checklist Program (NCP). This publication explains how to use the NCP to find and retrieve checklists, and it also describes the policies, procedures, and general requirements for participation in the NCP.
Hide full abstract
Keywords
change detection; checklist; information security; National Checklist Program (NCP); security configuration checklist; Security Content Automation Protocol (SCAP); software configuration; vulnerability
Control Families
Audit and Accountability; Configuration Management; System and Communications Protection
Documentation
Publication:
Draft SP 800-70 Rev. 4 (pdf)
Supplemental Material:
None available
Document History:
08/01/17: SP 800-70 Rev. 4 (Draft)
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
