OMB to verify agency work on security settings

The Office of Management and Budget plans to verify the data that agencies submitted about their progress in implementing the Federal Desktop Core Configuration (FDCC) by using a statistical sampling approach that assesses policy compliance.

OMB anticipates that it will validate the agency data in November or December using the Policy Utilization Assessment (PUA) program, Karen Evans, OMB’s administrator for e-government and information technology, said today at a security conference sponsored by the National Institute of Standards and Technology.

The FDCC is a standard security configuration that agencies must implement when they update their computers to the Microsoft Windows XP or Vista operating system. OMB has said a standard configuration should improve IT security because it requires a standard desktop view and should make updates, such as installing virus patches, faster and more effective.

In June, agencies submitted detailed technical plans to OMB about their implementation of FDCC security settings. In August, Evans issued guidance on implementing the first version of the FDCC.

OMB made available through NIST -- and directed agencies to use -- the Security Content Automation Protocol (SCAP) and associated tools to scan and validate the security settings they had put in place as part of the FDCC implementation, she said.

The PUA program, developed by the General Services Administration, can give chief information officers feedback on how well they have implemented specific policies. So far, the assessment program is being applied only to security policies, she said.

OMB conducted a pilot program with a few agencies using the assessment program to validate data they reported earlier this year, Evans said. Agencies reported in March that they believed that they were 50 percent through FDCC implementation. The assessment program found agencies had actually implemented just 30 percent of the policy, Evans said.
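As an added illustration of the two mechanisms the article describes, scanning hosts against a standard configuration and then estimating fleet-wide compliance from a random sample, the following Python sketch compares each host's reported settings with a baseline and computes a sampled estimate with a confidence interval. It is not code from the article, from NIST, or from the GSA assessment program; the baseline settings, host data and the hypothetical 30 percent compliant fleet are constructed for the example and are not the real FDCC values.

```python
"""Baseline-compliance check with statistical sampling (added illustration).

A constructed desktop baseline is compared against per-host settings the way
an SCAP-style scanner would, and a random sample of hosts is used to estimate
fleet-wide compliance with a confidence interval.  Settings and host data are
constructed for the example and are not the real FDCC values.
"""
import math
import random

# Constructed illustrative baseline: setting name -> required value.
BASELINE = {
    "MinimumPasswordLength": 12,
    "AccountLockoutThreshold": 5,
    "AutoplayDisabled": True,
    "FirewallEnabled": True,
    "GuestAccountDisabled": True,
}


def check_host(actual, baseline=BASELINE):
    """Return {setting: bool}, True when the host's value matches the baseline.

    A setting missing from the host's report counts as non-compliant: the
    checker must not assume a value it did not observe.
    """
    return {name: actual.get(name) == required for name, required in baseline.items()}


def host_compliant(actual, baseline=BASELINE):
    """A host is compliant only if every baseline setting matches."""
    return all(check_host(actual, baseline).values())


def compliance_rate(hosts, baseline=BASELINE):
    """Fraction of hosts that fully match the baseline (0.0 .. 1.0)."""
    if not hosts:
        return 0.0
    return sum(host_compliant(h, baseline) for h in hosts) / len(hosts)


def sample_estimate(hosts, sample_size, seed=0, z=1.96, baseline=BASELINE):
    """Estimate fleet compliance from a random sample drawn without replacement.

    Returns (estimate, lower, upper): a normal-approximation interval with a
    finite-population correction, so the interval collapses to the exact rate
    when the whole fleet is sampled.
    """
    total = len(hosts)
    n = min(sample_size, total)
    if n == 0:
        return 0.0, 0.0, 0.0
    sample = random.Random(seed).sample(hosts, n)
    p = compliance_rate(sample, baseline)
    fpc = math.sqrt((total - n) / (total - 1)) if total > 1 else 0.0
    margin = z * math.sqrt(p * (1 - p) / n) * fpc
    return p, max(0.0, p - margin), min(1.0, p + margin)


def build_fleet(size, compliant_fraction, seed=0):
    """Construct a fleet in which exactly `compliant_fraction` of hosts match.

    Non-compliant hosts drift one setting and omit another from their report,
    the two failure modes check_host() must catch.
    """
    n_ok = round(size * compliant_fraction)
    fleet = []
    for i in range(size):
        host = dict(BASELINE)
        if i >= n_ok:
            host["MinimumPasswordLength"] = 8   # drifted setting
            host.pop("AutoplayDisabled")         # unreported setting
        fleet.append(host)
    random.Random(seed).shuffle(fleet)
    return fleet


if __name__ == "__main__":
    # Constructed scenario: components reported 50 percent, fleet is really 30 percent.
    reported = 0.50
    fleet = build_fleet(1000, 0.30)
    est, lo, hi = sample_estimate(fleet, sample_size=200, seed=1)
    print(f"self-reported: {reported:.0%}")
    print(f"sampled estimate: {est:.1%} (95% CI {lo:.1%} .. {hi:.1%})")
    print(f"full-fleet scan: {compliance_rate(fleet):.0%}")
```

The sampled estimate is what a validation program can afford to measure; the full-fleet rate is what it is trying to approximate. Any gap between the self-reported figure and the lower bound of the interval is the discrepancy the validation is designed to surface.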

However, agencies need clarification about the best way to put in place and use SCAP tools, she said, adding that NIST is considering how best to communicate that to agencies.

“There are gaps based on how agencies are implementing them and interpreting the results,” Evans said. Agencies tend to have similar issues; the information they submit to OMB is “only as good as what’s been reported to them from their components,” she said.

After agencies have resolved these gaps, OMB will run the next PUA program later this year to validate the FDCC information from all agencies “so we can say with some assurance on the [Capitol] Hill that we have validated the results; they are statistically sound; and we [are] at x percent of implementation,” she said.

Agencies reported there are about 3.5 million desktops that use XP or Vista and need to have FDCC deployed, Evans said. Half of them, some 1.25 million, are in the Defense Department, she noted.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
