National Institute of Standards and Technology (NIST) - Information technology Laboratory (ITL)

XCCDF - The eXtensible Configuration Checklist Description Format

XCCDF Logo

XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.

XCCDF documents are expressed in XML, and may be validated with an XML Schema-validating parser.

Development of the XCCDF specification is being led by NSA, with contributions from other agencies and organizations. The current public draft of the specification document and related files can be downloaded below. A mailing list for XCCDF developers is available, please subscribe to participate in discussions. A publicly available archive of the XCCDF mailing list is also available.

XCCDF Specification Resources

XCCDF 1.1.4 Resources

Documents:
XCCDF Specification 1.1.4 (PDF) - January 2008
Changes to XCCDF Specification since 1.1.3 (DOC)
XML Schema Files: [what is a schema?]
XCCDF 1.1.4 Schema (XSD 1.0)
Complete 1.1.4 Schema Bundle (Zip)
Check Implementations:
Open Checklist Interactive Language (OCIL)
Open Vulnerability and Assessment Language (OVAL)

XCCDF 1.1.3 Resources

Documents:
XCCDF Specification 1.1.3 draft (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.1.3 Schema (XSD 1.0)
Complete 1.1.3 Schema Bundle (Zip)
Samples:
Example XCCDF 1.1.3 Benchmark (XCCDF, raw XML)

XCCDF 1.1.2 Resources

Documents:
XCCDF Specification 1.1.2 (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.1.2 Schema (XSD 1.0)
Complete 1.1.2 Schema Bundle (Zip)

XCCDF 1.1 Resources

Documents:
XCCDF Specification 1.1 (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.1 Schema (XSD 1.0)
XCCDF-P 1.1 Schema (XSD 1.0)
Complete 1.1 Schema Bundle (Zip)
Samples:
Example XCCDF 1.1 Benchmark (XCCDF, raw XML)
[note: sample uses XCCDF-P 1.0 specification which will be subsumed by XCCDF-P 1.1]

XCCDF 1.0 Resources

Documents:
XCCDF Specification 1.0 (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.0 Schema (XSD 1.0)
CIS Platform Schema (XSD 1.0)
Complete 1.0 Schema Bundle (Zip)
Samples:
Example XCCDF 1.0 Benchmark (XCCDF, raw XML)
Example XCCDF->XHTML stylesheet(XSLT)
Stylesheet output samples:
XHTML (pre-transformed)
XML (transform at browser)

Additional Notes:

XCCDF was designed to support integration with multiple underlying configuration checking 'engines'. The expected or default checking technology is MITRE's OVAL(™). More information about OVAL maybe found at The MITRE Corporation OVAL web site.

For document and reference metadata, XCCDF uses the Dublin Core Metadata element set. For more information about Dublin Core Metadata, visit the DCMI web site.

Validating an XCCDF document against the XCCDF schema requires several supplementary schema and DTD files. To download all of the required files, select 'Complete Schema Bundle' above.