National Checklist Program


The National Checklist Program (NCP) is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed, low-level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP). SCAP enables validated security tools to automatically perform configuration checking using SCAP-expressed NCP checklists.


To facilitate development of security configuration checklists for IT products and to make checklists more organized and usable, NIST established the NCP as described in NIST Special Publication 800-70. NIST maintains a checklist repository that contains descriptions of checklists. Users of this web site can browse the descriptions to locate a particular checklist using a variety of criteria, including the product category, vendor name, and submitting organization.

Goals for the NCP are as follows:

  • Facilitate development and sharing of checklists by providing a formal framework for vendors and other checklist developers to submit checklists to NIST
  • Provide guidance to developers to help them create standardized, high-quality checklists that conform to common operational environments
  • Help developers and users by providing guidelines for making checklists better documented and more usable
  • Encourage IT product vendors and other parties to develop checklists and to configure their products based on those checklists
  • Provide a managed process for the review, update, and maintenance of checklists
  • Provide an easy-to-use repository of checklists
  • Provide checklist content in a standardized format
  • Encourage the use of automation technologies for checklist application.

Major Accomplishments:

The National Checklist Program website is the centralized repository of security configuration setting guidance. NIST derived this list of checklists in cooperation with federal agencies, private industry, and other organizations.

End Date:


Lead Organizational Unit:



 Steve Quinn

David Waltermire

Related Programs and Projects:

The Security Content Automation Protocol (SCAP)

To learn more about the National Checklist Program, please visit the National Checklist website at:


Stephen Quinn
(301) 975-6967

100 Bureau Drive
M/S 8930
Gaithersburg, MD  20899-8930