The solutions to IT security are complex, one basic but effective tool is a security configuration checklist. A security checklist is a document that contains instructions for securely configuring an IT product for an operational environment or verifying that an IT product has already been securely configured. Whenever feasible, organizations should apply checklists to operating systems and applications to reduce the number of vulnerabilities that attackers can attempt to exploit and to lessen the impact of successful attacks. The use of checklists improves the consistency and predictability of system security. There is no checklist that can make a system or product 100% secure, and using checklists does not eliminate the need for ongoing security maintenance, such as patch installation. However, organizations can reduce the number of ways in which their systems can be attacked and achieve greater levels of product security and protection from future threats by using checklists that emphasize hardening of systems against software flaws (e.g., by applying patches and eliminating unnecessary functionality) and configuring systems securely.
To facilitate development of security configuration checklists for IT products and to make checklists more organized and usable, NIST established the National Checklist Program. The goals of the NCP are to—
The National Checklist Program (NCP) is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP). SCAP enables standards based security tools to automatically perform configuration checking using NCP checklists.
Lead Organizational Unit:ITL
Related Programs and Projects:
For more information regarding the Security Configuration Checklists for Commercial IT Products, please visit the Computer Security Division's National Vulnerability Database (NVD) website.
100 Bureau Drive