Updating IT systems? These checklists help you do it right.
National program for security configurations evolves to keep pace with new platforms
- By William Jackson
- May 27, 2011
The National Checklist Program is evolving to help agencies find and use the proper security configurations as software platforms for federal IT systems are updated.
The program provides a repository of security checklists that can be used to automate the proper configuration and monitoring of IT systems, and also provides guidelines for the development of checklists by IT vendors and third parties. The National Institute of Standards and Technology, which maintains the checklist repository, recently updated guidance for using the checklists in a revision of Special Publication 800-70 and has released recommendations for checklist users and developers.
The checklist program dates to 2002, with a mandate for NIST to "develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the federal government."
NIST aids the cause of real-time security
NIST releases guide to security automation protocol
The program has adapted to the need for automating IT security processes through the Security Content Automation Protocol to enable security tools to automatically check configuration by using the checklists. The checklists can include templates, automated scripts, patches or patch descriptions, Extensible Markup Language (XML) files, and other procedures to enable automation.
Baseline configuration requirements are set out in products such as the 2007 Federal Desktop Core Configuration (FDCC) for Windows XP and Vista, which has been updated in the US. Government Configuration Baseline (USGCB). USGCB checklists, released in September 2010, define required minimum sets of configurations for government IT systems and settings for Microsoft Windows 7 and Internet Explorer 8.
SP 800-70 Rev. 2, “Guidelines for Checklist Users and Developers,” updates the previous version of the document, released in 2009, primarily with new information on Security Content Automation Protocol content related to USGCB.
Changes in USGCB requirements for Windows 7 and IE8 from the original FDCC configuration settings include an increased focus on green IT, requiring that computers will go into “sleep” mode after 60 minutes of inactivity, for example. The monitor will go into sleep mode after 20 minutes of inactivity. The baselines also include conditional settings for features such as IPv6 and wireless connectivity, applicable only to agencies using such features. The USGCB settings will be harmonized with Windows Vista, XP, and IE 7, where appropriate to ensure a consistent baseline.
Key features of the USGCB for Windows 7 and IE 8 include:
- Settings that are the result of a collaborative effort between the Defense and Homeland Security departments, NIST, the Technology Infrastructure Subcommittee, and other members of the federal information security community.
- Reduced risk of exploit of yet-to-be discovered vulnerabilities as well as current security problems.
- Group Policy and virtual machine disk images to facilitate testing and deployment.
- SCAP Content to support compliance testing and reporting.
In its latest IT Laboratory Bulletin NIST recommends that checklist users and developers:
- Apply checklists to operating systems and applications to reduce the number of vulnerabilities that attackers can exploit as well as to lessen the effects of successful attacks. Checklists also can be used to verify configurations for FISMA compliance.
- Consider the degree of automation available and the source when selecting checklists. In general, users should search for NIST-produced checklists, which are tailored for civilian agency use. If a NIST-produced checklist is not available, agency-produced checklists from the Defense Information Systems Agency or the National Security Agency should be used if available. If government-authored checklists do not exist, then organizations are encouraged to use vendor-produced checklists. If vendor-produced checklists are not available, then other checklists that are posted on the NCP website may be used.
- Customize and test checklists before applying them to production systems, and consider customizing checklists that are not mandatory.
- Users should take operational environments into account when selecting checklists, and checklist developers should target their checklists to operational environments. Checklists are significantly more useful when they can run in common operational environments.
NIST also strongly encourages IT vendors to develop security configuration checklists for their products and contribute them to the National Checklist Repository because the vendors have the most expertise on the settings and the best understanding of how they relate to each other and affect the system.