Security Configuration Checklists for Commercial IT Products

The solutions to IT security are complex, one basic but effective tool is a security configuration checklist. A security checklist is a document that contains instructions for securely configuring an IT product for an operational environment or verifying that an IT product has already been securely configured. Whenever feasible, organizations should apply checklists to operating systems and applications to reduce the number of vulnerabilities that attackers can attempt to exploit and to lessen the impact of successful attacks. The use of checklists improves the consistency and predictability of system security. There is no checklist that can make a system or product 100% secure, and using checklists does not eliminate the need for ongoing security maintenance, such as patch installation. However, organizations can reduce the number of ways in which their systems can be attacked and achieve greater levels of product security and protection from future threats by using checklists that emphasize hardening of systems against software flaws (e.g., by applying patches and eliminating unnecessary functionality) and configuring systems securely.

To facilitate development of security configuration checklists for IT products and to make checklists more organized and usable, NIST established the National Checklist Program. The goals of the NCP are to—

• Facilitate development and sharing of checklists by providing a formal framework for vendors and other checklist developers to submit checklists to NIST
   
• Provide guidance to developers to help them create standardized, high quality checklists that conform to common operational environments
   
• Help developers and users by providing guidelines for making checklists better documented and more usable
   
• Encourage software vendors and other parties to develop checklists
   
• Provide a managed process for the review, update, and maintenance of checklists
   
• Provide an easy-to-use repository of checklists
   
• Provide checklist content in a standardized format
   
• Encourage the use of automation technologies for checklist application such as the Security Content Automation Protocol (SCAP).

The National Checklist Program (NCP) is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP). SCAP enables standards based security tools to automatically perform configuration checking using NCP checklists.