NIST Revises SP 800-70 | National Checklist Program for IT Products: Guidelines for Checklist Users and Developers

The final version of NIST Special Publication (SP) 800-70r5 (Revision 5), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available.

NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize their location, and make them broadly accessible. SP 800-70r5 describes the uses, benefits, and management of checklists and checklist control catalogs, as well as the policies, procedures, and general requirements for participation in the NCP.

Why Security Configuration Checklists Matter

Security configuration checklists help organizations to securely configure an IT product to match an environment’s risk tolerance, verify proper configuration, and/or identify unauthorized changes. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impacts of successful attacks, and identify changes that might otherwise go undetected.

What’s New in Revision 5?

This revision introduces significant updates to improve usability, automation, and alignment with modern cybersecurity practices.

Key Highlights

  • Traceability and Compliance: Enhanced mapping concepts between checklist settings, NIST Cybersecurity Framework (CSF) 2.0 outcomes, SP 800-53 controls, and Common Configuration Enumeration (CCE) identifiers for evidence-ready automation and reporting
  • Expanded Coverage: Guidance that includes cloud platforms, IoT, and AI systems and reflects the latest NIST research and federal requirements
  • Modernized Automation: Explicit support for a wide range of automated checklist formats
  • Control Catalog Approach: Encourages developers to use catalogs of controls for rapid, consistent checklist generation and easier tailoring to different risk postures
  • Operational Environment Tailoring: Detailed recommendations for customizing checklists to fit stand-alone, managed (enterprise), specialized security-limited functionality (SSLF), and legacy environments
  • Checklist Life Cycle: Clear procedures for checklist development, testing, documentation, submission, public review, maintenance, and archival

Intended Audience

This document is intended for users and developers of security configuration checklists.

  • For checklist users, this document makes recommendations on how they should select checklists from the NIST National Checklist Repository, evaluate and test checklists, and apply them to IT products.
  • For checklist developers, this document sets forth the policies, procedures, and general requirements for participation in the NCP.
Released May 8, 2026