Security Checklists for IT Products (NIST presentation)

Presentation transcript:


Agenda
– Overview of Checklist Program
– Discussion of Operational Procedures
– Current Status
– Next Steps

Cyber Security Research and Development Act of 2002
Directs NIST to:
– Develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government.

In Response…
NIST is developing a method for IT vendors, consortia, industry, government organizations, and others in the public and private sectors to voluntarily submit checklists in a standardized format, to be placed in a public, web-accessible database maintained by NIST.
NIST is:
– Creating a checklist development and description framework
– Hosting a checklist web site for checklist users
– Facilitating user demand for checklists
– Becoming an ambassador to vendors for checklists

What is a Checklist?
– Often called lockdown guides, benchmark configurations, hardening guides, or other terms
– In simple terms, a document or list of procedures to secure a system or application
– Checklists are implementation guides used to provide security controls to the information system
– Could include scripts, add-on templates, or executables

Why Checklists?
– Most products are insecure out of the box
– Most users need assistance configuring security controls because of the complexity of the technology
– Demand for easy-to-understand checklists for improving security
– Demand for checklists tailored to different environments, such as home, small office, enterprise, or higher security
– Checklists can have a large impact on security with a relatively small upfront investment

Goals of the Checklist Program
– To significantly improve out-of-the-box security
– To be a portal for checklists in general
– To encourage primarily vendors to submit and support their checklists
– To encourage vendors to develop checklists as part of their products
– To leverage existing checklist development work

NIST Checklist Process
1. Submit the checklist (Producer)
2. Review and post as a candidate (NIST)
3. Provide feedback and comments (Consumer)
4. Respond to comments and maintain (Producer)
5. Review and post the checklist (NIST)
Timeframe goal = 2 weeks

NIST Checklist Template
– An XML template used to describe a checklist
– Fields include:
  – IT product name
  – Environment (high security, enterprise, SOHO)
  – How the checklist was tested
  – Revision dates
– Cataloged in the web-searchable database
– A user searches the fields of the templates to locate appropriate checklists

Security Checklists for Commercial IT Products (web site mock-up)
About Checklists: Under the Cyber Security Research and Development Act, NIST is charged with developing security checklists. These checklists describe security settings for commercial IT products.
Security Environment: Security environments are SOHO, Enterprise, High Security, or Custom. Checklists can also be associated with the security categorization contained in FIPS 199.
Partners: The checklists provided on this website are provided by a wide variety of vendors, government agencies, consortia, non-profit organizations, and user organizations. For a complete list, click here. NIST gratefully acknowledges their contributions and assistance in providing this security service.
Disclaimer: The contents of each checklist are the responsibility of the submitting organization. We encourage users to send comments on specific checklists to the appropriate author.
Search the Security Checklist Database (example):
– By specific product name: Microsoft Windows 2000
– By security environment: High Security
– By product type: Operating System
Results (list of checklists):
– NIST Windows 2000 Special Publication
– NSA Windows 2000 Security Guide
– DISA Windows 2000 Security Configuration Guide
– CIS Windows 2000 Guide – Level 2

Checklist Categories
– Under review – out for public review
– Final – completed review, issues addressed
– Supported – support for the checklist available, e.g., from the submitter
– Non-supported – no support available
– General – non-product specific, applies to a technology or a class of products
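To make the template, search and category slides concrete, here is an added example (not NIST's code or schema): a small constructed checklist database in a hypothetical attribute-based XML layout, a parser that rejects entries missing a required field or using an environment or category outside the slides' vocabulary, and a search that reproduces the Windows 2000 query from the mock-up. The field names come from the slides; the element and attribute names, and the XP and broken entries, are assumptions.

```python
import xml.etree.ElementTree as ET
# Vocabulary taken from the slides: security environments and review categories.
ENVIRONMENTS = {"SOHO", "Enterprise", "High Security", "Custom"}
CATEGORIES = {"Under review", "Final", "Supported", "Non-supported", "General"}
REQUIRED = ("title", "product", "type", "env", "category", "tested", "revised")
# Constructed sample database: the four Windows 2000 entries are the slide's result
# list; the XP entry and the deliberately broken last entry are made up for the demo.
SAMPLE_XML = """<checklists>
  <checklist product="Microsoft Windows 2000" type="Operating System" env="High Security"
    category="Final" tested="Lab tested on SP4 workstation" revised="2004-03-01"
    title="NIST Windows 2000 Special Publication"/>
  <checklist product="Microsoft Windows 2000" type="Operating System" env="High Security"
    category="Supported" tested="Tested on SP4 domain member" revised="2004-02-15"
    title="NSA Windows 2000 Security Guide"/>
  <checklist product="Microsoft Windows 2000" type="Operating System" env="High Security"
    category="Supported" tested="Applied via STIG scripts" revised="2004-01-30"
    title="DISA Windows 2000 Security Configuration Guide"/>
  <checklist product="Microsoft Windows 2000" type="Operating System" env="High Security"
    category="Final" tested="Benchmark tool run on SP4" revised="2004-03-10"
    title="CIS Windows 2000 Guide – Level 2"/>
  <checklist product="Microsoft Windows XP" type="Operating System" env="Enterprise"
    category="Under review" tested="Tested on SP2 workstation" revised="2004-06-01"
    title="Windows XP enterprise checklist (constructed)"/>
  <checklist product="Microsoft Windows XP" type="Operating System" env="Desktop"
    category="Final" tested="" revised="2004-06-01" title="Broken entry (constructed)"/>
</checklists>"""

def parse_checklists(xml_text):
    """Return (records, errors): entries that pass the participation checks, and one
    message per rejected entry (empty required field, unknown environment/category)."""
    records, errors = [], []
    for node in ET.fromstring(xml_text).iter("checklist"):
        rec = {k: node.get(k, "").strip() for k in REQUIRED}
        problems = [k for k in REQUIRED if not rec[k]]
        if rec["env"] and rec["env"] not in ENVIRONMENTS:
            problems.append("env=" + rec["env"])
        if rec["category"] and rec["category"] not in CATEGORIES:
            problems.append("category=" + rec["category"])
        if problems:
            errors.append("%s: %s" % (rec["title"] or "<untitled>", ", ".join(problems)))
        else:
            records.append(rec)
    return records, errors

def search(records, product=None, environment=None, product_type=None, category=None):
    """Mimic the slide's search: substring match on product name, exact match otherwise."""
    wanted = {"env": environment, "type": product_type, "category": category}
    return [r for r in records
            if (product is None or product.lower() in r["product"].lower())
            and all(v is None or r[k] == v for k, v in wanted.items())]
```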

Participation Requirements
– Create a checklist and submit the XML template
– Agree to respond to checklist-related questions/comments – must provide a POC
– For certain checklists, agree to update the checklist on a timely basis or else withdraw the checklist
– Agree to test the checklist and describe how the checklist was tested

Reviewing Checklists
– For all checklists, NIST will review for format, readability, general quality, and requirements
– NIST will perform a limited technical review in cases where it has expertise in the technology
– NIST will post candidate checklists for public review
– Comments will be provided to the submitter
– Issues will be addressed by the submitter before final posting of the checklist

Current Status
– Workshop completed 9/03, enthusiastic response from attendees
– Workshop final report: 2nd Qtr, FY04
– Drafting internal procedures: 2nd Qtr, FY04
– Checklist Special Pub 1st draft ready for public review: 2nd Qtr, FY04; comments accepted for 30 days

Status Continued
– Workshop for common checklist formats with configuration vendors: 3rd Qtr, FY04
– Final release of Checklist Special Pub: 3rd Qtr, FY04
– DISA STIG checklists mapped to checklist framework: 3rd, 4th Qtr, FY04
– Windows XP checklists: 4th Qtr, FY04
– Commitment from some vendors to participate

Next Steps for FY05, FY06
– Continue working on common checklist formats
– Encourage vendors to support checklists on products as released
– Encourage other agencies, consortia, and forums to submit checklists
– Continue posting checklists and operating the checklist web site

Contact Information
– Tim Grance, NIST
– Murugiah Souppaya, NIST
– John Wack, NIST

Acknowledgements
– NIST gratefully acknowledges support for the checklist program from the Department of Homeland Security
– NIST also recognizes important contributions from civilian and DoD agencies, vendors, and organizations