OMB directs use and proof of security settings

he Office of Management and Budget has published guidance to help agencies implement the first major version of the Federal Desktop Core Configuration (FDCC) when they update to the Microsoft Windows XP or Vista operating system.

The configuration applies to all desktop and laptop PCs but not to servers, said Karen Evans, OMB’s administrator for e-government and information technology, in a memo released Aug. 12.

“It is important for the collective security of the federal government for all the Windows XP and Windows Vista computers to meet or exceed FDCC, regardless of function,” Evans said.

FDCC provides a standard configuration to improve IT security, and OMB officials have said it should make updates, such as installing virus patches, faster and more effective.

In June, agencies submitted detailed technical plans to OMB about their implementation of FDCC security settings. In July, OMB directed agencies to include a description of the FDCC elements they have implemented in their Federal Information Security Management Act (FISMA) annual reports.

The National Institute of Standards and Technology, which released the first major FDCC version in June, provides descriptions of the correct settings and a checklist for applying them. To assist agencies, NIST also offers Security Content Automation Protocol content, which, along with other SCAP tools that have FDCC scanning capability, can validate the security settings on Windows operating systems, Evans said.

“Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring,” Evans said.

Federal and industry IT providers must use SCAP software to prove that their products adhere to FDCC settings, she said. In February, procurement regulators added FDCC to federal acquisition rules. Agency chief information officers must choose vendors that have made assertions regarding their products’ support for FDCC, Evans said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Cybersecurity
    malware detection (Alexander Yakimov/Shutterstock.com)

    Microsoft targets copycat influence websites

    Microsoft went to court to take down websites it believes to be part of a foreign intelligence operation targeting conservative think tanks and the U.S. Senate.

  • Cybersecurity
    secure network

    FAA explores shifting its network to FISMA high

    The Federal Aviation Administration is exploring an upgrade to the information security categorization of IT systems as part of air traffic control modernization.

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.