By Mary Mosquera
Office of Management and Budget officials believe a standard computer
desktop configuration will dramatically improve security governmentwide,
said Karen Evans, OMB's administrator for e-government and information
technology. Agencies upgrading their computers to Microsoft Windows XP
or Vista must adopt the Federal Desktop Core Configuration (FDCC)
standard by February 2008, she said.
Agencies otherwise will move to the FDCC standard when they plan to
update their computers, she said. OMB published three memos this year on
plans for the standard configuration.
The Security Content Automation Program (SCAP) is automated software
that can help agencies implement the standard configuration by
monitoring adherence to the configuration by applications and system
Not all agencies support a standard configuration. Some people are
concerned, however, that OMB and the National Institute of Standards and
Technology have been so transparent in publishing documents for the FDCC
standard and SCAP that hackers could exploit vulnerabilities, she said.
"It is possible that we could be vulnerable, but right now, I would have
to say that we can't be more vulnerable than where we are today," Evans
said today at a security conference sponsored by NIST. "We have utter
chaos going on. We're losing information. We don't know what's coming and
going. We're losing laptops that people didn't even know we had."
Agencies that want to deviate from the configuration must apply for a
waiver and document why their operations require it. NIST will track
these changes to determine if there is a pattern that reflects a problem
with settings in the standard configuration, Evans said.
"We did err on the high side of these settings so there would be more
security," she said.
OMB also requires that vendors incorporate SCAP to ensure that their
software and hardware products operate as intended on the federal secure
configuration, and agencies must verify that the companies have
satisfied that requirement. Vendor products must not alter the standard
NIST, for example, has worked with Microsoft to develop a secure
configuration for its operating systems that opens in a window over the
desktop in a virtual machine image, said Matthew Barrett, co-lead of
NIST's Information Security Automation Program.
Because it is automated, SCAP will let agencies stay on top of
vulnerabilities better than manual methods, said Alan Paller, research
director at the SANS Institute. Senior managers also can get full
visibility into the security status of systems and networks.