NIST Special Publication 800-70 Rev. 4: National Checklist Program for IT Products – Guidelines for Checklist Users and Developers contains details and instructions for new checklist development. The basic steps for checklist development are as follows:
- Download and read checklist development information (contained in NIST Special Publication 800-70 Rev. 4: National Checklist Program for IT Products – Guidelines for Checklist Users and Developers) and checklist program participation information (found on the Participation Materials page).
- Select an operational environment (Standalone or SOHO, Managed or Enterprise, or Custom, such as Specialized Security-Limited Functionality or Legacy).
- Develop a checklist (targeted towards the selected operational environment from step two) and checklist documentation according to the recommendations and requirements of the program.
- Test the checklist and complete a checklist description form.
- Submit the checklist, the checklist description, and a participation agreement to NIST for review.
- Answer questions that arise from the public review and resolve remaining issues with checklist format or content.
- Maintain the checklist as changes to the IT product occur.
The checklist documentation should contain the following:
- A statement of the checklist's security objectives, including the targeted operational environment and expected behavior of the product after applying the checklist.
- The target audience (e.g., end-user, system administrator) and the level of technical skill required to install the checklist.
- An explanation of the checklist settings, including each setting's effect on the operation of the product and any functionality the settings enable or disable.
- Backup procedures or any other initial steps required before applying the checklist.
- As appropriate, step-by-step instructions for applying the checklist (e.g., screen shots, illustrated procedures) and verifying that the installation is successful.
- Procedures for uninstalling the checklist (if applicable).
- Troubleshooting instructions or other information and references.
For more specific details and procedures, download and read NIST Special Publication 800-70 Rev. 4: National Checklist Program for IT Products – Guidelines for Checklist Users and Developers or contact NIST.