OMB to verify agency work on security settings

The Office of Management and Budget plans to verify the data that agencies submitted about their progress in implementing the Federal Desktop Core Configuration (FDCC) by using a statistical sampling approach that assesses policy compliance.

OMB anticipates that it will validate the agency data in November or December using the Policy Utilization Assessment (PUA) program, Karen Evans, OMB’s administrator for e-government and information technology, said today at a security conference sponsored by the National Institute of Standards and Technology.

The FDCC is a standard security configuration that agencies must implement when they update their computers to the Microsoft Windows XP or Vista operating system. OMB has said a standard configuration should improve IT security because it requires a standard desktop view and should make updates, such as installing virus patches, faster and more effective.

In June, agencies submitted detailed technical plans to OMB about their implementation of FDCC security settings. In August, Evans issued guidance on implementing the first version of the FDCC.

OMB made available through NIST -- and directed agencies to use -- the Security Content Automation Protocol (SCAP) and associated tools to scan and validate the security settings they had put in place as part of the FDCC implementation, she said.

The PUA program, developed by the General Services Administration, can give chief information officers feedback on how well they have implemented specific policies. So far, the assessment program is being applied only to security policies, she said.

OMB conducted a pilot program with a few agencies using the assessment program to validate data they reported earlier this year, Evans said. Agencies reported in March that they believed that they were 50 percent through FDCC implementation. The assessment program found agencies had actually implemented just 30 percent of the policy, Evans said.

However, agencies need clarification about the best way to put in place and use SCAP tools, she said, adding that NIST is considering how best to communicate that to agencies.

“There are gaps based on how agencies are implementing them and interpreting the results,” Evans said. Agencies tend to have similar issues; the information they submit to OMB is “only as good as what’s been reported to them from their components,” she said.

After agencies have resolved these gaps, OMB will run the next PUA program later this year to validate the FDCC information from all agencies “so we can say with some assurance on the [Capitol] Hill that we have validated the results; they are statistically sound; and we at x percent of implementation,” she said.

Agencies reported there are about 3.5 million desktops that use XP or Vista and need to have FDCC deployed, Evans said. Half of them, some 1.25 million, are in the Defense Department, she noted.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
