What is XCCDF (Extensible Configuration Checklist Description Format)? - Definition from WhatIs.com


XCCDF (Extensible Configuration Checklist Description Format)

Part of the Compliance glossary:

XCCDF (Extensible Configuration Checklist Description Format) is a specification language for writing security checklists, benchmarks and related types of documents. XCCDF is supported by the US National Security Agency’s Information Assurance Directorate, the Center for Internet Security and MITRE.

The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing and compliance scoring. It also defines a data model and format for storing results of benchmark compliance testing. XCCDF documents are expressed in XML and can be validated with an XML validating parser.

According to Chris Calabrese from the Center for Internet Security:

Every system administrator has local policies and standards that their systems are supposed to comply with, and there are many security-audit tools to check compliance. However, many of these tools don’t allow easy customization to local policy, or to drop in new third-party policy definitions. XCCDF is an XML-based format that addresses these problems by providing a unified way to describe:

- System configuration policies/benchmarks/standards such those from the Center for Internet Security or the NSA’s Security Configuration Guides.

- How software can evaluate systems for policy compliance using Mitre’s Open Vulnerability Assessment Language or similar schemes.

- How people and/or software can fix systems that don’t comply.

- How well a particular system conforms to a policy for reporting purposes.


Learn more:

NIST provides the lastest XCCDF specifications and related resources.

Benchmark Editor is a Java-based tool for XCCDF benchmark documents.

This was last updated in February 2012
Posted by: Margaret Rouse

Related Terms


  • Regulation Fair Disclosure (Regulation FD or Reg FD)

    - Regulation Fair Disclosure is a rule passed by the U.S. Securities and Exchange Commission that aims to prevent selective disclosure of information by requiring publicly traded companies to make pu... (SearchCompliance.com)

  • Freedom on the Net report

    - Freedom on the Net is an annual report on the extent to which people in countries around the globe can publish and access Internet content without undue restriction and have their rights respected. (WhatIs.com)

  • corporate performance

    - Corporate performance is a composite assessment of how well an organization executes on its most important parameters, typically financial, market and shareholder performance. (WhatIs.com)


  • Compliance

    - Terms related to compliance, including regulatory definitions and words and phrases about governance and mitigating IT risk.

  • Internet applications

    - This WhatIs.com glossary contains terms related to Internet applications, including definitions about Software as a Service (SaaS) delivery models and words and phrases about web sites, e-commerce ...

Ask a Question About XCCDF (Extensible Configuration Checklist Description Format)Powered by ITKnowledgeExchange.com

Get answers from your peers on your most technical challenges

Tech TalkComment



    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.