National Checklist Program

The National Checklist Program (NCP) is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.

NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP). SCAP enables standards based security tools to automatically perform configuration checking using NCP checklists.

NCP Resources:

Congressional Authority for NCP

The Cyber Security Research and Development Act of 2002 tasks the National Institute of Standards and Technology (NIST) to "develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become widely used within the Federal Government." Such checklists, when combined with well-developed guidance, leveraged with high-quality security expertise, vendor product knowledge, operational experience, and accompanied with tools, can markedly reduce the vulnerability exposure of an organization.


NCP contains checklists (and pointers to tools) for performing configuration checking of systems implementing United States Government Configuration Baselines (USGCB) and Federal Desktop Core Configuration settings using the Security Content Automation Protocol (SCAP). USGCB and FDCC Checklists are available here (to be used with SCAP validated tools).