Press Release | Jan. 24, 2005

NSA and NIST Announce Public Availability of the Extensible Configuration Checklist Description Format (XCCDF)

The National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) jointly announce the public availability of the specification for the Extensible Configuration Checklist Description Format (XCCDF). To promote the use, standardization, and sharing of effective security checklists, the NSA and NIST collaborated with representatives of private industry to develop the XCCDF specification.

The specification is vendor-neutral, flexible, and suited for a wide variety of checklist applications. The intent of the XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, thereby fostering a more widespread application of good security practices. Such checklists can markedly reduce the vulnerability exposure of an organization when combined with well-developed guidance, accompanied by tools, and leveraged with high-quality security expertise, vendor product knowledge, and operational experience.

The Cyber-Security Research and Development Act of 2002 tasked NIST to "develop and revise, as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government." The XCCDF effort was born out of this mandate. A uniform and widely used format for security benchmarks, checklists, and related documents will help to improve security of government and private IT installations by enabling more timely and effective knowledge sharing and by fostering automated security testing and monitoring. NSA and NIST offer the XCCDF format to the public and the security community as such a format, and are prepared to work with the community to improve the specification.

The XCCDF specification document is available for download from the NIST security checklists web site. The site also offers access to a mailing list where industry and the public can make suggestions and comments about the specification. NSA and NIST look forward to working with the security community to make XCCDF a practical and useful data format for the security needs of the public and private sectors.

About the Organizations:

As a non-regulatory agency of the U.S. Department of Commerce's Technology Administration, NIST develops and promotes measurement, standards and technology to enhance productivity, facilitate trade and improve the quality of life.

NSA has served as America's codemakers and codebreakers for over 50 years. Under its mandate to protect national security communications, the agency conducts research and development activities in the area of information technology and network security.