NIST guidance on security checklists, PIV interfaces

Both documents update earlier publications from the Computer Security Division

The National Institute of Standards and Technology has updated two publications from its Computer Security Division, a draft revision of guidelines from its National Checklist Program released for public comment and the final version of revised specifications for interfaces for Personal Identity Verification cards.

The draft of Special Publication 800-70 Revision 1, 'National Checklist Programs for IT Products'Guidelines for Checklist Users and Developers' explains how to use NIST's National Checklist Program to find and retrieve checklists. I would replace the original document, published in 2005.

NIST established the NCP to help the development of security configuration checklists for IT products, both by product vendors and by third parties.

'A security configuration checklist (also called a lockdown, hardening guide, or benchmark) is a series of instructions for configuring a product to a particular operational environment,' the document explains. 'Checklists can comprise templates or automated scripts, patches or patch descriptions, XML files, and other procedures. Checklists are intended to be tailored by each organization to meet its particular security and operational requirements.'

Checklists are valuable because IT products intended for a wide market usually do not have restrictive security configuration controls enabled by default. Organizations can use the checklists to harden or lock down products according to their specific needs, simplifying what could be a complex and arduous task.

'Using checklists improves the consistency and predictability of system security,' the guide says. 'There is no checklist that can make a system or product 100 percent secure, and using checklists does not eliminate the need for ongoing security maintenance, such as patch installation. However, using checklists that emphasize both hardening of systems against software flaws and configuring systems securely will typically reduce the number of ways in which the systems can be attacked, resulting in greater levels of product security and protection from future threats.'

Because security checklists can vary in quality depending on their creators and can go out of date, NPC provides a central checklist repository to facilitate their use. NCP goals are to:

  • Facilitate development and sharing of checklists by providing a formal framework for checklist developers to submit checklists to NIST.
  • Provide guidance to developers to help them create standardized, high-quality checklists that conform to common operational environments.
  • Providing guidelines for developers for making checklists better documented and more usable.
  • Encourage IT product vendors and other parties to develop checklists and to configure their products based on those checklists.
  • Provide a managed process for the review, update, and maintenance of checklists.
  • Provide an easy-to-use repository of checklists.
  • Provide checklist content in a standardized format.
  • Encourage the use of automation technologies for checklist application.

Commends on SP 800-70 Revision 1 should be made by Oct. 31 via e-mail with 'Comments SP 800-70' in the subject line.

The final release of SP 800-73-2, 'Interfaces for Personal Identity Verification' specifies the PIV data model, command interface, client application programming interface and references to transitional interface specifications for the government's interoperable PIV cards. It is published in four separate volumes that replace the previous single document, published in 2006. The four-volumes can be downloaded separately or in a single zipped file [].

Major changes from the previous document include:
  • Resolving a possible PIN interoperability conflict by providing a PIN usage policy element for card readers.
  • Providing a procedure for readers to identify the cryptographic algorithm and key size for each PIV crypto key type.
  • Enhancing Global PIN access controls to avoid restricting their use.
  • Specifying the GET DATA and PUT DATA Application Protocol Data Units command specifically for the discovery object.
  • Adding a new middleware function call to the PIV client-application programming interface.
  • Adding new length arguments for function declarations of the PIV Client API.
  • Providing references to specifications of transitional middleware API and transitional card interfaces.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected