FDCC compliance slowed by manual checks

FDCC compliance slowed by manual checks
FDCC compliance slowed by manual checks 

By Joab Jackson

Ensuring that each agency desktop computer is compliant with the Office 
of Management and Budget's Federal Desktop Core Configuration requires 
16 checks that need to be done by hand. Such manual checks can 
complicate agency efforts to hit today's OMB deadline for reporting FDCC 
compliance, said Amrit Williams, chief technology officer at enterprise 
systems and security management company BigFix.

"It puts a lot of burden on the folks who have to generate the reports 
and do the assessments, he said. Most people are struggling just to do 
the automated stuff. Not only must they scan their environments to 
generate a report, but they have to modify the [resulting] reports to 
accommodate information coming from these manual checks."

Today is the day agencies must submit a report to OMB about how many 
computers they have that are compliant with FDCC settings. NIST is also 
expected today to release a list of those tools that can perform the 
FDCC checks automatically. While some companies already offer automated 
scanning tools, these tools probably will not be able to execute all the 
checks required under FDCC.

According to Mitre lead information security engineer Andrew Buttner, 
who spoke at the National Institute of Standards and Technology's 2008 
Federal Desktop Core Configuration Implementers Workshop last week, a 
FDCC Security Content Automation Protocol testing team found that 98 
percent of the checks needed for FDCC could be done automatically. 
However, Windows Vista, Windows XP and Internet Explorer all had 
settings that could only be updated and checked by hand.

Buttner said Windows XP has a total of 279 FDCC checks and Windows Vista 
has 328 FDCC checks. In addition, Internet Explorer 7, which runs on 
both operating systems, has an additional 122 FDCC checks.

Of these sets, Windows XP has seven items that need to be checked by 
hand, Windows Vista has eight checks and Internet Explorer has one.

"We mark those 16 as unknown tests in the content, which basically says 
it is unknown how to automate the checking of that setting," Buttner 
said. The unknown status means either that the check cannot be automated 
or that the checking process doesn't work, the documentation states.

The SCAP team is currently working with Microsoft to find ways that 
these settings could be checked in an automated fashion. "They are the 
subject matter experts and hopefully know how to perform that test," 
Buttner said. "As of today, we're still waiting to get those answers 

Among the checks that remain unautomated include those that offer the 
ability to check IPv6 settings in the firewall, and to check some 
Kerberos settings with Windows XP and Windows Vista, and one in Internet 
Explorer that permits the browser to automatically install programs.

Until some sort of path to automation is provided, Williams said, the 
manual checks will "add a level of complexity" to all aspects of the 
FDCC process, from reporting and assessment to remediation.

In some cases the administrators must visit each desktop computer, such 
as the IPv6 settings, and check the setting from there. With other 
checks, such as those around Kerberos, they can be checked at the server 

Plus the manual checks introduce yet another level of complexity, if the 
agency is using an external party to manage their computers. "If they 
are using an automated tool, it is agreed upon that they do not have to 
interact with the server operation team they can just run the tool and 
generate the report, Williams said. But if they do not own the box, now 
they have to go to the third party and ask them to do the manual 

How much this affects agencies trying to get in compliance with FDCC is 
an open question.

Agencies have two choices, they can do the checks manually or use 
nonvalidated SCAP-capable tools and accept some risk, said Peter Mell, 
who leads NISTs SCAP project. There are hundreds of settings, but it can 
be done. We have a staff member who does it regularly.

Williams' company BigFix offers software (BigFix Enterprise Server) that 
does asset discovery and compliance testing and enforcement, and 
includes a template for checking network machines for FDCC compliance. 
Like other offerings, the software has to work around the manual checks.

"We're struggling with the same issues that everyone else is, Williams 
said. So we just have a note in our report that says it does not include 
the following checks."

Jason Miller contributed to this report.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods