Security Checklists for IT Products - PowerPoint PPT Presentation

About This Presentation
Title: Security Checklists for IT Products

Description: A user searches the fields of the templates to locate appropriate checklists ... By specific product name Microsoft Windows 2000. By security environment High Security ...

Slides: 19
Provided by: NIST8
Learn more at: https://csrc.nist.gov

Transcript and Presenter's Notes

Title: Security Checklists for IT Products


1
Security Checklists for IT Products
2
Agenda
  • Overview of Checklist Program
  • Discussion of Operational Procedures
  • Current Status
  • Next Steps

3
Cyber Security Research and Development Act of
2002
  • Directs NIST to
    • Develop, and revise as necessary, a checklist
      setting forth settings and option selections that
      minimize the security risks associated with each
      computer hardware or software system that is, or
      is likely to become, widely used within the
      Federal Government.

4
In Response
  • NIST is developing a method for IT vendors,
    consortia, industry, government organizations,
    and others in the public and private sectors to
    voluntarily submit checklists in a standardized
    format to be placed in a public web accessible
    database maintained by NIST
  • NIST is
    • Creating a checklist development and description
      framework
    • Hosting a checklist web site for checklist users
    • Facilitating user demand for checklists
    • Becoming an ambassador to vendors for checklists

5
What is a Checklist?
  • Often called lockdown guides, benchmark
    configurations, hardening guides, or other terms
  • In simple terms, a document or list of procedures
    to secure a system or application
  • Checklists are implementation guides used to
    provide security controls to the information
    system
  • Could include scripts, add-on templates, or
    executables

6
Why Checklists
  • Most products are insecure out of the box
  • Most users need assistance in configuring
    security controls due to complexity of the
    technology
  • Demand for easy-to-understand checklists for
    improving security
  • Demand for checklists tailored to different
    environments, such as home, small office,
    enterprise, or higher security
  • Checklists can have a large impact on security
    with relatively small upfront investment

7
Goals of the Checklist Program
  • To significantly improve out of the box security
  • To be a portal for checklists in general
  • To encourage primarily vendors to submit and
    support their checklists
  • To encourage vendors to develop checklists as
    part of their products
  • To leverage existing checklist development work

8
NIST Checklist Process
  • Producer: Submit the Checklist
  • NIST: Review and Post as a Candidate
  • Consumer: Provide Feedback and Comments
  • Producer: Respond to Comments and Maintain
  • NIST: Review and Post the Checklist
  • Timeframe Goal: 2 Weeks
9
NIST Checklist Template
  • An XML template used to describe a checklist
  • Fields include
    • IT product name
    • Environment (high security, enterprise, SOHO)
    • How the checklist was tested
    • Revision dates
  • Cataloged in the web-searchable database
  • A user searches the fields of the templates to
    locate appropriate checklists

10
Security Checklists for Commercial IT Products
About Checklists / Search the Security Checklist Database

Under the Cyber Security Research and Development
Act, NIST is charged with developing security
checklists. These checklists describe security
settings for commercial IT products.

Security Environment
Security environments are SOHO, Enterprise, High
Security, or Custom. Checklists can also be
associated with the security categorization
contained in FIPS 199.

Partners
The checklists provided on this website are
provided by a wide variety of vendors, government
agencies, consortia, non-profit organizations, and
user organizations. For a complete list, click
here. NIST gratefully acknowledges their
contributions and assistance in providing this
security service.

Disclaimer
The contents of each checklist are the
responsibility of the submitting organization. We
encourage users to send comments on specific
checklists to the appropriate author.

Search
  • By specific product name: Microsoft Windows 2000
  • By security environment: High Security
  • By product type: Operating System
Results (list of checklists)
  • NIST Windows 2000 Special Publication
  • NSA Windows 2000 Security Guide
  • DISA Windows 2000 Security Configuration Guide
  • CIS Windows 2000 Guide Level 2
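The XML template of slide 9 and the field-based search of slide 10 can be modelled in a few dozen lines. The following is an added example, not code from the presentation or from NIST: the element and attribute names (`<checklist product= type= environment= submitter=>`, `<title>`, `<tested>`, `<revised>`) are assumptions, since the slides name the fields but never show the template's real schema, and the records are constructed (the four Windows 2000 / High Security entries reproduce the slide's search results; the others are made up so that the search has something to exclude and the completeness check, which mirrors the participation requirement to describe testing and keep revision dates, has something to flag).

```python
"""Toy model of the NIST checklist template database (added example).

Schema assumptions: each submission is a <checklist> element carrying the
product, product type, environment and submitter as attributes, with
<title>, <tested> and <revised> children. The real template's schema is not
shown on the slides.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample submissions (not real NIST database content).
SAMPLE_TEMPLATES = """<checklists>
  <checklist product="Microsoft Windows 2000" type="Operating System" environment="High Security" submitter="NIST">
    <title>NIST Windows 2000 Special Publication</title>
    <tested>Applied to Windows 2000 SP4 lab hosts (constructed)</tested>
    <revised>2004-01-15</revised>
  </checklist>
  <checklist product="Microsoft Windows 2000" type="Operating System" environment="High Security" submitter="NSA">
    <title>NSA Windows 2000 Security Guide</title>
    <tested>Lab tested (constructed)</tested>
    <revised>2003-11-02</revised>
  </checklist>
  <checklist product="Microsoft Windows 2000" type="Operating System" environment="High Security" submitter="DISA">
    <title>DISA Windows 2000 Security Configuration Guide</title>
    <tested>Lab tested (constructed)</tested>
    <revised>2003-12-20</revised>
  </checklist>
  <checklist product="Microsoft Windows 2000" type="Operating System" environment="High Security" submitter="CIS">
    <title>CIS Windows 2000 Guide Level 2</title>
    <tested>Lab tested (constructed)</tested>
    <revised>2004-02-01</revised>
  </checklist>
  <checklist product="Microsoft Windows 2000" type="Operating System" environment="SOHO" submitter="Example Vendor">
    <title>Example Windows 2000 Home Office Guide (constructed)</title>
    <tested>Tested on a single home PC (constructed)</tested>
    <revised>2004-01-30</revised>
  </checklist>
  <checklist product="Example Web Server" type="Web Server" environment="Enterprise" submitter="Example Vendor">
    <title>Example Web Server Lockdown Guide (constructed)</title>
    <revised>2004-02-10</revised>
  </checklist>
</checklists>
"""


@dataclass(frozen=True)
class ChecklistRecord:
    title: str
    product: str
    product_type: str
    environment: str
    submitter: str
    tested: str   # how the checklist was tested (a participation requirement)
    revised: str  # revision date

# Fields a submission must fill in before it can be posted as a candidate.
REQUIRED_FIELDS = ("title", "product", "environment", "tested", "revised")


def parse_templates(xml_text: str) -> list[ChecklistRecord]:
    """Turn submitted templates into records. Submissions come from outside
    parties, so the XML is untrusted input; a production service should parse
    it with defusedxml instead of the stdlib parser used here for brevity."""
    root = ET.fromstring(xml_text)
    records = []
    for node in root.findall("checklist"):
        records.append(ChecklistRecord(
            title=(node.findtext("title") or "").strip(),
            product=node.get("product", "").strip(),
            product_type=node.get("type", "").strip(),
            environment=node.get("environment", "").strip(),
            submitter=node.get("submitter", "").strip(),
            tested=(node.findtext("tested") or "").strip(),
            revised=(node.findtext("revised") or "").strip(),
        ))
    return records


def missing_fields(record: ChecklistRecord) -> list[str]:
    """Names of required fields the submitter left empty."""
    return [name for name in REQUIRED_FIELDS if not getattr(record, name)]


def search(records, *, product=None, environment=None, product_type=None):
    """Filter by the three slide-10 criteria. Product is a case-insensitive
    substring match; environment and product type are exact, case-insensitive."""
    def ok(r):
        return ((product is None or product.lower() in r.product.lower())
                and (environment is None
                     or r.environment.lower() == environment.lower())
                and (product_type is None
                     or r.product_type.lower() == product_type.lower()))
    return [r for r in records if ok(r)]


if __name__ == "__main__":
    recs = parse_templates(SAMPLE_TEMPLATES)
    for r in search(recs, product="Windows 2000", environment="High Security",
                    product_type="Operating System"):
        print(r.title)
    for r in recs:
        if missing_fields(r):
            print("incomplete submission:", r.title, missing_fields(r))
```

Running the block reproduces the four results shown on the slide and flags the constructed web server submission as incomplete because it lacks a description of how it was tested.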
11
Checklist Categories
  • Under review - out for public review
  • Final - completed review, issues addressed
  • Supported - support for the checklist available,
    e.g., from the submitter
  • Non-supported - no support available
  • General - non-product specific, applies to a
    technology or a class of products

12
Participation Requirements
  • Create a checklist and submit the XML template
  • Agree to respond to checklist-related
    questions/comments; must provide a POC
  • For certain checklists, agree to update the
    checklist on timely basis or else withdraw the
    checklist
  • Agree to test the checklist and describe how the
    checklist was tested

13
Reviewing Checklists
  • For all checklists, NIST will review for format,
    readability, general quality, requirements
  • NIST will perform a limited technical review in
    cases where it has expertise in the technology
  • NIST will post candidate checklists for public
    review
  • Comments will be provided to the submitter
  • Issues will be addressed by the submitter before
    final posting of the checklist

14
Current Status
  • Workshop completed 9/03, enthusiastic response
    from attendees
  • Workshop final report 2nd Qtr, FY04
  • Drafting internal procedures, 2nd Qtr, FY04
  • Checklist Special Pub 1st draft ready for public
    review 2nd Qtr, FY04
  • Comments accepted for 30 days

15
Status Continued
  • Workshop for common checklist formats with
    configuration vendors 3rd Qtr, FY04
  • Final release of Checklist Special Pub, 3rd Qtr,
    FY04
  • DISA STIG checklists mapped to checklist
    framework, 3rd, 4th Qtr, FY04
  • Windows XP checklists 4th Qtr, FY04
  • Commitment for some vendors to participate

16
Next Steps for FY05, FY06
  • Continue working on common checklist formats
  • Encourage vendors to support checklists on
    products as released
  • Encourage other agencies, consortia, and forums
    to submit checklists
  • Continue posting checklists and operating
    checklist web site

17
Contact Information
  • Tim Grance
  • Murugiah Souppaya
  • John Wack
  • NIST
  • checklists@nist.gov
  • http://csrc.nist.gov/checklists

18
Acknowledgements
  • NIST gratefully acknowledges support for the
    checklist program from the Department of Homeland
    Security
  • NIST also recognizes important contributions from
    civilian and DoD agencies, vendors, and
    organizations