Date Published: December 9, 2025
Comments Due:
Email Questions to:
Author(s)
Stephen Quinn (NIST), Blair Heiserman (NIST)
Announcement
NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. SP 800-70r5 ipd describes the uses, benefits, and management of checklists and checklist control catalogs, as well as the policies, procedures, and general requirements for participation in the NCP.
Why Security Configuration Checklists Matter
A security configuration checklist is a document or technical content that contains instructions or procedures for securely configuring an IT product to match an operational environment’s risk tolerance, verifying that the product has been configured properly, and/or identifying unauthorized changes to the product. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impacts of successful attacks, and identify changes that might otherwise go undetected.
What’s New in Revision 5?
This revision introduces significant updates to improve usability, automation, and alignment with modern cybersecurity practices.
Key Highlights
- Traceability and Compliance: Enhanced mapping concepts between checklist settings, NIST Cybersecurity Framework (CSF) 2.0 outcomes, SP 800-53 controls, and Common Configuration Enumeration (CCE) identifiers for evidence-ready automation and reporting
- Expanded Coverage: Guidance that includes cloud platforms, IoT, and AI systems and reflects the latest NIST research and federal requirements
- Modernized Automation: Explicit support for a wide range of automated checklist formats
- Control Catalog Approach: Encourages developers to use catalogs of controls for rapid, consistent checklist generation and easier tailoring to different risk postures
- Operational Environment Tailoring: Detailed recommendations for customizing checklists to fit stand-alone, managed (enterprise), specialized security-limited functionality (SSLF), and legacy environments
- Checklist Life Cycle: Clear procedures for checklist development, testing, documentation, submission, public review, maintenance, and archival
Intended Audience
This document is intended for users and developers of security configuration.
- For checklist users, this document makes recommendations on how they should select checklists from the NIST National Checklist Repository, evaluate and test checklists, and apply them to IT products.
- For checklist developers, this document sets forth the policies, procedures, and general requirements for participation in the NCP.
A security configuration checklist is a document or technical content that contains instructions or procedures for securely configuring an IT product to match an operational environment’s risk tolerance, verifying that the product has been configured properly, and/or identifying unauthorized changes to the product. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impact of successful attacks, and identify changes that might otherwise go undetected. NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. This publication explains how to use the NCP to find and retrieve checklists and describes the policies, procedures, and general requirements for participation in the NCP.
A security configuration checklist is a document or technical content that contains instructions or procedures for securely configuring an IT product to match an operational environment’s risk tolerance, verifying that the product has been configured properly, and/or identifying unauthorized changes...
See full abstract
A security configuration checklist is a document or technical content that contains instructions or procedures for securely configuring an IT product to match an operational environment’s risk tolerance, verifying that the product has been configured properly, and/or identifying unauthorized changes to the product. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impact of successful attacks, and identify changes that might otherwise go undetected. NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. This publication explains how to use the NCP to find and retrieve checklists and describes the policies, procedures, and general requirements for participation in the NCP.
Hide full abstract
Keywords
benchmark; change detection; checklist; information security; National Checklist Program (NCP); Security Automation; secure configuration; security configuration checklist; Security Content Automation Protocol (SCAP); software configuration; vulnerability
Control Families
None selected
