ISO/IEC 18180:2013
Information technology - Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2
ISO/IEC 18180:2013 specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and scoring. ISO/IEC 18180:2013 also defines a data model and format for storing results of security guidance or checklist testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.
Technologies de l'information — Spécification de XCCDF (Extensible Configuration Checklist Description Format) version 1.2
General Information
- Status: Published
- Publication Date: 09-Jun-2013
- Technical Committee: ISO/IEC JTC 1 - Information technology
- Drafting Committee: ISO/IEC JTC 1 - Information technology
- Current Stage: 9093 - International Standard confirmed
- Start Date: 21-Feb-2025
- Completion Date: 30-Oct-2025
Overview
ISO/IEC 18180:2013 - Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 - defines the data model and XML representation for XCCDF. XCCDF is a standardized format for expressing security configuration checklists, benchmarks, and the results of checklist testing. The standard is based on NIST Interagency Report 7275 (Revision 4) and is intended to enable consistent interchange, automated assessment, tailoring, document generation, and scoring of security configuration guidance.
Key topics and technical requirements
- Data model and XML representation: Defines an XML schema and namespace conventions for XCCDF 1.2 to represent checklists and results.
- Structured checklist elements: Includes standardized elements such as Benchmark, Profile, Group, Rule, Value, TestResult, and Tailoring for organizing configuration guidance and test metadata.
- Test results format: Specifies a data model and XML format to store facts, rule results, and assessment outputs for automated processing.
- Tailoring and profiling: Supports organizational and situational tailoring via profiles and tailoring files to select, modify, or disable checks for different target systems.
- Interchange and document generation: Designed to facilitate machine-readable interchange between tools and human-readable guideline generation.
- Assessment and scoring: Provides constructs to support automated compliance testing and scoring models for evaluating rule outcomes.
- Conformance and processing: Covers conformance rules for benchmark documents and product implementations, plus guidance on loading, traversal, and processing XCCDF content.
Practical applications and users
ISO/IEC 18180:2013 is practical for organizations that need a consistent, machine-actionable way to publish, exchange, and evaluate security configuration guidance:
- Security analysts and compliance teams: Create and apply standardized checklists and profiles to assess system configurations against security policies.
- Security management and assessment tool developers: Implement import/export, automated testing, result aggregation, and scoring using the XCCDF XML schema.
- Auditors and system administrators: Use XCCDF benchmarks for repeatable compliance checks and to generate tailored guidance for specific environments.
- Government and critical infrastructure providers: Adopt benchmark standards for consistent hardening and verification across agencies and suppliers.
Related standards and provenance
- Based on NIST IR 7275 Revision 4, adopted via ISO/IEC JTC 1 fast-track procedure.
- Complements configuration and vulnerability standards and tool formats used in security assessment ecosystems (e.g., SCAP-related specifications).
Keywords: ISO/IEC 18180:2013, XCCDF 1.2, security configuration, XML schema, benchmark, checklist, compliance testing, tailoring, automated assessment, scoring.
Frequently Asked Questions
ISO/IEC 18180:2013 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2". This standard covers: ISO/IEC 18180:2013 specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and scoring. ISO/IEC 18180:2013 also defines a data model and format for storing results of security guidance or checklist testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.
ISO/IEC 18180:2013 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding; 35.040.50 - Automatic identification and data capture techniques. The ICS classification helps identify the subject area and facilitates finding related standards.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 18180
First edition 2013-06-15
Information technology — Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2
Technologies de l'information — Spécification de XCCDF (Extensible Configuration Checklist Description Format) version 1.2
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any
means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission.
Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
© ISO/IEC 2013 – All rights reserved
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 18180 was prepared by the U.S. National Institute of Standards and Technology (as NIST IR 7275,
Revision 4) and was adopted, under a special “fast-track procedure”, by Joint Technical Committee
ISO/IEC JTC 1, Information technology, in parallel with its approval by the national bodies of ISO and IEC.
NIST Interagency Report 7275 Revision 4
Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2
David Waltermire, Charles Schmidt, Karen Scarfone, Neal Ziring
COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
September 2011
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary for
Standards and Technology and Director
SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.2
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in Federal computer systems. This Interagency Report discusses ITL’s
research, guidance, and outreach efforts in computer security and its collaborative activities with industry,
government, and academic organizations.
National Institute of Standards and Technology Interagency Report 7275 Revision 4, 80 pages (Sep. 2011)
Certain commercial entities, equipment, or materials may be identified in this
document in order to describe an experimental procedure or concept adequately.
Such identification is not intended to imply recommendation or endorsement by the
National Institute of Standards and Technology, nor is it intended to imply that the
entities, materials, or equipment are necessarily the best available for the purpose.
Acknowledgments
The authors of this report, David Waltermire of the National Institute of Standards and Technology
(NIST), Charles Schmidt of The MITRE Corporation, Karen Scarfone of Scarfone Cybersecurity, and
Neal Ziring of the National Security Agency (NSA), wish to thank all contributors to this revision of the
publication, particularly Adam Halbardier of Booz Allen Hamilton, Vladimir Giszpenc, Kent Landfield
and Richard Whitehurst of McAfee, Lisa Nordman of The MITRE Corporation, Joe Wolfkiel of DISA,
and Shane Shaffer and Matt Kerr of G2, Inc.
The authors would also like to acknowledge the following individuals who contributed to the initial
definition and development of the Extensible Configuration Checklist Description Format (XCCDF):
David Proulx, Mike Michnikov, Andrew Buttner, Todd Wittbold, Adam Compton, George Jones, Chris
Calabrese, John Banghart, Murugiah Souppaya, John Wack, Trent Pitsenbarger, and Robert Stafford.
Stephen D. Quinn, Peter Mell, and Matthew Wojcik contributed to Revisions 1, 2, and 3 of this report.
Ryan Wilson of Georgia Institute of Technology also made substantial contributions. Thanks also go to
the Defense Information Systems Agency (DISA) Field Security Office (FSO) Vulnerability Management
System (VMS)/Gold Disk team for extensive review and many suggestions.
Abstract
This report specifies the data model and Extensible Markup Language (XML) representation for the
Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a
structured collection of security configuration rules for some set of target systems. The XCCDF
specification is designed to support information interchange, document generation, organizational and
situational tailoring, automated compliance testing, and scoring. The specification also defines a data
model and format for storing results of security guidance or checklist testing. The intent of XCCDF is to
provide a uniform foundation for expression of security checklists and other configuration guidance, and
thereby foster more widespread application of good security practices.
Audience
The primary audience of the XCCDF specification is government and industry security analysts, and
security management product developers.
Trademark Information
All names are registered trademarks or trademarks of their respective companies.
Contents
1. INTRODUCTION . 1
1.1 PURPOSE AND SCOPE . 1
1.2 DOCUMENT STRUCTURE . 1
1.3 DOCUMENT CONVENTIONS . 1
2. NORMATIVE REFERENCES . 2
3. TERMS, DEFINITIONS, AND ABBREVIATIONS . 3
3.1 XCCDF TERMINOLOGY . 3
3.2 ACRONYMS AND ABBREVIATIONS . 3
4. CONFORMANCE . 4
4.1 PRODUCT CONFORMANCE . 4
4.2 BENCHMARK DOCUMENT CONFORMANCE . 4
5. XCCDF OVERVIEW. 5
5.1 INTRODUCTION . 5
5.2 CHECKLIST STRUCTURE AND TAILORING . 6
5.3 TEST RESULTS . 7
6. XCCDF DATA MODEL . 8
6.1 INTRODUCTION . 8
6.2 GENERAL XML INFORMATION . 9
6.2.1 XCCDF Namespace and XML Schema . 9
6.2.2 Element and Attribute Formatting . 9
6.2.3 Element Identifiers . 10
6.2.4 Element . 10
6.2.5 Platform Names . 11
6.2.6 Element . 12
6.2.7 Element . 13
6.2.8 Status Tracking . 13
6.2.9 Text Substitution . 13
6.2.10 @xml:lang Attribute . 14
6.3 . 15
6.3.1 Basics . 15
6.3.2 Properties . 16
6.4 ITEM ELEMENTS . 18
6.4.1 Properties . 18
6.4.2 Element. 20
6.4.3 Element . 21
6.4.4 Element . 21
6.4.5 Element . 30
6.5 ELEMENT . 34
6.5.1 Basics . 34
6.5.2 Properties . 34
6.5.3 Selectors . 35
6.6 ELEMENT . 37
6.6.1 Basics . 37
6.6.2 Properties . 38
6.6.3 Element . 41
6.6.4 Element . 41
6.6.5 Element . 44
6.7 ELEMENT . 45
6.7.1 Basics . 45
6.7.2 Properties . 45
6.7.3 Profile Shadowing . 46
6.7.4 Tailoring Actions and Profile Selectors . 47
7. XCCDF PROCESSING . 48
7.1 INTRODUCTION . 48
7.2 LOADING AND TRAVERSAL . 48
7.2.1 Introduction . 48
7.2.2 Loading . 48
7.2.3 Traversal . 51
7.3 ASSESSMENT OUTPUTS . 63
7.3.1 Overview . 63
7.3.2 Scoring Models . 63
APPENDIX A— CONVERTING XCCDF 1.1.4 CONTENT TO XCCDF 1.2 . 66
A.1 CHANGES TO THE XCCDF XML NAMESPACE . 66
A.2 CONVERSION OF IDENTIFIERS . 66
A.3 CONVERSION OF ELEMENTS . 66
A.4 PROPERTIES REMOVED OR DEPRECATED SINCE XCCDF 1.1.4 . 67
APPENDIX B— CHANGE LOG . 68
Tables
TABLE 1: CONVENTIONAL XML MAPPINGS . 1
TABLE 2: RECOMMENDED CLASS VALUES . 9
TABLE 3: ELEMENT IDENTIFIER FORMAT CONVENTIONS . 10
TABLE 4: ELEMENT PROPERTIES . 16
TABLE 5: ITEM ELEMENT PROPERTIES . 18
TABLE 6: PROPERTIES SPECIFIC TO AND ELEMENTS . 20
TABLE 7: ELEMENT @CATEGORY ATTRIBUTE VALUES . 21
TABLE 8: ELEMENT PROPERTIES . 21
TABLE 9: ELEMENT PROPERTIES . 23
TABLE 10: ASSIGNED VALUES FOR THE @SYSTEM ATTRIBUTE OF AN ELEMENT . 24
TABLE 11: ELEMENT PROPERTIES . 25
TABLE 12: TRUTH TABLE FOR AND . 27
TABLE 13: TRUTH TABLE FOR OR . 27
TABLE 14: TRUTH TABLE FOR NEGATION . 27
TABLE 15: POSSIBLE PROPERTIES FOR ELEMENT . 28
TABLE 16: POSSIBLE PROPERTIES FOR ELEMENT . 29
TABLE 17: PREDEFINED VALUES FOR @SYSTEM ATTRIBUTE OF ELEMENT . 30
TABLE 18: ELEMENT PROPERTIES . 31
TABLE 19: POSSIBLE PROPERTIES FOR ELEMENT . 32
TABLE 20: PERMITTED OPERATORS BY VALUE TYPE . 33
TABLE 21: ELEMENT PROPERTIES . 35
TABLE 22: SELECTORS . 36
TABLE 23: ELEMENT PROPERTIES . 39
TABLE 24: PREDEFINED @NAME ATTRIBUTE VALUES FOR ELEMENTS . 41
TABLE 25: ELEMENT PROPERTIES . 42
TABLE 26: POSSIBLE RESULTS FOR A SINGLE TEST . 43
TABLE 27: ELEMENT PROPERTIES . 44
TABLE 28: ELEMENT PROPERTIES . 45
TABLE 29: ELEMENT PROPERTIES . 46
TABLE 30: PROFILE SHADOWING BEHAVIOR . 47
TABLE 31: TAILORING ACTIONS AND PROFILE SELECTORS . 47
TABLE 32: LOADING PROCESSING SEQUENCE SUB-STEPS . 48
TABLE 33: INHERITANCE PROCESSING MODEL . 50
TABLE 34: BENCHMARK PROCESSING ALGORITHM SUB-STEPS . 51
TABLE 35: ITEM PROCESSING ALGORITHM SUB-STEPS . 52
TABLE 36: PROFILE SELECTOR EXAMPLE: INITIAL CONFIGURATION . 56
TABLE 37: PROFILE SELECTOR EXAMPLE: INITIAL BENCHMARK STATE . 56
TABLE 38: PROFILE SELECTOR EXAMPLE: FINAL BENCHMARK STATE. 58
TABLE 39: CHECK PROCESSING ALGORITHM SUB-STEPS . 59
TABLE 40: DEFAULT MODEL ALGORITHM SUB-STEPS . 64
TABLE 41: FLAT MODEL ALGORITHM SUB-STEPS . 65
TABLE 42: ALTERNATIVE OPERATIONS FOR REMOVED AND DEPRECATED XCCDF 1.1.4 CONSTRUCTS . 67
TABLE 43: MAPPING PREVIOUS RELEASE SECTIONS TO THIS RELEASE . 69
Figures
FIGURE 1: TYPICAL STRUCTURE OF A BENCHMARK . 15
FIGURE 2: CHECK PROCESSING FLOWCHART (WHEN THE CHECK’S PARENT IS AN ) . 60
FIGURE 3: WORKFLOW FOR ASSESSING BENCHMARK COMPLIANCE. 63
1. Introduction
1.1 Purpose and Scope
This report defines the specification for the Extensible Configuration Checklist Description Format
(XCCDF) version 1.2. The report also defines and explains the requirements that XCCDF 1.2 documents
and products (i.e., software) must meet to claim conformance with the specification. This report only
applies to XCCDF version 1.2. All other versions are outside the scope of this report.
1.2 Document Structure
The remainder of this report is composed of the following sections and appendices:
- Section 2 provides a list of normative references for the report.
- Section 3 defines selected terms and abbreviations used in the report.
- Section 4 provides the high-level requirements for claiming conformance with the XCCDF version 1.2 specification.
- Section 5 gives an overview of XCCDF and its capabilities.
- Section 6 provides an introduction to the XCCDF data model and details additional requirements and recommendations for XCCDF’s use.
- Section 7 discusses XCCDF processing requirements and recommendations.
- Appendix A explains how to convert XCCDF 1.1.4-specific properties to their XCCDF 1.2 counterparts.
- Appendix B provides a change log that documents significant changes to released drafts of this specification. This includes a section-by-section mapping of how the document was reorganized from the previous drafts to this draft. Readers who are familiar with any previous XCCDF versions may find it helpful to review Appendix B first before the rest of the document.
1.3 Document Conventions
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”,
“SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be
interpreted as described in Request for Comment (RFC) 2119 [RFC2119].
Namespace prefixes used in this specification are listed in Table 1.
Table 1: Conventional XML Mappings

| Prefix | Namespace | Schema |
|---|---|---|
| cpe2 | http://cpe.mitre.org/language/2.0 | Common Platform Enumeration (CPE) 2.3 Applicability Language |
| cpe2-dict | http://cpe.mitre.org/dictionary/2.0 | CPE 2.3 Dictionary |
| dc | http://purl.org/dc/elements/1.1/ | Simple Dublin Core elements |
| dsig | http://www.w3.org/2000/09/xmldsig# | Interoperable XML digital signatures |
| xccdf | http://checklists.nist.gov/xccdf/1.2 | XCCDF policy documents |
| xml | http://www.w3.org/XML/1998/namespace | Common XML attributes |
| xsd | http://www.w3.org/2001/XMLSchema | XML Schema |
| xsi | http://www.w3.org/2001/XMLSchema-Instance | XML Schema Instance |
2. Normative References
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
[DCES], DCMI (Dublin Core Metadata Initiative), Dublin Core Metadata Element Set, Version 1.1, October 2010, available at
[DCXML], DCMI, Guidelines for Implementing Dublin Core in XML, April 2003, available at
[ILSR], IANA, IANA Language Subtag Registry (ILSR), available at
[IR7693], NIST, NIST IR 7693, Specification for Asset Identification 1.1, June 2011, available at
[IR7695], NIST, NIST IR 7695, Common Platform Enumeration: Naming Specification Version 2.3, August 2011, available at
[IR7698], NIST, NIST IR 7698, Common Platform Enumeration: Applicability Language Specification Version 2.3, August 2011, available at
[PCRE], Perl Compatible Regular Expressions (PCRE), available at
[RFC2119], IETF, RFC 2119, Key words for use in RFCs to Indicate Requirement Levels, March 1997, available at
[RFC5646], IETF, RFC 5646, Tags for Identifying Languages, September 2009, available at
[UNICODE], Unicode Technical Recommendation No. 18, Unicode Regular Expressions, version 9, January 2004, available at
[XHTML], W3C (World Wide Web Consortium), XHTML Basic, December 2000, available at
[XINCLUDE], W3C, XML Inclusions (XInclude) Version 1.0 (Second Edition), November 2006, available at
[XMLDSIG], W3C, XML Signature Syntax and Processing (Second Edition), June 2008, available at
[XMLNAME], W3C, Namespaces in XML 1.0 (Third Edition), December 2009, available at
[XMLSCHEMA], W3C, XML Schema Part 2: Datatypes Second Edition, October 2004, available at
[XPATH], W3C, XML Path Language (XPath) Version 1.0, November 1999, available at
3. Terms, Definitions, and Abbreviations
For the purposes of this document, the following terms, definitions, and abbreviations apply.
3.1 XCCDF Terminology
Benchmark: The root node of an XCCDF benchmark document; may also be the root node of an
XCCDF results document (the results of evaluating the XCCDF benchmark document).
Benchmark Consumer: A product that accepts an existing XCCDF benchmark document, processes it,
and produces an XCCDF results document.
Benchmark Producer: A product that generates XCCDF benchmark documents.
Checklist: An organized collection of rules about a particular kind of system or platform.
Group: An item that can hold other items; allows an author to collect related items into a common
structure and provide descriptive text and references about them.
Item: A named constituent of a benchmark. The three types of items are groups, rules, and values.
Profile: A named tailoring of a benchmark.
Rule: An element that holds check references and may also hold remediation information.
Tailoring: An element that specifies profiles to modify the behavior of a benchmark; the top-level
element of a tailoring document.
TestResult: The container for XCCDF results. May be the root node of an XCCDF results document.
Value: A named data value that can be substituted into other items’ properties or into checks.
3.2 Acronyms and Abbreviations
CCE Common Configuration Enumeration
CPE Common Platform Enumeration
CVE Common Vulnerabilities and Exposures
DCMI Dublin Core Metadata Initiative
DNS Domain Name System
IANA Internet Assigned Numbers Authority
IR Interagency Report
NIST National Institute of Standards and Technology
OCIL Open Checklist Interactive Language
OVAL Open Vulnerability and Assessment Language
PCRE Perl Compatible Regular Expression
RFC Request for Comments
SCAP Security Content Automation Protocol
SP Special Publication
W3C World Wide Web Consortium
XCCDF Extensible Configuration Checklist Description Format
XHTML Extensible Hypertext Markup Language
XML Extensible Markup Language
4. Conformance
Products and organizations may want to claim conformance with this specification for a variety of
reasons. For example, a software vendor may want to assert that its product generates and/or processes
XCCDF benchmark documents properly. Another example is a policy mandating that an organization use
XCCDF for documenting and executing its security configuration checklists.
This section provides the high-level requirements that a product or benchmark document MUST meet for
conformance with this specification. Most of the requirements listed in this section reference other
sections in the report that fully define the requirements.
Other specifications that use XCCDF MAY define additional requirements and recommendations for
XCCDF’s use. Such requirements and recommendations are outside the scope of this publication.
4.1 Product Conformance
There are two types of XCCDF products: benchmark producers and benchmark consumers. Benchmark
producers are products that generate XCCDF benchmark documents, while benchmark consumers are
products that accept an existing XCCDF benchmark document, process it, and produce an XCCDF results
document. Products claiming conformance with this specification SHALL adhere to the following
requirements:
1. For benchmark producers, generate well-formed XCCDF benchmark documents. This includes
following the benchmark document requirements specified in Section 4.2 and all of the pertinent
processes defined in Sections 6 and 7.
2. For benchmark consumers, consume and process well-formed XCCDF benchmark documents,
and generate well-formed XCCDF results documents. This includes following all of the pertinent
processes defined in Sections 6 and 7.
3. Make an explicit claim of conformance to this specification in any documentation provided to end
users.
4.2 Benchmark Document Conformance
XCCDF benchmark documents claiming conformance with this specification SHALL follow these
requirements:
1. Adhere to the official XCCDF schema as explained in Section 6.
2. Adhere to the syntax, structural, and other XCCDF benchmark document requirements defined in
Sections 6 and 7.
5. XCCDF Overview
5.1 Introduction
XCCDF was created to document technical and non-technical security checklists using a standardized
format. The general objective is to allow security analysts and IT experts to create effective, interoperable
automated checklists, and to support the use of these checklists with a wide variety of tools. A checklist is
an organized collection of rules about a particular kind of system or platform. Automation is necessary for
consistent and rapid verification of system security because of the sheer number of things to check and
the number of hosts within an organization that need to be assessed (often many thousands).
XCCDF enables easier, more uniform creation of security checklists, which in turn helps to improve
system security by more consistent and accurate application of sound security practices. Adoption of
XCCDF lets security professionals, security tool vendors, and system auditors exchange information
more quickly and precisely, and also permits greater automation of security testing and configuration
assessment. Additional capabilities provided by XCCDF include the following:
- Ensure compliance to multiple policies (systems subject to the Federal Information Security Management Act [FISMA], Security Technical Implementation Guide [STIG], Health Insurance Portability and Accountability Act [HIPAA], etc.)
- Permit faster, more cooperative, and more automated definition of security rules, procedures, guidance documents, alerts, advisories, and remediation measures
- Permit fast, uniform, manageable administration of security checks and audits
- Permit composition of security rules and tests from different community groups and vendors
- Facilitate scoring, reporting, and tracking of security status and checklist conformance for systems
The XCCDF specification, which is vendor-neutral, is suited for a wide variety of checklist applications.
XCCDF has an open, standardized format, amenable to generation by and editing with a variety of tools.
In addition, because it is expressed using XML, an XCCDF document is embeddable inside other
documents. XCCDF also includes provisions for incorporating other data formats, and it is extensible to
include new functionality, features, and data stores without hindering the functionality of existing
XCCDF tools.
Since XCCDF’s creation, various commercial, government, and community developers have created tools
that support XCCDF, allowing a single XCCDF checklist to be used by many organizations and many
tools. These tools read an XCCDF checklist and follow it to perform the necessary checks and ask the
necessary questions to measure conformance with the checklist and generate corresponding reports.
A common use case for an XCCDF checklist is normalizing security configuration content through
automated tools. Such tools accept one or more XCCDF checklists along with supporting system test
definitions, and determine whether the specified rules are satisfied by a target system. The XCCDF
checklist supports generation of a report, including a weighted score. XCCDF checklists can also be used
to test whether or not a system is vulnerable to a particular kind of attack. For this purpose, the XCCDF
checklist plays the role of a vulnerability alert, but with the ability to describe the problem, drive
automated verification of its presence, and convey recommendations for corrective actions.
The scenarios below illustrate some uses of XCCDF security checklists and tools.
Scenario 1 – An industry consortium, in conjunction with a product vendor, wants to produce a
security checklist for an application server. The core security settings are the same for all OS
platforms on which the server runs, but a few settings are OS-specific. The consortium crafts one
checklist for the core settings and writes several OS-specific ones that supplement the core
settings. Users download the core checklist and the OS-specific checklists that apply to their
installations, and then run an assessment tool to score their compliance with the checklists.
Scenario 2 – An academic group produces a checklist for secure configuration of a particular
server operating system version. A government agency issues a set of rules extending the
academic checklist to meet more stringent user authorization criteria imposed by statute. A
medical enterprise downloads both the academic checklist and the government extension, tailors
them to fit their internal security policy, and uses them for an enterprise-wide audit using a
commercial security audit tool. Reports output by the tool include remediation measures that
the IT staff can use to bring their systems into full internal policy compliance. (Note that
remediation processes should be carefully planned and implemented.)
These scenarios demonstrate some of XCCDF’s range of capabilities. XCCDF can represent complex
conditions and relationships about the systems to be assessed, and it can incorporate descriptive material
and remediative measures. It is also designed to be modular; for example, XCCDF benchmarks acquire
programmatically ascertainable information through lower-level check system languages.
5.2 Checklist Structure and Tailoring
The basic unit of structure for a checklist is a rule. A rule simply describes a state or condition that the
target of the document should exhibit. A simple checklist might consist of a list of rules, but richer ones
require additional structure. XCCDF allows checklist authors to impose organization within the checklist,
such as putting related rules into named groups and designating the order for processing rules and groups.
Checklist users can employ tailoring tools to customize a checklist’s rules for their local environment or
policies. For example, an auditor might need to set the password policy requirement to be more stringent
than the default recommendation. Another example is that an organization may have trouble applying
particular settings because of legacy systems or conflicts with other software. In cases such as these, the
checklist users may need to tailor the checklist. The following customization options are available:
Selectability – A tailoring action selects or deselects a rule or group of rules. For example, an
entire group of rules that relate to physical security might not apply to a network scan, so that
group could be deselected. In the case of NIST Special Publication (SP) 800-53, certain rules
apply according to the impact rating of the system. For example, systems that have an impact
rating of low might not have all of the same access control requirements as a system with a high
impact rating, so the rules that are not applicable for the low system can be deselected.
Value Modification – A tailoring action substitutes a locally-significant value for a general value
in an XCCDF variable (). This locally-significant value then gets used
wherever the variable is referenced. For example, at a site where all logs are sent to a single host,
the address of that log server could be substituted into an audit configuration variable. Using the
NIST SP 800-53 example, a system with a moderate impact rating might require a 12-character
password, whereas a system with a low impact rating might only require an 8-character password.
Property Modification – A tailoring action modifies a property for an element not addressed by
selectability or value modification. For example, an author could alter the relative weight of
particular rules or groups of rules.
XCCDF 1.2 supports the creation and use of tailoring documents, which define tailoring profiles available
for use with a particular benchmark document. Having a tailoring document allows sets of checklist
customizations to be recorded in a consistent manner.
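As an added example (not text or code from the standard), the following constructed XCCDF 1.2 benchmark and tailoring fragments, together with a hypothetical apply_profile resolver, show all three customization options above being applied from a tailoring profile: a select that deselects a whole group, a set-value that overrides a Value, and a refine-rule that changes a rule's weight.

```python
import xml.etree.ElementTree as ET

NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}
X = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed benchmark: a password-length Value, an access-control group and a physical-security group.
BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Value id="xccdf_example_value_pwlen" type="number"><value>8</value></Value>
  <Group id="xccdf_example_group_access">
    <Rule id="xccdf_example_rule_pwlen" selected="true" weight="1.0"/>
  </Group>
  <Group id="xccdf_example_group_physical">
    <Rule id="xccdf_example_rule_doorlock" selected="true" weight="1.0"/>
  </Group>
</Benchmark>"""

# Constructed tailoring profile: deselect the physical group (selectability), require a
# 12-character password (value modification), and raise the rule's weight (property modification).
TAILORING = """<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring_moderate">
  <Profile id="xccdf_example_profile_moderate">
    <select idref="xccdf_example_group_physical" selected="false"/>
    <set-value idref="xccdf_example_value_pwlen">12</set-value>
    <refine-rule idref="xccdf_example_rule_pwlen" weight="5.0"/>
  </Profile>
</Tailoring>"""

def apply_profile(benchmark_xml, tailoring_xml, profile_id):
    """Hypothetical resolver: returns effective per-rule selection/weight and effective Values."""
    bench = ET.fromstring(benchmark_xml)
    profile = ET.fromstring(tailoring_xml).find(f"xccdf:Profile[@id='{profile_id}']", NS)
    values = {v.get("id"): v.findtext("xccdf:value", namespaces=NS) for v in bench.iter(X + "Value")}
    for sv in profile.findall("xccdf:set-value", NS):          # value modification
        values[sv.get("idref")] = sv.text
    selects = {s.get("idref"): s.get("selected") == "true"      # selectability
               for s in profile.findall("xccdf:select", NS)}
    weights = {r.get("idref"): float(r.get("weight"))           # property modification
               for r in profile.findall("xccdf:refine-rule", NS) if r.get("weight")}
    rules = {}

    def walk(node, parent_selected):
        # A rule is effective only if it and every enclosing group are selected (default is true).
        for child in node:
            if child.tag not in (X + "Group", X + "Rule"):
                continue
            own = selects.get(child.get("id"), child.get("selected", "true") == "true")
            sel = parent_selected and own
            if child.tag == X + "Rule":
                rules[child.get("id")] = {"selected": sel, "weight": weights.get(
                    child.get("id"), float(child.get("weight", "1.0")))}
            else:
                walk(child, sel)
    walk(bench, True)
    return rules, values
```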
XCCDF allows checklists to include descriptive and interrogative text to help checklist users make
tailoring decisions, even directing users through the process. Some combinations of rules within the same
checklist might conflict or be mutually exclusive. To avert problems, the checklist author can identify
particular tailor
...