By Jason Miller
January 21, 2008
With a Feb. 1 deadline approaching, some federal agencies are finding it
easier than they anticipated to implement a new governmentwide software
security policy. According to the policy, they must configure the
majority of their desktop computers using standard software security
settings, commonly referred to as the Federal Desktop Core Configuration
Ken Page, Microsofts FDCC program manager, said the company is working
with 25 agencies to install the core configuration on desktop computers
running Microsoft Windows XP and Vista. Most agencies arent having any
major problems, he said.
In addition to the Feb. 1 deadline, the Office of Management and Budget
and the National Institute of Standards and Technology extended a
deadline to March 31 for agencies to produce detailed technical reports
on their FDCC work. OMB said the Feb. 1 deadline is still in effect.
Agencies must complete their configuration work or show progress by that
OMB has been tracking agencies progress toward compliance with the
secure configuration standard using the agencys quarterly management
score card process, said Karen Evans, OMBs administrator for information
technology and e-government. Evans could not provide a detailed status
The March 31 deadline will give agencies additional time to procure
Secure Content Automation Protocol (SCAP) tools as they become available
from NIST, said Matt Barrett, senior computer scientist and information
security researcher at NIST, who works on the FDCC program.
Such technical tools provide proof that computers have the proper
Agencies need time to become familiar with SCAP-based configuration
scanners and to scan, aggregate, analyze and submit SCAP results files,
NIST expects to have SCAP validation tools ready for agencies to use by
Feb. 1, said Peter Mell, who leads NISTs SCAP project.
There is a risk for agencies that use nonvalidated tools, Mell said.
They can either accept the risk or manually check the configurations.
Knowledgeable staff members can perform the configuration checks
manually without the tools, he said. Complying with FDCC policy should
pose few technical problems, industry and government officials said.
There are no real challenges to building [operating system software]
images and rolling them out, Page said. Most agencies removed the
[system] administrative privileges, and that eliminated 90 percent of
all application-compatibility issues.
Page said the FDCC policys mandatory security settings dont prevent
applications from running. In some cases, agencies want to use a higher
level of encryption that the FDCC requires, he added.
Subscribe to InfoSec News