While working with our clients to establish appropriate system hardening standards for PCI compliance, we are often asked to provide resources and guidance that can be referenced as additional system and operating system types are deployed. The following NIST resource can be most helpful in this regard.
The National Checklist Program (NCP), defined by the NIST SP 800-70 Rev. 1, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP). SCAP enables standards based security tools to automatically perform configuration checking using NCP checklists.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services