Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-70 Rev. 4 (Initial Public Draft)

National Checklist Program for IT Products: Guidelines for Checklist Users and Developers

Date Published: August 2017
Comments Due: August 30, 2017 (public comment period is CLOSED)
Email Questions to:


Stephen Quinn (NIST), Murugiah Souppaya (NIST), Melanie Cook (NIST), Karen Scarfone (Scarfone Cybersecurity)


NIST requests public comments on the release of Draft Special Publication 800-70 Revision 4, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. Using security configuration checklists to verify the configuration of information technology (IT) products and identify unauthorized configuration changes can minimize product attack surfaces, reduce vulnerabilities, and lessen the impact of successful attacks. To facilitate development of checklists and to make checklists more organized and usable, NIST established the National Checklist Program (NCP). This publication explains how to use the NCP to find and retrieve checklists, and it also describes the policies, procedures, and general requirements for participation in the NCP. 



change detection; checklist; information security; National Checklist Program (NCP); security configuration checklist; Security Content Automation Protocol (SCAP); software configuration; vulnerability
Control Families

Audit and Accountability; Configuration Management; System and Communications Protection


Draft SP 800-70 Rev. 4 (pdf)

Supplemental Material:
None available

Document History:
08/01/17: SP 800-70 Rev. 4 (Draft)