Guidelines for Security Configuration Checklist Users and Developers

A security configuration checklist (also called a lockdown, hardening guide or benchmark) is a series of instructions for configuring a product to a particular operational environment. Checklists can comprise templates or automated scripts, patches or patch descriptions, Extensible Markup Language (XML) files and other procedures. Checklists are intended to be tailored by each organization to meet its particular security and operational requirements. Some checklists also contain instructions for verifying that the product has been configured properly. Typically, checklists are created by IT vendors for their own products; however, checklists are also created by other organizations with the necessary technical competence, such as academia, consortia and government agencies. The use of well-written, standardized checklists can markedly reduce the vulnerability exposure of IT products. Checklists can be particularly helpful to small organizations and to individuals with limited resources for securing their systems.

NIST maintains the National Checklist Repository, which is a publicly available resource that contains information on a variety of security configuration checklists for specific IT products or categories of IT products. The repository, which is located at http://checklists.nist.gov/, contains metadata that describes each checklist. The repository also hosts copies of some checklists, primarily those developed by the federal government, and has pointers to the other checklists’ locations. Users can browse and search the repository’s metadata to locate a particular checklist using a variety of criteria, including the product category, vendor name and submitting organization. Having a centralized checklist repository makes it easier for organizations to find the current, authoritative versions of security checklists and to determine which ones best meet their needs.

This document is intended for users and developers of security configuration checklists. For checklist users, this document makes recommendations for how they should select checklists from the NIST National Checklist Repository, evaluate and test checklists and apply them to IT products. The document also provides general information to users about threats and fundamental technical security practices for associated operational environments. For checklist developers, this document sets forth the policies, procedures and general requirements for participation in the NIST National Checklist Program (NCP).

The attached Zip file includes:

• Intro Page.doc
• Cover Sheet and Terms.pdf
• Guidelines for Security Configuration Checklist Users and Developers.pdf