Mission and Overview
NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:

Last updated: 5/24/2016 5:39:40 AM

CVE Publication rate: 19

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 11.53
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).
National Checklist Program Glossary
The organization responsible for creating the checklist in its current format. In most cases an organization will represent both the author and authority of a checklist, but this is not always true.  For example, if an organization produces validated SCAP content for a NIST publication, the organization that created the SCAP content will be listed as the Author, but NIST will remain the Authority.
The organization responsible for producing the original security configuration guidance represented by the checklist. Authorities are ranked according to their "Authority Type." Within the NCP website authorities are grouped with their authority types through the syntax of Authority Type: Authority.

If it is not clear which checklists(s) should be analyzed, users from Federal civilian agencies should first search for checklists produced by authorities of type "Governmental Authority." If "Governmental Authority" produced checklists exist the user should first search for NIST-produced checklists, which are tailored for civilian agency use. If no NIST-produced checklist is available, then agency-produced checklists from the Defense Information Systems Agency (DISA) or the National Security Agency (NSA) should be used. If no "Governmental Authority" checklists exist the user should search for checklists produced by authorities of type "Software Vendor." If none of these checklists exist the user should search for checklists produced by authorities of type "Third Party."
Authority Type
Type of organization that lends its authority to the checklist. The three types are Governmental Authority, Software Vendor, and Third Party (e.g., security organizations).
Change History
Running log detailing any changes made to the checklist since its inclusion in the repository. This field is updated with each version of the checklist.
Checklist Group
Represents the grouping of checklists based on a common source material. Commonly used if an organization packages multiple sets of product guidance under the same name.
Checklist ID
Uniquely identifies the checklist in the NCP repository. This will be generated during the NCP submission process and assigned to the checklist.
Checklist Installation Tool
Describes the functional tools required to use the checklist to configure the system, if they are not included with the checklist.
Checklist Name
The name of the checklist.
Checklist Role
The primary use or function of the IT product as described by the checklist (e.g., client desktop host, web server, bastion host, network border protection, intrusion detection).
Checklist Summary
Summarizes the purpose of the checklist and its settings.
Checklist Revision
Represents a change to the checklist content that does not affect the underlying rule/value configuration guidance put forth by the content. A scenario that would require a new checklist revision would be when SCAP content is created for a prose checklist. This revision would change the checklist's Tier status from Tier I to either Tier III or IV. A new checklist revision would be created to accommodate this change, while still maintaining the Tier I checklist revision for interested parties.
Checklist Type
The type of checklist, such as Compliance, Vulnerability, and Specialized.
Any additional information that the checklist developer wishes to convey to users.
CCE Expressed
Whether the checklist has valid CCEs (yes or no). If yes, each configuration setting has an associated CCE.
CPE Expressed
Whether the checklist has valid CPEs (yes or no). If yes, the checklist expresses its applicability to systems using CPE.
CPE Name
The CPE representation of a specific Target Product.
CVE Expressed
Whether the checklist has valid CVEs (yes or no). If yes, each software flaw and patch has an associated CVE or CVEs.
CVSS Expressed
Whether the checklist has valid CVSSs (yes or no). If yes, each CVE identifier has an associated CVSS base score.
Indicate that another checklist or guide is required to properly use and implement the current checklist.
Legal notice pertaining to the checklist.
Entry Date
States the date when the checklist record is first listed in the NCP repository, in the format MM/DD/YYYY.
FIPS 140-2 Compliance
Whether the product can operate in a FIPS 140-2 validated mode (yes or no).
FIPS 140-2 Compliance Verification
Whether the checklist enumerates the required settings which must be configured on a product for the product to be FIPS 140-2 compliant.
The keyword search parameter will search across the name, and summary.
Known Issues
Summarizes issues that may arise after application of the checklist to help users pinpoint any functional and operational problems caused by the checklist.
Last Modified Date
States the date when the checklist record was last revised within the NCP repository, in the format MM/DD/YYYY.
States the license agreement, e.g. the checklist is copyrighted, open source, GPL, free software, shareware, etcOVAL Expressed
Whether the checklist is expressed in OVAL (yes or no). If yes, each OVAL definition must validate according to the OVAL reference implementation.
OVAL Expressed
Whether the checklist is expressed in OVAL (yes or no). If yes, each OVAL definition must validate according to the SCAP Content Validation Tool (SCAPVal).
OCIL Expressed
