The National Checklist Program is a resource for configuring IT products to help ensure a baseline of security is being met. A revised set of guidelines for using checklists is available for review.
Understanding and maintaining the configuration of IT systems and devices is a key part of IT security. But with scores or hundreds of devices and programs in an enterprise and thousands of possible configurations, maintaining a configuration for optimal performance and security in a dynamic environment is a serious challenge.
Security configuration checklists for products in specific operational environments can simplify the task, and the federal government has established a repository with more than 280 checklists to help administrators keep tabs on the systems under their authority.
The National Checklist Program was established by the National Institute of Standards and Technology, and is maintained by NIST and the Homeland Security Department in the National Vulnerability Database. Checklists are used to verify that a product has been configured properly and to identify changes—authorized or unauthorized. These checklists can help minimize the attack surface for systems, reduce the number of vulnerabilities, lessen the impact of successful attacks, and identify changes that might otherwise go undetected.
A revised set of guidelines is being developed by NIST to help administrators and developers use the checklists. Draft Special Publication 800-70 Revision 3, National Checklist Program for IT Products–Guidelines for Checklist Users and Developers, describes security configuration checklists and their benefits, and explains how to use the NCP. It also describes the policies, procedures, and general requirements for participation in the NCP.
Configuration management is a “complicated, arduous, and time-consuming task even for experienced system administrators,” NIST says in the guidelines. The checklist is a “simple yet effective tool” that can reduce the vulnerability exposure of IT products, particularly in small organizations with limited IT security resources.
Checklists are also called lockdown or hardening guides, benchmarks and, particularly in government, Security Technical Implementation Guides (STIGs). They may take the form of a prose template, an automated script, Extensible Markup Language (XML) content or other formats. What they have in common is that they document security configuration settings for a specific IT product or category of products.
NCP brings together hundreds of such checklists for products commonly used in government, organizing them to make them more accessible and usable.
Because checklists are specific to the environment in which a product is being used, they should be tailored by each organization to meet particular needs, depending on its security and operational requirements. Security is almost always a trade-off—an increase in security generally means a reduction in functionality or usability, or greater complexity. So the appropriate baseline will vary with each organization, and sometimes with each user.
Revision 3 of the NIST guidelines, recently published in draft for public comment, updates the previous version, released in 2011, by streamlining the text, removing outdated content, and updating the requirements for U.S. Government Configuration Baselines (USGCB). Recommendations in this document include:
- Organizations should apply checklists to operating systems and applications to reduce the number of vulnerabilities and to lessen the impact of successful attacks. No checklist can provide complete security, but an appropriate checklist can improve it.
- When selecting checklists, users should carefully consider the source of each and the degree of automation it provides. Tier IV checklists, the highest tier, have all security settings documented in machine-readable, standardized Security Content Automation Protocol (SCAP) formats.
- Users should customize and test checklists before applying them to production systems. A checklist that is not mandatory for an organization to adopt should be considered a starting point for customization.
- Users should take their operational environment into account when selecting checklists, and developers should target their checklists at specific operational environments. Checklists are significantly more useful when they apply to common operational environments.
- NIST strongly encourages IT product vendors to develop security configuration checklists for their products and contribute them to the NIST National Checklist Repository. Vendors have the most expertise on the possible security configuration settings and the best understanding of how the settings relate to and affect each other.
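The points above (a checklist verifies that a product is configured as intended, flags changes to that configuration, and should be tailored by each organization before use) are easier to see with a small working model. The Python below is an added illustration, not code from the article, from NIST or from the NCP: it encodes a few hardening rules for an OpenSSH server, checks a configuration against them, applies an organization's tailoring, and reports drift from an approved snapshot. The rule identifiers, the default values assumed for absent keywords, and both sshd_config-style inputs are constructed for the example. Real NCP content is SCAP XML (XCCDF and OVAL), not Python, and this parser ignores sshd's conditional Match blocks.

```python
"""Illustrative checklist-driven configuration check (added example).

Assumptions not taken from the article: the checklist is a list of Python
rules rather than SCAP (XCCDF/OVAL) content, rule identifiers are made up,
the per-keyword defaults are assumptions for this example, and the inputs
are constructed sshd_config-style text, not a real host's file.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str        # hypothetical identifier, e.g. "ssh-01"
    key: str            # configuration keyword being checked
    allowed: Set[str]   # values that satisfy the rule
    default: str        # value assumed when the keyword is absent (assumption)
    severity: str


# Constructed checklist: one possible hardening choice, not NIST's own content.
CHECKLIST: List[Rule] = [
    Rule("ssh-01", "PermitRootLogin", {"no"}, "yes", "high"),
    Rule("ssh-02", "PasswordAuthentication", {"no"}, "yes", "medium"),
    Rule("ssh-03", "PermitEmptyPasswords", {"no"}, "no", "high"),
    Rule("ssh-04", "X11Forwarding", {"no"}, "no", "low"),
    Rule("ssh-05", "MaxAuthTries", {"1", "2", "3", "4"}, "6", "medium"),
]

APPROVED_SNAPSHOT = """\
# constructed: the configuration as approved after hardening
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
"""

CURRENT_CONFIG = """\
# constructed: the same host some weeks later
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 5
# duplicate below: sshd keeps the first value, so this line does not help
PermitRootLogin no
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines; '#' comment lines and blanks are ignored.

    Keywords are compared case-insensitively and, as sshd does, the first
    occurrence of a keyword wins, so a later duplicate cannot silently
    override a setting placed near the top of the file.
    """
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        config.setdefault(parts[0].lower(), parts[1].strip())
    return config


def effective_value(config: Dict[str, str], rule: Rule) -> Tuple[str, bool]:
    """Return (value, explicit): the explicit setting, or the assumed default."""
    key = rule.key.lower()
    if key in config:
        return config[key], True
    return rule.default, False


def evaluate(config: Dict[str, str], checklist: List[Rule]) -> List[dict]:
    """Check every rule and record the value that was actually in effect."""
    findings = []
    for rule in checklist:
        value, explicit = effective_value(config, rule)
        findings.append({
            "rule_id": rule.rule_id, "key": rule.key, "actual": value,
            "explicit": explicit, "severity": rule.severity,
            "status": "pass" if value in rule.allowed else "fail",
        })
    return findings


def failures(findings: List[dict]) -> List[str]:
    return [f["rule_id"] for f in findings if f["status"] == "fail"]


def tailor(checklist: List[Rule], overrides: Dict[str, Set[str]]) -> List[Rule]:
    """Apply organization-specific allowed values; the baseline is a starting point."""
    return [replace(r, allowed=overrides[r.rule_id]) if r.rule_id in overrides else r
            for r in checklist]


def drift(baseline: Dict[str, str],
          current: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Keywords whose explicit value differs from an earlier approved snapshot."""
    return {k: (baseline.get(k), current.get(k))
            for k in set(baseline) | set(current)
            if baseline.get(k) != current.get(k)}


if __name__ == "__main__":
    current = parse_config(CURRENT_CONFIG)
    for f in evaluate(current, CHECKLIST):
        note = "" if f["explicit"] else " (default)"
        print(f"{f['rule_id']} {f['status']:4} {f['key']}={f['actual']}{note}")
    print("drift:", drift(parse_config(APPROVED_SNAPSHOT), current))
```

Run against the constructed "current" file, the baseline checklist fails ssh-01 and ssh-05; tailoring ssh-05 to allow up to five attempts leaves only ssh-01, and the drift check names the two keywords that changed since the approved snapshot, which is the "identify changes, authorized or unauthorized" use the article describes.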
Comments on draft SP 800-70 Revision 3 should be sent by April 27 to 800-70comments@nist.gov with “Comments SP 800-70” in the subject line.