
[ISN] Desktop security eases into place


By Jason Miller
January 21, 2008

With a Feb. 1 deadline approaching, some federal agencies are finding it 
easier than they anticipated to implement a new governmentwide software 
security policy. According to the policy, they must configure the 
majority of their desktop computers using standard software security 
settings, commonly referred to as the Federal Desktop Core Configuration 

Ken Page, Microsoft's FDCC program manager, said the company is working 
with 25 agencies to install the core configuration on desktop computers 
running Microsoft Windows XP and Vista. Most agencies aren't having any 
major problems, he said.

In addition to the Feb. 1 deadline, the Office of Management and Budget 
and the National Institute of Standards and Technology extended a 
deadline to March 31 for agencies to produce detailed technical reports 
on their FDCC work. OMB said the Feb. 1 deadline is still in effect. 
Agencies must complete their configuration work or show progress by that 

OMB has been tracking agencies' progress toward compliance with the 
secure configuration standard using the agency's quarterly management 
score card process, said Karen Evans, OMB's administrator for information 
technology and e-government. Evans could not provide a detailed status 

The March 31 deadline will give agencies additional time to procure 
Secure Content Automation Protocol (SCAP) tools as they become available 
from NIST, said Matt Barrett, senior computer scientist and information 
security researcher at NIST, who works on the FDCC program.

Such technical tools provide proof that computers have the proper 
security settings.

Agencies need time to become familiar with SCAP-based configuration 
scanners and to scan, aggregate, analyze and submit SCAP results files, 
Barrett said.

NIST expects to have SCAP validation tools ready for agencies to use by 
Feb. 1, said Peter Mell, who leads NIST's SCAP project.

There is a risk for agencies that use nonvalidated tools, Mell said. 
They can either accept the risk or manually check the configurations. 
Knowledgeable staff members can perform the configuration checks 
manually without the tools, he said. Complying with FDCC policy should 
pose few technical problems, industry and government officials said.

There are no real challenges to building [operating system software] 
images and rolling them out, Page said. Most agencies removed the 
[system] administrative privileges, and that eliminated 90 percent of 
all application-compatibility issues.

Page said the FDCC policy's mandatory security settings don't prevent 
applications from running. In some cases, agencies want to use a higher 
level of encryption than the FDCC requires, he added.
