Updated Draft Guidelines for National Checklist Program for IT Products

NIST Special Publication (SP) 800-70r5 ipd (Revision 5, initial public draft), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available for public comment through January 16, 2026, at 11:59 PM (EST). 

NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. SP 800-70r5 ipd describes the uses, benefits, and management of checklists and checklist control catalogs, as well as the policies, procedures, and general requirements for participation in the NCP.

Why Security Configuration Checklists Matter

A security configuration checklist is a document or technical content that contains instructions or procedures for securely configuring an IT product to match an operational environment’s risk tolerance, verifying that the product has been configured properly, and/or identifying unauthorized changes to the product. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impacts of successful attacks, and identify changes that might otherwise go undetected.

What’s New in Revision 5?

This revision introduces significant updates to improve usability, automation, and alignment with modern cybersecurity practices.

Key Highlights

• Traceability and Compliance: Enhanced mapping concepts between checklist settings, NIST Cybersecurity Framework (CSF) 2.0 outcomes, SP 800-53 controls, and Common Configuration Enumeration (CCE) identifiers for evidence-ready automation and reporting
• Expanded Coverage: Guidance that includes cloud platforms, IoT, and AI systems and reflects the latest NIST research and federal requirements
• Modernized Automation: Explicit support for a wide range of automated checklist formats
• Control Catalog Approach: Encourages developers to use catalogs of controls for rapid, consistent checklist generation and easier tailoring to different risk postures
• Operational Environment Tailoring: Detailed recommendations for customizing checklists to fit stand-alone, managed (enterprise), specialized security-limited functionality (SSLF), and legacy environments
• Checklist Life Cycle: Clear procedures for checklist development, testing, documentation, submission, public review, maintenance, and archival

Intended Audience

This document is intended for users and developers of security configuration.  

• For checklist users, this document makes recommendations on how they should select checklists from the NIST National Checklist Repository, evaluate and test checklists, and apply them to IT products.
• For checklist developers, this document sets forth the policies, procedures, and general requirements for participation in the NCP.

Submit Comments

The comment period for SP 800-70r5 ipd is open through January 16, 2026, at 11:59 PM (EST). Email comments to: checklists [at] nist.gov (checklists[at]nist[dot]gov).