Title: Security Checklists for IT Products
1Security Checklists for IT Products
2Agenda
- Overview of Checklist Program
- Discussion of Operational Procedures
- Current Status
- Next Steps
3Cyber Security Research and Development Act of
2002
- Directs NIST to
- Develop, and revise as necessary, a checklist
setting forth settings and option selections that
minimize the security risks associated with each
computer hardware or software system that is, or
is likely to become widely used within the
Federal Government.
4In Response
- NIST is developing a method for IT vendors,
consortia, industry, government organizations,
and others in the public and private sectors to
voluntarily submit checklists in a standardized
format to be placed in a public web accessible
database maintained by NIST - NIST is
- Creating a checklist development and description
framework - Hosting a checklist web site for checklist users
- Facilitating user demand for checklists
- Becoming an ambassador to vendors for checklists
5What is a Checklist?
- Often called lockdown guides, benchmark
configurations, hardening guides, other terms - In simple terms, a document or list of procedures
to secure a system or application - Checklists are implementation guides used to
provide security controls to the information
system - Could include scripts, add-on templates, or
executables
6Why Checklists
- Most products are insecure out of the box
- Most users need assistance in configuring
security controls due to complexity of the
technology - Demand for easy-to-understand checklists for
improving security - Demand for checklists tailored to different
environments, such as home, small office,
enterprise, or higher security - Checklists can have a large impact on security
with relatively small upfront investment
7Goals of the Checklist Program
- To significantly improve out of the box security
- To be a portal for checklists in general
- To encourage primarily vendors to submit and
support their checklists - To encourage vendors to develop checklists as
part of their products - To leverage existing checklist development work
8NIST Checklist Process
Producer
NIST
Consumer
Producer
NIST
Submit theChecklist
Review and Postas a Candidate
Provide Feedback and comments
Respond to Comments and Maintain
Review and Post the Checklist
Timeframe Goal 2 Weeks
9NIST Checklist Template
- An XML template used to describe a checklist
- Fields include
- IT product name
- Environment (high security, enterprise, SOHO)
- How the checklist was tested
- Revision dates
- Cataloged in the web-searchable database
- A user searches the fields of the templates to
locate appropriate checklists
10Security Checklists for Commercial IT Products
About Checklists Search the Security
Checklist Database
Under the Cyber Security Research and Development
Act, NIST is charged with developing security
checklists. These checklists describe security
settings for commercial IT products. Security
Environment Security environments are SOHO,
Enterprise, High Security, or Custom. Checklists
can also be associated with the security as
contained in FIPS 199. Partners The checklists
provided on this website are provided by a wide
variety of vendors, government agencies,
consortia, non-profit organizations, and user
organizations. For a complete list, click here.
NIST gratefully acknowledges their contributions
and assistance in providing this security
service. Disclaimer The contents of each
checklist is the responsibility of the submitting
organization. We encourage users to send
comments on specific checklists to the
appropriate author.
Search By specific product name Microsoft
Windows 2000 By security environment High
Security By product type Operating
System Results (list of checklists) NIST
Windows 2000 Special Publication NSA Windows
2000 Security Guide DISA Windows 2000 Security
Configuration Guide CIS Windows 2000 Guide
Level 2
11Checklist Categories
- Under review - out for public review
- Final completed review, issues addressed
- Supported support for the checklist available,
e.g., from the submitter - Non-supported no support available
- General non-product specific, applies to a
technology or a class of products
12Participation Requirements
- Create a checklist and submit the XML template
- Agree to respond checklist-related to
questions/comments must provide a POC - For certain checklists, agree to update the
checklist on timely basis or else withdraw the
checklist - Agree to test the checklist and describe how the
checklist was tested
13Reviewing Checklists
- For all checklists, NIST will review for format,
readability, general quality, requirements - NIST will perform a limited technical review in
cases where it has expertise in the technology - NIST will post candidate checklists for public
review - Comments will be provided to the submitter
- Issues will be addressed by the submitter before
final posting of the checklist
14Current Status
- Workshop completed 9/03, enthusiastic response
from attendees - Workshop final report 2nd Qtr, FY04
- Drafting internal procedures, 2nd Qtr, FY04
- Checklist Special Pub 1st draft ready for public
review 2nd Qtr, FY04 - Comments accepted for 30 days
15Status Continued
- Workshop for common checklist formats with
configuration vendors 3rd Qtr, FY04 - Final release of Checklist Special Pub, 3rd Qtr,
FY04 - DISA STIG checklists mapped to checklist
framework, 3rd, 4th Qtr, FY04 - Windows XP checklists 4th Qtr, FY04
- Commitment for some vendors to participate
16Next Steps for FY05, FY06
- Continue working on common checklist formats
- Encourage vendors to support checklists on
products as released - Encourage other agencies, consortia, and forums
to submit checklists - Continue posting checklists and operating
checklist web site
17Contact Information
- Tim Grance
- Murugiah Souppaya
- John Wack
- NIST
- checklists_at_nist.gov
- http//csrc.nist.gov/checklists
18Acknowledgements
- NIST gratefully acknowledges support for the
checklist program from the Department of Homeland
Security - NIST also recognizes important contributions from
civilian and DoD agencies, vendors, and
organizations