Draft Special Publication 800-70 Revision 2, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 2 updates the previous version of the document, which was released in 2009, primarily by adding SCAP-oriented guidance and content related to the United States Government Configuration Baseline (USGCB).
NIST Interagency Report 7502 describes a specification for the Common Configuration Scoring System (CCSS), a set of standardized measures for the severity of software security configuration vulnerabilities. NISTIR 7502 also provides examples of how CCSS measures and scores can be determined. Once CCSS measures for products are available, organizations can use CCSS to help them make security decisions based on standardized, quantitative vulnerability data.