NIST makes lists

Draft NIST Special Publication 800-70, NIST Security Configuration Checklists Program

A program that experts have said is the missing piece in federal efforts to promote secure computing will be ready later this year.

Officials at the National Institute of Standards and Technology announced that a security configuration checklists program for information technology products, including a logo that vendors can put on their wares, is on track for completion before the end of 2004.

A security configuration checklist describes the software options and settings that users can choose to minimize the security risks associated with a particular type of hardware or software. More commonly referred to as lockdown guides or security benchmarks, security checklists are basically documents for securing IT hardware or software in different settings. Security checklists for home computer users, for example, would be different from those for federal computer users handling sensitive data.

A checklist could include scripts, templates and pointers to Web sites where users can download software updates or firmware upgrades to make products more secure from attack by viruses and other malicious code spread via the Web.

NIST officials said they plan to distribute the lists through a Web portal, checklists.nist.gov. The role of NIST employees will be to screen checklists to see that they meet the program's requirements, publish the checklists for public review and, finally, to add checklists to the repository and remove them when they become outdated.

NIST officials have already published two security checklists, one for Microsoft Corp.'s Windows 2000 and XP Professional. They can be downloaded from a NIST Web site: csrc.nist.gov/itsec.

NIST officials will work with other organizations that produce security checklists, including the Defense Information Systems Agency and National Security Agency, and the nonprofit Center for Internet Security. The checklist program, however, has no connection to the federal government's National Information Assurance Partnership, a security program for testing products in a laboratory setting.

The scope of the security checklist program is broad, officials said, and will include operating systems, database software, Web servers, e-mail servers, routers, intrusion-detection systems, virtual private networks, biometric devices, smart cards, telecommunications switches and Web browsers.

To locate a particular checklist, users will be able to search with at least 14 different fields, including checklist point of contact, product manufacturer name, product name, product version and platforms on which the checklist was tested.

NIST officials envision the portal being used by everyone, including product developers, government agencies, businesses and citizens.

NIST's authority for creating the security checklist program comes from a 2002 law, the Cyber Security Research and Development Act. The Homeland Security Department is listed on NIST's Web site as a program sponsor.