Whether the checklist is expressed in OCIL (yes or no). If yes, must validate according to the SCAP Content Validation Tool (SCAPVal).
Point of Contact
An email address where questions, comments, suggestions, and problem reports can be sent in reference to the checklist. The point of contact should be an email address that the checklist developer monitors for checklist problem reports.
Product Support
Vendor will accept support calls from users who have applied this checklist on their IT product; warranty for the IT product has not been affected. Required for usage of NCP logo if the submitter is the product vendor. If the submitter is not the product vendor, the submitter should describe any agreement that they may have with the product vendor.
Product Category
The main product category of the IT product (e.g., firewall, IDS, operating system, web server).
Publication Date
States the date when the actual checklist document was published, in the format MM/DD/YYYY.
Any supporting references chosen by the developer that were used to produce the checklist or checklist documentation.
Regulatory Compliance
Whether the checklist is consistent with various regulations (e.g., Health information Portability and Accountability Act [HIPAA], Gramm-Leach-Bliley Act [GLBA], FISMA [such as mappings to NIST SP 800-53 controls], ISO 27001, Sarbanes-Oxley, Department of Defense [DoD] 8500).
Resource Description
A prose description of the resource.
Resource Type
The format of the resource. Examples include SCAP Content, Prose, GPOs, Security Templates, etc.
Provides a logical grouping of the two content types within the National Checklist Program. Content found under this column includes SCAP Content and Supporting Resources .
Review Status
The status of the checklist within the internal NCP review process, a status of "Final" signifies that NCP has reviewed the checklist and has accepted it for publication within the program. Possible status options are: Candidate, Final, Archived, or Under Review.
Rollback Capability
Whether the changes in product configuration made by applying the checklist can be rolled back and, if so, how to roll back the changes.
SCAP Content
A link to the machine-readable content representing the configuration guidance. This guidance is expressed using SCAP.
SCAP Expressed
Checklists that are designed to be processed by SCAP-validated products. For more details regarding the definition of SCAP Expressed, see NIST SP 800-126.
The SHA-1 hash for the resource.
The SHA-256 hash for the resource.
States the name of the IT product manufacturer organization and individuals who sponsor the submitted checklist if it is submitted by a third-party entity.
Supporting Resources
A link to any supporting information, or content, relating to the guidance. This field can hold data ranging from an English prose representation of the actual guidance, to configuration scripts that apply guidance specific settings on a target product.
Target Audience
The intended audience that should be able to install, test, and use the checklist, including suggested minimum skills and knowledge required to correctly use the checklist.
Target Operational Environment
The IT product's operational environment, such as Standalone, Managed, or Custom (with description, such as Specialized Security-Limited Functionality, Legacy, or Federal Desktop Core Configuration).
Target Product
The set of specific IT systems or applications that the checklist provides guidance for.
Testing Information
Platforms on which the checklist was tested. Can include any additional testing-related information such as summary of testing procedures used. Should specify any operational testing performed in production or mirrored production environments.
The checklist tier (Tier I, II, III, or IV):
  • Tier I checklists are prose-based, such as narrative descriptions of how a person can manually alter a product's configuration.
  • Tier II checklists document their security settings in a machine-readable but non-standard format, such as a proprietary format or a product-specific configuration script. These checklists may include some elements of SCAP (for example, they may contain CCE identifiers), but do not meet the Tier III requirements.
  • Tier III checklists use SCAP to document their security settings in machine-readable standardized SCAP formats that meet the definition of "SCAP Expressed" specified in NIST SP 800-126. Tier III checklists can be processed by SCAP-validated tools, which are products that have been validated by an accredited independent testing laboratory as conforming to applicable SCAP specifications and requirements. When evaluated using the NIST SCAP Content Validation Tool (SCAPVal), a Tier III checklist passes through with no errors.
  • Tier IV checklists include all properties of Tier III checklists. Tier IV checklists also include low-level security setting mappings (for example, standardized identifiers for individual security configuration issues) that can be externally mapped to high-level security requirements as represented in various security frameworks (e.g., SP 800-53 controls for FISMA). These mappings must be vetted with at least one governance organization authoritative for the security compliance framework.
The version or release number of the checklist.
XCCDF Expressed
Whether the checklist is expressed in XCCDF (yes or no). If yes, the checklist is expressed in XCCDF and validates against the published version of the XCCDF schema. The checklist also validates against the NIST-provided XCCDF reference implementation.