Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST IR 7275 Rev. 4

Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2

Date Published: March 2012

Supersedes: IR 7275 Rev. 4 (09/30/2011)


David Waltermire (NIST), Charles Schmidt (MITRE), Karen Scarfone (Scarfone Cybersecurity), Neal Ziring (DoD)



eXtensible Configuration Checklist Description Format; FISMA; security controls; vulnerabilities; XCCDF; benchmarks; checklists
Control Families

Audit and Accountability; Configuration Management; Maintenance


NISTIR 7275 Rev. 4 (pdf)

Supplemental Material:
NISTIR 7275 Rev. 4 (markup) (pdf)

Related NIST Publications:
SP 800-70 Rev. 4
SP 800-179 Rev. 1 (Draft)
SP 800-179
SP 800-179 (Draft)
IR 7188
IR 7275
IR 7275 Rev. 2
IR 7275 Rev. 3

Document History:
03/01/12: IR 7275 Rev. 4 (Final)