Evans: Desktop standards will make networks safer

Office of Management and Budget officials believe a standard computer desktop configuration will dramatically improve security governmentwide, said Karen Evans, OMB’s administrator for e-government and information technology. Agencies upgrading their computers to Microsoft Windows XP or Vista must adopt the Federal Desktop Core Configuration (FDCC) standard by February 2008, she said.

Agencies otherwise will move to the FDCC standard when they plan to update their computers, she said. OMB published three memos this year on plans for the standard configuration.

The Security Content Automation Program (SCAP) is automated software that can help agencies implement the standard configuration by monitoring whether applications adhere to the configuration and by tracking system vulnerabilities.

Not all agencies support a standard configuration. Some people are also concerned that OMB and the National Institute of Standards and Technology have been so transparent in publishing documents for the FDCC standard and SCAP that hackers could exploit vulnerabilities, she said.

“It is possible that we could be vulnerable, but right now, I would have to say that we can’t be more vulnerable than where we are today,” Evans said today at a security conference sponsored by NIST. “We have utter chaos going on. We’re losing information. We don’t know what’s coming and going. We’re losing laptops that people didn’t even know we had.”

Agencies that want to deviate from the configuration must apply for a waiver and document why their operations require it. NIST will track these deviations to determine whether a pattern emerges that reflects a problem with settings in the standard configuration, Evans said.
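As an added illustration of the two mechanisms described above, automated adherence monitoring and waiver tracking, the following Python checks agency reports against a baseline, skips documented waivers, and flags settings that many agencies fail. This is example code, not from the article or from NIST's SCAP tooling; every setting name, value and agency report in it is a constructed placeholder, not real FDCC content.

```python
"""Baseline-compliance check in the spirit of FDCC/SCAP monitoring.

Constructed example: the setting names, values and agency reports are
hypothetical placeholders, not actual FDCC settings or SCAP content.
"""
from collections import Counter

# Hypothetical baseline: setting name -> required value (placeholder values).
BASELINE = {
    "password_min_length": 12,
    "screen_lock_timeout_min": 15,
    "autorun_enabled": False,
    "guest_account_enabled": False,
}

def deviations(observed, waivers=()):
    """Return {setting: (required, actual)} for settings that differ from the
    baseline and are not covered by a documented waiver. A setting missing
    from the observed report counts as a deviation (actual=None)."""
    waived = set(waivers)
    out = {}
    for setting, required in BASELINE.items():
        actual = observed.get(setting)
        if actual != required and setting not in waived:
            out[setting] = (required, actual)
    return out

def deviation_pattern(reports, threshold=2):
    """Count unwaived deviations per setting across agencies. A setting that
    many agencies fail may indicate a problem with the baseline itself, the
    pattern the article says NIST will look for through the waiver process.
    reports: list of (agency, observed_settings, waived_settings)."""
    counts = Counter()
    for _agency, observed, waivers in reports:
        counts.update(deviations(observed, waivers).keys())
    return {s: n for s, n in counts.items() if n >= threshold}

# Constructed sample reports from three hypothetical agencies.
SAMPLE_REPORTS = [
    ("agency-a", {"password_min_length": 12, "screen_lock_timeout_min": 30,
                  "autorun_enabled": False, "guest_account_enabled": False}, ()),
    ("agency-b", {"password_min_length": 8, "screen_lock_timeout_min": 30,
                  "autorun_enabled": True, "guest_account_enabled": False},
     ("autorun_enabled",)),  # waiver documented for a legacy application
    ("agency-c", {"password_min_length": 12, "screen_lock_timeout_min": 30,
                  "guest_account_enabled": False}, ()),  # autorun not reported
]

if __name__ == "__main__":
    for agency, observed, waivers in SAMPLE_REPORTS:
        print(agency, deviations(observed, waivers))
    print("pattern:", deviation_pattern(SAMPLE_REPORTS))
```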

“We did err on the high side of these settings so there would be more security,” she said.

OMB also requires that vendors incorporate SCAP to ensure that their software and hardware products operate as intended on the federal secure configuration, and agencies must verify that the companies have satisfied that requirement. Vendor products must not alter the standard configuration.

NIST, for example, has worked with Microsoft to develop a secure configuration for its operating systems that is distributed as a virtual machine image and opens in a window over the desktop, said Matthew Barrett, co-lead of NIST's Information Security Automation Program.

Because it is automated, SCAP will let agencies stay on top of vulnerabilities better than manual methods, said Alan Paller, research director at the SANS Institute. Senior managers also can get full visibility into the security status of systems and networks.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
