NCP FAQs - Vendors and Checklist Developers

  1. Can my organization participate now?
  2. I would like to participate, what should I do now?
  3. What are the ABCs of checklist development and participation?
  4. How do I submit my existing checklist(s)?
  5. How do I create a checklist description for the checklist repository?
  6. What are the requirements for using the checklist program logo?
Q.
Can my organization participate now?
A.
Yes. You may begin participating by working with NIST on developing checklists for submission to the repository.
Q.
I would like to participate, what should I do now?
A.
If you are interested in participating, please contact NIST; you can be placed on a mailing list for announcements and NIST can answer any questions you have and provide assistance as necessary. Please see the Contact page for further information on contacting NIST or download the participation materials.
Q.
What are the ABCs of checklist development and participation?
A.

NIST Special Publication 800-70 Rev 4: National Checklist Program for IT Products – Guidelines for Checklist Users and Developers contains details and instructions for new checklist development. The basic steps for checklist development are as follows:

  1. Download and read checklist development information (contained in NIST Special Publication 800-70 Rev. 4: National Checklist Program for IT Products – Guidelines for Checklist Users and Developers) and checklist program participation information (found on the Participation Materials page).
  2. Select an operational environment (Standalone or SOHO, Managed or Enterprise, Custom such as Specialized Security-Limited Functionality or Legacy).
  3. Develop a checklist (targeted towards the selected operational environment from step two) and checklist documentation according to the recommendations and requirements of the program.
  4. Test the checklist and complete a checklist description form.
  5. Submit the checklist, the checklist description, and a participation agreement to NIST for review.
  6. Answer questions arising from the public review and resolve remaining issues with checklist format or content.
  7. Maintain the checklist as changes to the IT product occur. 

The checklist documentation should contain the following:

  1. A statement of the checklist's security objectives, including the targeted operational environment and expected behavior of the product after applying the checklist.
  2. The target audience (e.g., end-user, system administrator) and the level of technical skill required to install the checklist.
  3. An explanation of the checklist settings, including each setting's effect on the operation of the product and any functionality the settings enable or disable.
  4. Backup procedures or any other initial steps required before applying the checklist.
  5. As appropriate, step-by-step instructions for applying the checklist (e.g., screen shots, illustrated procedures) and verifying that the installation is successful.
  6. Procedures for uninstalling the checklist (if applicable).
  7. Troubleshooting instructions or other information and references.

For more specific details and procedures, download and read NIST Special Publication 800-70 Rev 4: National Checklist Program for IT Products – Guidelines for Checklist Users and Developers or contact NIST.

Q.
How do I submit my existing checklist(s)?
A.
Existing checklists should be submitted to NIST along with a completed checklist description form (a blank version is available from this site; see the next question). Existing checklists that are created and supported by IT product vendors do not necessarily require a public review; however, this will be determined on a case-by-case basis.
Q.
How do I create a checklist description for the checklist repository?
A.
The checklist description describes various aspects of a checklist; the description fields are accessible via the checklist repository so that users can browse and select checklists. You can download a blank checklist description form, complete its fields, and then return it along with the checklist and other related material to NIST. Refer to the participation materials.
Q.
What are the requirements for using the checklist program logo?
A.
Checklist producers, e.g., vendors, will be able to use the checklist program logo on product literature or websites to show participation in the NIST program and ownership of a checklist on the repository. To use the logo, the producer must provide assistance or support to its product users (as per its customary support agreements) who use the checklist; i.e., use of the checklist cannot void product warranties or support agreements. The logo does not convey NIST endorsement or support of the checklist or IT product. See the participation and logo usage agreement for more details.