By William Jackson
A new Web page  hosted by the National Institute of Standards and
Technology lists products that have been validated to scan the security
configurations of Windows operating systems on federal desktop PCs.
The scanners use the Security Content Automation Protocol to check for
compliance with the Federal Desktop Core Configuration (FDCC) standards.
So far, three products have been validated by independent laboratories
under NISTs National Voluntary Laboratory Accreditation Program.
The Office of Management and Budget required agencies that use Windows
XP and Vista to comply with the FDCC by Feb. 1. OMB also required
agencies to use SCAP scanning tools to ensure that configurations were
not being altered.
Your agency can now acquire information technology products that are
self-asserted by information technology providers as compliant with the
Windows XP & Vista FDCC, and use NISTs Security Content Automation
Protocol to help evaluate providers self-assertions, OMB wrote in a July
31 memo to federal chief information officers. However, information
technology providers must use SCAP-validated tools, as they become
available, to certify their products do not alter these configurations,
and agencies must use these tools when monitoring use of these
NIST developed SCAP in cooperation with the Defense and Homeland
Security departments and Mitre Corp. to provide technical specifications
for identifying, enumerating, assigning and sharing security-related
data. Vendors have developed tools using the protocol to help automate
IT security operations, but as with any protocol, proper implementation
must be validated.
NIST established a SCAP validation program last summer, accrediting
three laboratories, and the first FDCC scanners have recently been
evaluated. The new page is hosted in NISTs National Vulnerability
Database Web site. Currently validated products all scan only Windows XP
Professional SP 2. They are:
* SecureFusion v3.501 from Gideon Technologies Inc. of Duluth, Ga.
* C5 Compliance Platform v. 3.3.1 from Secure Elements Inc. of
* Secutor Prime v2.0.4 from ThreatGuard Inc. of San Antonio.
Meanwhile, a number of other products are in the process of being
Currently accredited laboratories are EWA-Canada, of Ottawa; SAIC
Accredited Testing and Evaluation Laboratories, of Columbia, Md.; and
ICSA Labs of Mechanicsburg, Pa.
Subscribe to InfoSec News