SignaCert to verify FDCC compliance
- By Rutrell Yasin
- Dec 26, 2007
SignaCert has announced its active support for the Federal Desktop Core Configuration (FDCC) and Security Configuration Automation Protocol (SCAP), which aim to improve desktop computer security for federal agencies.
Using software measurement methods, SignaCert products can prove that federal systems are FDCC compliant to the binary level, according to company officials. The FDCC is a preset secure configuration that the Office of Management and Budget has required agencies to adopt by Feb. 1 when they install the Microsoft Windows XP and Vista operating systems.
SignaCert will provide standard baseline images for Windows XP and Vista desktops at no additional charge with its Enterprise Trust Server, either as an appliance-based solution or as a hosted service.
SCAP is important to vendors because it is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation, according to officials at the National Institute of Standards and Technology.
SCAP is a format that will help tackle the Tower of Babel that keeps various security monitoring and scanning tools from communicating with one another and with government systems, said Steve Quinn, program manager of the Information Security Automation Program and senior computer scientist at NIST.
"If we can just agree upon this is what we call certain configurations, this is how we express it, [and then] we can go back to the vendor and say: 'how do we check this on your platform so we have complete consistency?'" Quinn said.
NIST is providing the required configuration settings in the SCAP format.
OMB asked the agency to develop a process through the National Voluntary Laboratory Assessment Program to establish SCAP validation. So companies such as McAfee, Microsoft, Secure Elements, SignaCert, and Symantec can submit their software to these labs to determine if they adhere to SCAP requirements, Quinn said.
The labs are being accredited now and companies will submit their products early next year, he said.
Although SCAP is intended to standardize the configuration controls for desktop systems subject to the OMB mandates, SignaCert goes one step further by verifying that the actual deployed binary image meets the prescribed image requirements under FDCC, SignaCert officials said.
SignaCert announced its partnership with Secure Elements to support SCAP in September, and expects to work with other existing and emerging vendors that support the SCAP standards and methods.
Rutrell Yasin is a freelance technology writer for GCN.