U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

NIST Special Publication NIST SP 800-70r5 National Checklist Program for IT Products - Guidelines for Checklist Users and Developers

Published

Author(s)

Stephen Quinn, Blair Heiserman

Abstract

A security configuration checklist is a document that contains instructions, procedures, or machine-readable and executable content to configure an IT product to a specific risk posture for an operational environment, verify that the product has been configured properly, identify unauthorized configuration changes to the product, and/or produce artifacts that show the security posture of the product. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impact of successful attacks, and identify changes that might otherwise go undetected. NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. This publication explains how to use the NCP to find and retrieve checklists and describes the policies, procedures, and general requirements for participation in the NCP.
Citation
Special Publication (NIST SP) - 800-70r5
Report Number
800-70r5
NIST Pub Series
Special Publication (NIST SP)
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.SP.800-70r5
Local Download

Keywords

benchmark, change detection, checklist, information security, National Checklist Program (NCP), Security Automation, secure configuration, security configuration checklist, Security Content Automation Protocol (SCAP), software configuration, vulnerability.
Securing emerging technologies and Cybersecurity measurement

Citation

Quinn, S. and Heiserman, B. (2026), NIST Special Publication NIST SP 800-70r5 National Checklist Program for IT Products - Guidelines for Checklist Users and Developers, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-70r5, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=961991 (Accessed May 9, 2026)
Additional citation formats

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created May 8, 2026
Was this page helpful?