National Checklist Program for IT Products Guidelines for Checklist Users and Developers. Recommendations of the National Institute of Standards and Technology. Revision 1

摘要

A security configuration checklist (also called a lockdown, hardening guide, or benchmark) is a series of instructions for configuring a product to a particular operational environment. Checklists can comprise templates or automated scripts, patches or patch descriptions, Extensible Markup Language (XML) files, and other procedures. Checklists are intended to be tailored by each organization to meet its particular security and operational requirements. Some checklists also contain instructions for verifying that the product has been configured properly. Typically, checklists are created by IT vendors for their own products; however, checklists are also created by other organizations with the necessary technical competence, such as academia, consortia, and government agencies. The use of well-written, standardized checklists can markedly reduce the vulnerability exposure of IT products. Checklists can be particularly helpful to small organizations and to individuals with limited resources for securing their systems. NIST maintains the National Checklist Repository, which is a publicly available resource that contains a variety of security configuration checklists for specific IT products or categories of IT products. The repository, which is located at http://checklists.nist.gov/, contains metadata that describes each checklist. Users can browse and search the metadata to locate a particular checklist using a variety of criteria, including the product category, vendor name, and submitting organization. Having a centralized checklist repository makes it easier for organizations to find the current, authoritative versions of security checklists and to determine which ones best meet their needs.