Government releases specs for security checklists

The National Institute of Standards and Technology and the National Security Agency have released a specification to standardize IT security checklists.

NIST and NSA collaborated with representatives from industry to develop the Extensible Configuration Checklist Description Format (XCCDF) as a way to provide a uniform format for security checklists, benchmarks and other configuration guidance.

In their document, NIST and NSA noted that the use of such checklists "can markedly reduce the vulnerability exposure of an organization." By developing a single format for use in government, there is the added benefit that agencies can easily share checklist information, NIST and NSA said.

The Cyber-Security R&D Act of 2002 directed NIST to create and maintain a checklist of settings and option selections that will minimize security risks for hardware and software used within the federal government.

"A uniform and widely used format for security benchmarks, checklists and related documents will help to improve security of government and private IT installations by enabling more timely and effective knowledge sharing and by fostering automated security testing and monitoring," according to an NSA statement.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above.

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.


contracts DB