OMB directs use and proof of security settings
- By Mary Mosquera
- Aug 13, 2008
he Office of Management and Budget has published guidance to help agencies implement the first major version of the Federal Desktop Core Configuration (FDCC) when they update to the Microsoft Windows XP or Vista operating system.
The configuration applies to all desktop and laptop PCs but not to servers, said Karen Evans, OMB’s administrator for e-government and information technology, in a memo released Aug. 12.
“It is important for the collective security of the federal government for all the Windows XP and Windows Vista computers to meet or exceed FDCC, regardless of function,” Evans said.
FDCC provides a standard configuration to improve IT security, and OMB officials have said it should make updates, such as installing virus patches, faster and more effective.
In June, agencies submitted detailed technical plans to OMB about their implementation of FDCC security settings. In July, OMB directed agencies to include a description of the FDCC elements they have implemented in their Federal Information Security Management Act (FISMA) annual reports.
The National Institute of Standards and Technology, which released the first major FDCC version in June, provides descriptions of the correct settings and a checklist for applying them. To assist agencies, NIST also offers Security Content Automation Protocol content, which, along with other SCAP tools that have FDCC scanning capability, can validate the security settings on Windows operating systems, Evans said.
“Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring,” Evans said.
Federal and industry IT providers must use SCAP software to prove that their products adhere to FDCC settings, she said. In February, procurement regulators added FDCC to federal acquisition rules. Agency chief information officers must choose vendors that have made assertions regarding their products’ support for FDCC, Evans said.
Mary Mosquera is a reporter for Federal Computer Week.