Agencies grapple with FDCC compliance

Some agencies are making headway to hit the Feb. 1 deadline to make their desktop computers compliant with the Federal Desktop Core Configuration, but others are experiencing considerable challenges, at least if the presentations and discussions at a recent FDCC workshop were any indication.

The National Institute of Standards and Technology hosted the workshop, which was held in Gaithersburg, Md.

Last year, the Office of Management and Budget ordered that agencies upgrading their desktop computers, and those running Microsoft Windows XP or Windows Vista, must conform to the FDCC. Authored by NIST and the National Security Agency with the help of Microsoft, FDCC is a set of operating-system configurations to ensure security, such as turning off unused services and running user applications in user, rather than system administrator, mode.

By Feb. 1, agencies must submit to OMB a summary of the total number of desktop computers they have running Microsoft Windows XP and Windows Vista, along with the total number of those that are FDCC-compliant. By March 31, agencies must submit a technical report to NIST and OMB about the status of their implementations.

While many federal desktop computers are pretty generic in their implementations, a thus-far undetermined number of others have unique functions that may make them a challenge to retrofit to FDCC requirements.

At the workshop, Blair Heiserman, who works in NIST's Office of the Chief Information Officer, noted that some NIST employees, being technically inclined, tend to write their own device drivers. Unsigned drivers are not permitted under FDCC, though Vista allows administrators to sign drivers.

Jim Donohue, from the Agriculture Department's Office of the CIO, noted his agency had many laptop PCs used by field personnel, which could also pose a challenge to quick compliance. Because of the peripatetic nature of these field employees' jobs, the laptops they use are infrequently checked into the network. Some may go as long as a year between visits.

And since the personnel need to install their own software, they are given administrative rights, which is prohibited under FDCC.

Nonetheless, the conference had a fair number of success stories. Bill Corrington, chief technology officer at the Interior Department, described how his own agency set up the groundwork to prepare for FDCC.

Implementing FDCC would be a particular challenge, due to the federated nature of the agency. Interior consists of 13 relatively independent bureaus and offices.

"Each one has its own CIO, its own CTO and its own IT security manager," he said.
The keys to success were planning and communications. Early last year, the agency convened a joint team from these ranks of CTOs, CIOs and CISOs to develop a plan of execution. The plan was then presented to executive management and submitted to OMB.

The agency then assembled a smaller team of technical experts in Windows and Active Directory to establish a baseline FDCC configuration. "We really wanted to have people who knew what they were doing to study the issue," Corrington said.

The team then tested the settings and came up with a set of draft configurations, which were reviewed by all Interior agencies. "We had a couple of bureaus say they were fine out of the box, and we had a couple that had 15 or so settings that they had issues with. But it was a relatively small number," Corrington said. In some cases, the FDCC was even less stringent than the bureau's own policies, so these bureaus could keep these existing settings in place.

Interior will distribute the FDCC configuration through a set of .INF files, which administrators can then install on desktop computers.

For tracking compliance among bureaus, the agency has extended its process for tracking Federal Information Security Management Act compliance to also handle FDCC. "We wanted to use the existing process and not use something new," Corrington said.

Amy Harding, who works in the Army CIO office, also talked about implementation of the FDCC. The service has over 800,000 desktop computers that need to be FDCC-compliant. Although a big job, the Army was ahead of the game due to an existing standardized Windows XP it already put in place, called the Golden Master program. "Since August 2006, if you have a computer in the Army, you are required to have the Army Golden Master on your computer."

Since the Golden Master image was based on Microsoft, NIST and Defense Information Systems Agency security guidelines, updating them to FDCC involved a relatively few number of modifications. The CIO's office released the first FDCC-compliant Golden Master image in August, and plans to update their image as changes in the FDCC occur.

For those Army offices that do not want to reimage their computers each time an update occurs, the program also offers Group Policy Objects settings that could be passed down to the desktop computers through the Army's Active Directory structure. The Army is also modifying its contracts with suppliers to require new desktop computers to have the Golden Master FDCC versions of the operating systems installed.

While the Army and the Interior Department touted their success, not all agencies' FDCC rollouts are as smooth.

After the formal presentations, one audience member said their agency had a choice: Implement the FDCC and take down their entire network serving 180,000 users, or tell their secretary that they will get a red score from OMB on this yearlong mandate.

'FDCC crashes our system,' said the audience member, who did not identify their agency. 'OMB's initial assumption is wrong that you can apply the FDCC without breaking your system.'

Another audience member from the U.S. Patent and Trademark Office said they will not be FDCC-compliant because they have a problem with a number of the settings.

Wendy Liberante, OMB's policy analyst heading the FDCC initiative, gave an impromptu talk at the workshop, in order to clarify what OMB wanted for the Feb. 1 deadline. 'If you are not compliant, we want to know how far off you are,' Liberante said. 'We want agencies to understand their universe and have a plan to get to FDCC compliance.'

She also emphasized that when agencies submit their detailed technical reports to NIST and OMB, which are due March 31, they are not to consider deviations they disclose as waivers. Rather, the deviations are issues that NIST and OMB will work through to see if they are true problems or something that can be fixed.

'You know what your anomalies are,' Liberante said. 'You need to tell us what your outliers are and the reasons why they are not compliant.'

Liberante said there is no scheduled update for the FDCC image, but it will happen as needed.

Reader Comments

Thu, Apr 9, 2009

You security types make it IMPOSSIBLE for people to do their jobs. I hope now that a computer literate person is in office, that he will reverse some of these senseless idiocies that Bush put into place, including the HSPD-12 initiative.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above