responsible for creating the checklist in its current format. In most cases an organization will represent both the author and authority of a checklist, but this is not always true. For example, if an organization produces validated SCAP content for a NIST publication, the organization that created the SCAP content will be listed as the Author, but NIST will remain the Authority.

The organization responsible for producing the original security configuration guidance represented by the checklist. Authorities are ranked according to their "Authority Type." Within the NCP website, authorities are grouped with their authority types through the syntax Authority Type: Authority.

If it is not clear which checklist(s) should be analyzed, users from Federal civilian agencies should first search for checklists produced by authorities of type "Governmental Authority." If "Governmental Authority"-produced checklists exist, the user should first search for NIST-produced checklists, which are tailored for civilian agency use. If no NIST-produced checklist is available, then agency-produced checklists from the Defense Information Systems Agency (DISA) or the National Security Agency (NSA) should be used. If no "Governmental Authority" checklists exist, the user should search for checklists produced by authorities of type "Software Vendor." If none of these checklists exist, the user should search for checklists produced by authorities of type "Third Party."
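The precedence just described, applied to a constructed set of checklist records, as an added example (not code from NIST or the NCP). It parses the "Authority Type: Authority" syntax and orders checklists the way a Federal civilian agency should prefer them; the record fields, the sample entries, and the rule that a Governmental Authority other than NIST, DISA or NSA sorts after those three are assumptions of this example.

```python
from dataclasses import dataclass

# Authority types in the order of preference the text gives for Federal civilian
# agencies: Governmental Authority, then Software Vendor, then Third Party.
TYPE_RANK = {"Governmental Authority": 0, "Software Vendor": 1, "Third Party": 2}
# Within Governmental Authority: NIST first, then DISA or NSA (treated as equal).
# Any other governmental authority ranks after them (assumption of this example).
GOV_RANK = {"NIST": 0, "DISA": 1, "NSA": 1}
OTHER_GOV_RANK = 2


@dataclass(frozen=True)
class Checklist:
    name: str
    authority: str  # NCP syntax, e.g. "Governmental Authority: NIST"


def parse_authority(value: str) -> tuple[str, str]:
    """Split an 'Authority Type: Authority' string; reject unknown types."""
    kind, sep, name = value.partition(":")
    kind, name = kind.strip(), name.strip()
    if not sep or kind not in TYPE_RANK or not name:
        raise ValueError(f"unrecognised authority string: {value!r}")
    return kind, name


def precedence(checklist: Checklist) -> tuple[int, int]:
    """Sort key: lower tuples are preferred for civilian agency use."""
    kind, name = parse_authority(checklist.authority)
    if kind == "Governmental Authority":
        return (TYPE_RANK[kind], GOV_RANK.get(name, OTHER_GOV_RANK))
    return (TYPE_RANK[kind], 0)


def rank_for_civilian_agency(checklists: list[Checklist]) -> list[Checklist]:
    """Return checklists in preference order; sorted() is stable, so ties keep input order."""
    return sorted(checklists, key=precedence)


# Constructed sample records (not real NCP entries).
SAMPLE = [
    Checklist("Vendor baseline", "Software Vendor: Example Corp"),
    Checklist("Third-party hardening guide", "Third Party: Example Org"),
    Checklist("DISA checklist", "Governmental Authority: DISA"),
    Checklist("NIST baseline", "Governmental Authority: NIST"),
]

if __name__ == "__main__":
    for c in rank_for_civilian_agency(SAMPLE):
        print(c.authority, "->", c.name)
```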
change to the checklist content that does not affect the underlying rule/value configuration guidance put forth by the content. A scenario that would require a new checklist revision would be when SCAP content is created for a prose checklist. This revision would add a resource with the SCAP 1.x Content Type. A new checklist revision would be created to accommodate this change, while still maintaining the previous revision for

address where questions, comments, suggestions, and problem reports can be sent in reference to the checklist. The point of contact should be an email address that the checklist developer monitors for checklist problem reports.

accept support calls from users who have applied this checklist on their IT product; the warranty for the IT product has not been affected. Required for usage of the NCP logo if the submitter is the product vendor. If the submitter is not the product vendor, the submitter should describe any agreement that they may have with the product vendor.

checklist is consistent with various regulations (e.g., Health Insurance Portability and Accountability Act [HIPAA], Gramm-Leach-Bliley Act [GLBA], FISMA [such as mappings to NIST SP 800-53 controls], ISO 27001, Sarbanes-Oxley, Department of Defense [DoD] 8500).

The status of the checklist within the internal NCP review process. A status of "Final" signifies that NCP has reviewed the checklist and has accepted it for publication within the program. Possible status options are: Candidate, Final, Archived, or Under

A link to any supporting information or content relating to the guidance. This field can hold data ranging from an English prose representation of the actual guidance to configuration scripts that apply guidance-specific settings on a target product.

which the checklist was tested. Can include any additional testing-related information, such as a summary of the testing procedures used. Should specify any operational testing performed in production or mirrored production environments.