Educational CyberPlayGround ®

NIST - Security Configuration check list


National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

The National Institute of Standards and Technology (NIST) is cooperating with other federal agencies, IT vendors, and with industry to advance the development and use of security configuration checklists. A security configuration checklist (sometimes called a security configuration guide, lockdown guide, hardening guide, security technical implementation guide, or benchmark) is basically a series of instructions for configuring an information technology (IT) product to an operational environment. Checklists can be useful tools for reducing vulnerabilities to systems, especially for small organizations with limited resources. IT vendors often create checklists for their own products, but other organizations such as consortia, academic groups, and government agencies have also developed them.

Checklists can be used to counter threats to computers, such as remotely launched attacks through networks and the spread of malicious code through e-mails, malicious websites, and file downloads. Vulnerabilities in IT products are discovered almost daily. Because many IT products are designed to serve a wide variety of users, they may not provide needed restrictive security controls routinely. As a result, computers can be vulnerable to threats when the products are installed. Even experienced system administrators may find it difficult and time-consuming to identify the right set of security settings for many IT products.

The NIST checklists program, described in this ITL Bulletin, includes over fifty checklists.

Why Checklists Are Needed

The Cyber Security Research and Development Act of 2002 (Public Law 107-305)
designates NIST to "develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government."

What are Checklists

A security checklist in its simplest form can be a document that contains instructions or procedures for configuring an IT product to a baseline level of security. Checklists are also commonly referred to as lockdown guides, hardening guides, security technical
implementation guides (STIGS), or benchmarks. A checklist could contain scripts, templates, and pointers to patches, or updates or firmware upgrades that can be applied to a product. A checklist might include any of the following:

* Configuration files that automatically set various security settings (e.g., executables, security templates that modify settings, scripts);

* Documentation (e.g., text file) that guides the checklist user to configure software manually;

* Documents that explain the recommended methods for the secure installation and configuration of a device; and/or

* Policy documents that set forth guidelines for activities such as audits, authentication security (e.g., passwords), and perimeter security.

The instructions in a security configuration checklist can apply to administrative practices as well as security settings for an IT product to support improvements to the product's security. Often, successful attacks on systems are the direct result of poor administrative practices such as not changing default passwords or failure to apply new patches.

The NIST program provides a consistent process for
the development, review, and use of checklists. Examples of IT product technology areas that are included are: operating systems, database systems, web servers, e-mail servers, firewalls, routers, intrusion detection systems, virtual private networks, biometric devices, smart cards, telecommunication switching devices, and web browsers.

The NIST Checklists Program

NIST is currently working with other checklist-producing organizations including the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and the Center for Internet Security (CIS), as well as IT product vendors and vendors of configuration and management

NIST checklist repository

NIST welcomes comments on all aspects of the checklists program. Comments may be submitted to

Elizabeth B. Lennon
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357


Software insecurity: Plenty of blame to go around

The reason software so often is not secure is the fault either of developers or of users.
[ ... Stuart Katzke of the National Institute of Standards and Technology said that standards and guidelines developed by NIST could help provide that methodology. He said the suite of documents produced for the Federal Information Security Management Act effectively establish a level of due diligence for government IT systems. "It is likely to become due diligence for the private sector as well,"
he said. The NIST publications establish requirements for agencies to comply with FISMA. Development of the standards and supporting guidelines are the first phase of FISMA implementation, he said. "We're completing the last document now," Katzke said. That is Special Publication 800-53A, a security control assessment guide. NIST has
begun the second phase of implementation, which is an accreditation program for security assessment providers. A third phase, development of a system to validate FISMA compliance tools, is "out in he future." "The framework that we have established for federal agencies is really applicable to any environment," Katzke said. He said NIST is working with the IEEE to standardize its suite of documents that would help any organization go through the categorization, assessment and accreditation process required of government systems by FISMA.]

UCITA - BAD SOFTWARE - The Right Of Return - Warranties for "Free" Software - It does not require software publishers to reveal known defects

[ ... Evaluation can take months or years and can cost from
hundreds-of-thousands to millions of dollars. One person said theCommon Criteria evaluation was not worth the $150,000 "entry fee" a vendor could expect to pay unless the vendor had a government contract in hand that would justify the process.