
Desktop security eases into place

By Jason Miller
Published on January 21, 2008



Common questions about FDCC policy

The National Institute of Standards and Technology created a frequently asked questions Web page and set up an e-mail address to help agency officials understand the Federal Desktop Core Configuration (FDCC) policy for Microsoft Windows XP and Vista.

Matt Barrett, a NIST senior computer scientist, identified two questions that agencies ask most frequently. They are:

Q: Does the secure configuration policy apply to special-purpose computers, such as those for scientific, medical, process control or experimental uses?

A: The primary targets of FDCC are general-purpose systems, such as desktop and laptop PCs. Embedded computers, process control systems, specialized scientific or experimental systems, and similar systems using Windows XP or Vista are not included under the policy. However, agencies should still weigh using the FDCC security configuration wherever it is feasible and appropriate.

Q: How do I report compliance and deviations? To whom do I report that information? Is there a specific reporting format?

A: The Office of Management and Budget policy recognizes that agencies may determine that settings in the FDCC are impractical. In a March 20 memo to federal chief information officers, OMB instructed agencies to provide NIST with documentation of any deviations from the FDCC and the rationale for them. Agencies can report compliance in terms of numbers of compliant and noncompliant computers. OMB plans to issue additional reporting guidelines.


With a Feb. 1 deadline approaching, some federal agencies are finding it easier than they anticipated to implement a new governmentwide software security policy. According to the policy, they must configure the majority of their desktop computers using standard software security settings, commonly referred to as the Federal Desktop Core Configuration (FDCC).

Ken Page, Microsoft’s FDCC program manager, said the company is working with 25 agencies to install the core configuration on desktop computers running Microsoft Windows XP and Vista. Most agencies aren’t having any major problems, he said.

In addition to the Feb. 1 deadline, the Office of Management and Budget and the National Institute of Standards and Technology extended a deadline to March 31 for agencies to produce detailed technical reports on their FDCC work. OMB said the Feb. 1 deadline is still in effect. Agencies must complete their configuration work or show progress by that date.

OMB has been tracking agencies’ progress toward compliance with the secure configuration standard through its quarterly management scorecard process, said Karen Evans, OMB’s administrator for information technology and e-government. Evans could not provide a detailed status report.

The March 31 deadline will give agencies additional time to procure Security Content Automation Protocol (SCAP) tools as they become available from NIST, said Matt Barrett, senior computer scientist and information security researcher at NIST, who works on the FDCC program.

Such technical tools provide proof that computers have the proper security settings.

Agencies need time to become familiar with SCAP-based configuration scanners “and to scan, aggregate, analyze and submit SCAP results files,” Barrett said.
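The reporting workflow described above (scan each desktop with an SCAP-based scanner, then aggregate the results files into counts of compliant and noncompliant computers, with documented deviations called out separately) can be sketched in a few dozen lines. The script below is an added illustration written for this page, not code from NIST, OMB or any vendor's scanner. It assumes the results are XCCDF 1.1 result documents (the `TestResult` / `rule-result` / `result` elements and the `http://checklists.nist.gov/xccdf/1.1` namespace); the host names, rule identifiers and deviation rationale embedded in it are constructed sample data, not FDCC settings.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: results come from an XCCDF 1.1 scanner (the SCAP version in use in 2008).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# XCCDF result values that mean the rule is not satisfied on the host.
FAILING = {"fail", "error", "unknown"}

# Constructed sample results: two files in the two shapes a scanner may emit
# (TestResult nested inside a Benchmark, or a standalone TestResult).
SAMPLE_FILES = [
    f"""<Benchmark xmlns="{XCCDF_NS}" id="sample-benchmark">
  <TestResult id="scan-1"><target>ws-01</target>
    <rule-result idref="rule-A"><result>pass</result></rule-result>
    <rule-result idref="rule-B"><result>pass</result></rule-result>
    <rule-result idref="rule-C"><result>pass</result></rule-result>
  </TestResult>
  <TestResult id="scan-2"><target>ws-02</target>
    <rule-result idref="rule-A"><result>pass</result></rule-result>
    <rule-result idref="rule-B"><result>fail</result></rule-result>
    <rule-result idref="rule-C"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>""",
    f"""<TestResult xmlns="{XCCDF_NS}" id="scan-3"><target>ws-03</target>
    <rule-result idref="rule-A"><result>pass</result></rule-result>
    <rule-result idref="rule-B"><result>notchecked</result></rule-result>
    <rule-result idref="rule-C"><result>fail</result></rule-result>
</TestResult>""",
]

# Constructed deviation register: rule id -> rationale the agency documented for NIST.
SAMPLE_DEVIATIONS = {
    "rule-B": "legacy line-of-business application requires this setting (constructed)",
}


def parse_results(xml_text):
    """Return {target: {rule_id: result}} for every TestResult in one results file."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for tr in root.iter(f"{{{XCCDF_NS}}}TestResult"):  # iter() includes root itself
        target = tr.findtext("x:target", namespaces=NS)
        rules = {}
        for rr in tr.findall("x:rule-result", NS):
            rules[rr.get("idref")] = rr.findtext("x:result", namespaces=NS)
        hosts[target] = rules
    return hosts


def assess_host(rules, deviations):
    """Classify one host: failing rules with a documented deviation are reported
    as waived rather than counted against compliance."""
    failed, waived = [], []
    for rule_id, result in rules.items():
        if result in FAILING:
            (waived if rule_id in deviations else failed).append(rule_id)
    return {"compliant": not failed, "failed": failed, "waived": waived}


def aggregate(files, deviations):
    """Roll per-host assessments up into the counts OMB asks agencies to report."""
    summary = {"compliant": 0, "noncompliant": 0, "hosts": {}, "rule_failures": Counter()}
    for xml_text in files:
        for target, rules in parse_results(xml_text).items():
            verdict = assess_host(rules, deviations)
            summary["hosts"][target] = verdict
            summary["compliant" if verdict["compliant"] else "noncompliant"] += 1
            summary["rule_failures"].update(verdict["failed"])
    return summary


def report_lines(summary, deviations):
    """Human-readable report: totals, top failing rules, and the deviation rationale."""
    lines = [f"compliant={summary['compliant']} noncompliant={summary['noncompliant']}"]
    for rule_id, n in summary["rule_failures"].most_common():
        lines.append(f"  undocumented failure: {rule_id} on {n} host(s)")
    for rule_id, why in deviations.items():
        hosts = [h for h, v in summary["hosts"].items() if rule_id in v["waived"]]
        lines.append(f"  documented deviation: {rule_id} on {hosts}: {why}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(aggregate(SAMPLE_FILES, SAMPLE_DEVIATIONS), SAMPLE_DEVIATIONS)))
```

The split between "failed" and "waived" is the point: a host whose only failing rule has a documented deviation counts as compliant in the totals, while the deviation and its rationale are still listed for NIST, which keeps the numeric report honest without hiding the settings the agency chose not to apply.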

NIST expects to have SCAP validation tools ready for agencies to use by Feb. 1, said Peter Mell, who leads NIST’s SCAP project.

“There is a risk for agencies that use nonvalidated tools,” Mell said. “They can either accept the risk or manually check the configurations.” Knowledgeable staff members can perform the configuration checks manually — without the tools, he said. Complying with FDCC policy should pose few technical problems, industry and government officials said.

“There are no real challenges to building [operating system software] images and rolling them out,” Page said. “Most agencies removed the [system] administrative privileges, and that eliminated 90 percent of all application-compatibility issues.”

Page said the FDCC policy’s mandatory security settings don’t prevent applications from running. In some cases, agencies want to use a higher level of encryption than the FDCC requires, he added.
