NCP - Glossary

Glossary National Checklist Program

This glossary has been updated to reflect terms present in 800-70 R4

Audience: The intended audience that should be able to install, test, and use the checklist, including suggested minimum skills and knowledge required to correctly use the checklist.

Author: The organization responsible for creating the checklist in its current format. In most cases an organization will represent both the author and authority of a checklist, but this is not always true. For example, if an organization produces validated SCAP content for a NIST publication, the organization that created the SCAP content will be listed as the Author, but NIST will remain the Authority.

Authority: The organization responsible for producing the original security configuration guidance represented by the checklist. Authorities are ranked according to their "Authority Type." Within the NCP website authorities are grouped with their authority types through the syntax of Authority Type: Authority.

If it is not clear which checklists(s) should be analyzed, users from Federal civilian agencies should first search for checklists produced by authorities of type "Governmental Authority." If "Governmental Authority" produced checklists exist the user should first search for NIST-produced checklists, which are tailored for civilian agency use. If no NIST-produced checklist is available, then agency-produced checklists from the Defense Information Systems Agency (DISA) or the National Security Agency (NSA) should be used. If no "Governmental Authority" checklists exist the user should search for checklists produced by authorities of type "Software Vendor." If none of these checklists exist the user should search for checklists produced by authorities of type "Third Party."

Authority Type: Type of organization that lends its authority to the checklist. The three types are Governmental Authority, Software Vendor, and Third Party (e.g., security organizations).

Change History: Running log detailing any changes made to the checklist since its inclusion in the repository. This field is updated with each version of the checklist.

Checklist Group: Represents the grouping of checklists based on a common source material. Commonly used if an organization packages multiple sets of product guidance under the same name.

Checklist ID: Uniquely identifies the checklist in the NCP repository. This will be generated during the NCP submission process and assigned to the checklist.

Checklist Installation Tool: Describes the functional tools required to use the checklist to configure the system, if they are not included with the checklist.

Checklist Name: The name of the checklist.

Checklist Role: The primary use or function of the IT product as described by the checklist (e.g., client desktop host, web server, bastion host, network border protection, intrusion detection).

Checklist Summary: Summarizes the purpose of the checklist and its settings.

Checklist Revision: Represents a change to the checklist content that does not affect the underlying rule/value configuration guidance put forth by the content. A scenario that would require a new checklist revision would be when SCAP content is created for a prose checklist. This revision would add a resource with the SCAP 1.x Content Type. A new checklist revision would be created to accommodate this change, while still maintaining the previous revision for interested parties.

Checklist Type: The type of checklist, such as Compliance, Vulnerability, and Specialized.

Comments/Warnings/Miscellaneous: Any additional information that the checklist developer wishes to convey to users.

Content Type: The format of the resource. Examples include SCAP Content, Prose, GPOs, Security Templates, etc.

CPE Name: The CPE representation of a specific Target Product.

Dependency/Requirements: Indicate that another checklist or guide is required to properly use and implement the current checklist.

Disclaimer: Legal notice pertaining to the checklist.

Entry Date: States the date when the checklist record is first listed in the NCP repository, in the format MM/DD/YYYY.

FIPS 140-2 Compliance: Whether the product can operate in a FIPS 140-2 validated mode (yes or no).

FIPS 140-2 Compliance Verification: Whether the checklist enumerates the required settings which must be configured on a product for the product to be FIPS 140-2 compliant.

Keyword: The keyword search parameter will search across the name, and summary.

Known Issues: Summarizes issues that may arise after application of the checklist to help users pinpoint any functional and operational problems caused by the checklist.

Last Modified Date: States the date when the checklist record was last revised within the NCP repository, in the format MM/DD/YYYY.

Licensing: States the license agreement, e.g. the checklist is copyrighted, open source, GPL, free software, shareware, etc.

Point of Contact: An email address where questions, comments, suggestions, and problem reports can be sent in reference to the checklist. The point of contact should be an email address that the checklist developer monitors for checklist problem reports.

Product Support: Vendor will accept support calls from users who have applied this checklist on their IT product; warranty for the IT product has not been affected. Required for usage of NCP logo if the submitter is the product vendor. If the submitter is not the product vendor, the submitter should describe any agreement that they may have with the product vendor.

Product Category: The main product category of the IT product (e.g., firewall, IDS, operating system, web server).

Publication Date: States the date when the actual checklist document was published, in the format MM/DD/YYYY.

References: Any supporting references chosen by the developer that were used to produce the checklist or checklist documentation.

Regulatory Compliance: Whether the checklist is consistent with various regulations (e.g., Health information Portability and Accountability Act [HIPAA], Gramm-Leach-Bliley Act [GLBA], FISMA [such as mappings to NIST SP 800-53 controls], ISO 27001, Sarbanes-Oxley, Department of Defense [DoD] 8500).

Resource Description: A prose description of the resource.

Resources: Provides a logical grouping of the two content types within the National Checklist Program. Content found under this column includes SCAP Content and Supporting Resources .

Review Status: The status of the checklist within the internal NCP review process, a status of "Final" signifies that NCP has reviewed the checklist and has accepted it for publication within the program. Possible status options are: Candidate, Final, Archived, or Under Review.

Rollback Capability: Whether the changes in product configuration made by applying the checklist can be rolled back and, if so, how to roll back the changes.

SCAP Content: A link to the machine-readable content representing the configuration guidance. This guidance is expressed using SCAP.

SHA-256: The SHA-256 hash for the resource.

Sponsor: States the name of the IT product manufacturer organization and individuals who sponsor the submitted checklist if it is submitted by a third-party entity.

Supporting Resources: A link to any supporting information, or content, relating to the guidance. This field can hold data ranging from an English prose representation of the actual guidance, to configuration scripts that apply guidance specific settings on a target product.

Target: The set of specific IT systems or applications that the checklist provides guidance for.

Target Operational Environment: The IT product's operational environment, such as Standalone, Managed, or Custom (with description, such as Specialized Security-Limited Functionality, Legacy, or Federal Desktop Core Configuration).

Tested By: Some SCAP content checklists have been vetted with at least one governance organization authority. These SCAP checklists are known to run on SCAP-enabled tools and include low-level security setting mappings (for example, standardized identifiers for individual security configuration issues) that can be externally mapped to high-level security requirements as represented in various security frameworks (e.g., SP 800-53 controls for FISMA). The USGCB checklists are examples of vetted SCAP content checklists.

Testing Information: Platforms on which the checklist was tested. Can include any additional testing-related information such as summary of testing procedures used. Should specify any operational testing performed in production or mirrored production environments.

Tool Compatibility: Refers to SCAP content that should be compatible with SCAP products that have been validated against a specific version of the SCAP specification (SP 800-126 Rev. 2 and Rev. 3).

Version: The version or release number of the checklist.

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Glossary National Checklist Program