The struggle to conform

All roads in the federal government may lead to a standard configuration for Windows PCs, but those roads cross different terrains. Some agencies have made significant progress complying with the Federal Desktop Core Configuration, but others are experiencing considerable challenges, if the presentations and discussions at a recent FDCC workshop are any indication.The Army and Interior Department are among those on track to implement FDCC across their organizations. But some other agencies have unique functions and workforce arrangements that pose a challenge to retrofitting desktops to FDCC, agency officials and industry experts say.Moreover, adoption of FDCC could be slow for some agencies because ensuring that each agency PC complies with Office of Management and Budget mandates will require 16 checks that must be done by hand, adding complexity to the process.Last year, OMB ordered agencies to upgrade their PCs. Those PCs running Microsoft Windows XP or Windows Vista must conform to FDCC. Authored by the National Institute of Standards and Technology and National Security Agency with the help of Microsoft, FDCC is a set of operating system configurations designed to improve security. The configuration would, for example, turn off unused services and run users' applications in user, rather than administrator, mode.By Feb. 1, agencies were to give OMB a summary of the total number of desktop PCs they have running Microsoft Windows XP and Windows Vista, along with the total of those that are FDCC-compliant.By March 31, agencies must submit a technical report to NIST and OMB about the status of their implementations.The move to a standard configuration will change the way some employees work. At the workshop NIST hosted last month, Blair Heiserman, who works in the agency's Office of the Chief Information Officer, noted that some NIST employees, being technically inclined, write their own device drivers. Unsigned drivers are not permitted under FDCC, though Vista allows administrators to sign drivers.Jim Donohue, from the Agriculture Department's Office of the CIO, said many of the agency's laptop PCs are used by field personnel, which could also pose a challenge to quick compliance.Because of the peripatetic nature of the field employees' jobs, their laptops are infrequently checked into the network. Some may go as long as a year between visits.And because field employees need to install their own software, they are given administrative rights, which is prohibited under FDCC.Another challenge is how to address the manual checks of PCs that agency information technology employees need to perform to comply with FDCC. Such manual checks can complicate agency efforts to hit OMB deadlines for reporting FDCC compliance, said Amrit Williams, chief technology officer at enterprise systems and security management company BigFix.'It puts a lot of burden on the folks who have to generate the reports and do the assessments,' he said. 'Most people are struggling just to do the automated stuff. Not only must they scan their environments to generate a report, but they have to modify the [resulting] reports to accommodate information coming from these manual checks.'Although some companies already offer automated scanning tools, these tools probably will not be able to execute all the checks required under FDCC.Mitre lead information security engineer Andrew Buttner, who spoke at the NIST workshop, said an FDCC Security Content Automation Protocol (SCAP) testing team found that 98 percent of the checks needed for FDCC could be done automatically. However, Windows Vista, Windows XP and Internet Explorer all had some settings that could only be updated and checked by hand.Buttner said Windows XP has a total of 279 FDCC checks and Windows Vista has 328 FDCC checks. In addition, Internet Explorer 7, which runs on both operating systems, has an additional 122 FDCC checks.Of these sets, Windows XP has seven items that need to be checked by hand, Windows Vista eight, and Internet Explorer one.The SCAP team is working with Microsoft to find ways to check these settings automatically.'They are the subject matter experts and hopefully know how to perform that test,' Buttner said. 'As of today, we're still waiting to get those answers back.'The checks that remain unautomated include those that offer the ability to check IPv6 settings in the firewall and check some Kerberos settings with Windows XP and Windows Vista. One in Internet Explorer permits the browser to install programs automatically.Until some sort of path to automation is provided, Williams said, the manual checks will add a level of complexity to all aspects of the FDCC process, from reporting and assessment to remediation.How much this affects agencies trying to comply with FDCC is an open question.'Agencies have two choices, they can do the checks manually or use no validated SCAP-capable tools and accept some risk,' said Peter Mell, who leads NIST's SCAP project. 'There are hundreds of settings, but it can be done. We have a staff member who does it regularly.'Meanwhile, a new Web page hosted by NIST lists products that have been validated to scan the security configurations of Windows operating systems on federal PCs.The scanners use SCAP to check for compliance with the FDCC standards. So far, three products have been validated under NIST's National Voluntary Laboratory Accreditation Program. (For more on SCAP, see GCN.com/966.)There are a fair number of FDCC success stories. Interior has laid the groundwork to prepare for FDCC, said Bill Corrington, chief technology officer at Interior.Implementing FDCC is a particular challenge because of the agency's federated nature; Interior consists of 13 relatively independent bureaus and offices.'Each one has its own CIO, its own CTO and its own IT security manager,' he said. The keys to success were planning and communications.Early last year, the agency convened a joint team from these ranks of CTOs, CIOs and chief information security officers to develop a plan of execution. The plan was then presented to executive management and submitted to OMB.The agency then assembled a smaller team of technical experts in Windows and Active Directory to establish a baseline configuration.'We really wanted to have people who knew what they were doing to study the issue,' Corrington said.The team tested the settings and came up with a set of draft configurations, which were reviewed by all Interior agencies. 'We had a couple of bureaus say they were fine out of the box, and we had a couple that had 15 or so settings that they had issues with. But it was a relatively small number,' Corrington said.In some cases, FDCC was even less stringent than the bureau's policies, so those bureaus could keep the existing settings in place.Interior will distribute the FDCC configuration through a set of files that administrators can then install on desktop computers.For tracking compliance among bureaus, the agency has extended its process for tracking Federal Information Security Management Act compliance to also handle FDCC. 'We wanted to use the existing process and not use something new,' Corrington said.The Army has more than 800,000 desktop computers that need to be FDCC-compliant.Although that is a big job, the service was ahead of the game because of an existing standardized Windows XP configuration it already put in place, called the Golden Master program.'Since August 2006, if you have a computer in the Army, you are required to have the Army Golden Master on your computer,' said Amy Harding, who works in the Army CIO office.Because the Golden Master image was based on Microsoft, NIST and Defense Information Systems Agency security guidelines, updating them to FDCC involved relatively few modifications.The CIO's office released the first FDCC-compliant Golden Master image in August and plans to update its image as changes in FDCC occur.For those Army offices that do not want to re-image their computers each time an update occurs, the program also offers Group Policy Objects settings that could be passed down to the desktop computers through the Army's Active Directory structure. The Army is also modifying its contracts with suppliers to require new desktop computers to have the Golden Master FDCC versions of the operating systems installed.However, not all agencies' FDCC deployments are as smooth as the deployments at the Army and Interior.After the formal presentations, one audience member said agency officials had a choice: Implement FDCC and take down their entire network serving 180,000 users or tell the agency secretary that the agency will get a red score from OMB on this yearlong mandate.'FDCC crashes our system,' said the audience member, who did not identify the agency. 'OMB's initial assumption is wrong ' that you can apply the FDCC without breaking your system.'Wendy Liberante, OMB's policy analyst heading the FDCC initiative, gave an impromptu talk at the workshop, to clarify what OMB wanted for the Feb. 1 deadline. 'If you are not compliant, we want to know how far off you are,' Liberante said. 'We want agencies to understand their universe and have a plan to get to FDCC compliance.'She also emphasized that when agencies submit their detailed technical reports to NIST and OMB, which are due March 31, they are not to consider deviations they disclose to be waivers.Rather, the deviations are issues that NIST and OMB will work through to see if they are true problems or something that can be fixed.
























Checking up

























Success stories













































William Jackson contributed to this story.
X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.