The struggle to conform

All roads in the federal government may lead to a standard configuration for Windows PCs, but those roads cross different terrains. Some agencies have made significant progress complying with the Federal Desktop Core Configuration, but others are experiencing considerable challenges, if the presentations and discussions at a recent FDCC workshop are any indication.The Army and Interior Department are among those on track to implement FDCC across their organizations. But some other agencies have unique functions and workforce arrangements that pose a challenge to retrofitting desktops to FDCC, agency officials and industry experts say.Moreover, adoption of FDCC could be slow for some agencies because ensuring that each agency PC complies with Office of Management and Budget mandates will require 16 checks that must be done by hand, adding complexity to the process.Last year, OMB ordered agencies to upgrade their PCs. Those PCs running Microsoft Windows XP or Windows Vista must conform to FDCC. Authored by the National Institute of Standards and Technology and National Security Agency with the help of Microsoft, FDCC is a set of operating system configurations designed to improve security. The configuration would, for example, turn off unused services and run users' applications in user, rather than administrator, mode.By Feb. 1, agencies were to give OMB a summary of the total number of desktop PCs they have running Microsoft Windows XP and Windows Vista, along with the total of those that are FDCC-compliant.By March 31, agencies must submit a technical report to NIST and OMB about the status of their implementations.The move to a standard configuration will change the way some employees work. At the workshop NIST hosted last month, Blair Heiserman, who works in the agency's Office of the Chief Information Officer, noted that some NIST employees, being technically inclined, write their own device drivers. Unsigned drivers are not permitted under FDCC, though Vista allows administrators to sign drivers.Jim Donohue, from the Agriculture Department's Office of the CIO, said many of the agency's laptop PCs are used by field personnel, which could also pose a challenge to quick compliance.Because of the peripatetic nature of the field employees' jobs, their laptops are infrequently checked into the network. Some may go as long as a year between visits.And because field employees need to install their own software, they are given administrative rights, which is prohibited under FDCC.Another challenge is how to address the manual checks of PCs that agency information technology employees need to perform to comply with FDCC. Such manual checks can complicate agency efforts to hit OMB deadlines for reporting FDCC compliance, said Amrit Williams, chief technology officer at enterprise systems and security management company BigFix.'It puts a lot of burden on the folks who have to generate the reports and do the assessments,' he said. 'Most people are struggling just to do the automated stuff. Not only must they scan their environments to generate a report, but they have to modify the [resulting] reports to accommodate information coming from these manual checks.'Although some companies already offer automated scanning tools, these tools probably will not be able to execute all the checks required under FDCC.Mitre lead information security engineer Andrew Buttner, who spoke at the NIST workshop, said an FDCC Security Content Automation Protocol (SCAP) testing team found that 98 percent of the checks needed for FDCC could be done automatically. However, Windows Vista, Windows XP and Internet Explorer all had some settings that could only be updated and checked by hand.Buttner said Windows XP has a total of 279 FDCC checks and Windows Vista has 328 FDCC checks. In addition, Internet Explorer 7, which runs on both operating systems, has an additional 122 FDCC checks.Of these sets, Windows XP has seven items that need to be checked by hand, Windows Vista eight, and Internet Explorer one.The SCAP team is working with Microsoft to find ways to check these settings automatically.'They are the subject matter experts and hopefully know how to perform that test,' Buttner said. 'As of today, we're still waiting to get those answers back.'The checks that remain unautomated include those that offer the ability to check IPv6 settings in the firewall and check some Kerberos settings with Windows XP and Windows Vista. One in Internet Explorer permits the browser to install programs automatically.Until some sort of path to automation is provided, Williams said, the manual checks will add a level of complexity to all aspects of the FDCC process, from reporting and assessment to remediation.How much this affects agencies trying to comply with FDCC is an open question.'Agencies have two choices, they can do the checks manually or use no validated SCAP-capable tools and accept some risk,' said Peter Mell, who leads NIST's SCAP project. 'There are hundreds of settings, but it can be done. We have a staff member who does it regularly.'Meanwhile, a new Web page hosted by NIST lists products that have been validated to scan the security configurations of Windows operating systems on federal PCs.The scanners use SCAP to check for compliance with the FDCC standards. So far, three products have been validated under NIST's National Voluntary Laboratory Accreditation Program. (For more on SCAP, see GCN.com/966.)There are a fair number of FDCC success stories. Interior has laid the groundwork to prepare for FDCC, said Bill Corrington, chief technology officer at Interior.Implementing FDCC is a particular challenge because of the agency's federated nature; Interior consists of 13 relatively independent bureaus and offices.'Each one has its own CIO, its own CTO and its own IT security manager,' he said. The keys to success were planning and communications.Early last year, the agency convened a joint team from these ranks of CTOs, CIOs and chief information security officers to develop a plan of execution. The plan was then presented to executive management and submitted to OMB.The agency then assembled a smaller team of technical experts in Windows and Active Directory to establish a baseline configuration.'We really wanted to have people who knew what they were doing to study the issue,' Corrington said.The team tested the settings and came up with a set of draft configurations, which were reviewed by all Interior agencies. 'We had a couple of bureaus say they were fine out of the box, and we had a couple that had 15 or so settings that they had issues with. But it was a relatively small number,' Corrington said.In some cases, FDCC was even less stringent than the bureau's policies, so those bureaus could keep the existing settings in place.Interior will distribute the FDCC configuration through a set of files that administrators can then install on desktop computers.For tracking compliance among bureaus, the agency has extended its process for tracking Federal Information Security Management Act compliance to also handle FDCC. 'We wanted to use the existing process and not use something new,' Corrington said.The Army has more than 800,000 desktop computers that need to be FDCC-compliant.Although that is a big job, the service was ahead of the game because of an existing standardized Windows XP configuration it already put in place, called the Golden Master program.'Since August 2006, if you have a computer in the Army, you are required to have the Army Golden Master on your computer,' said Amy Harding, who works in the Army CIO office.Because the Golden Master image was based on Microsoft, NIST and Defense Information Systems Agency security guidelines, updating them to FDCC involved relatively few modifications.The CIO's office released the first FDCC-compliant Golden Master image in August and plans to update its image as changes in FDCC occur.For those Army offices that do not want to re-image their computers each time an update occurs, the program also offers Group Policy Objects settings that could be passed down to the desktop computers through the Army's Active Directory structure. The Army is also modifying its contracts with suppliers to require new desktop computers to have the Golden Master FDCC versions of the operating systems installed.However, not all agencies' FDCC deployments are as smooth as the deployments at the Army and Interior.After the formal presentations, one audience member said agency officials had a choice: Implement FDCC and take down their entire network serving 180,000 users or tell the agency secretary that the agency will get a red score from OMB on this yearlong mandate.'FDCC crashes our system,' said the audience member, who did not identify the agency. 'OMB's initial assumption is wrong ' that you can apply the FDCC without breaking your system.'Wendy Liberante, OMB's policy analyst heading the FDCC initiative, gave an impromptu talk at the workshop, to clarify what OMB wanted for the Feb. 1 deadline. 'If you are not compliant, we want to know how far off you are,' Liberante said. 'We want agencies to understand their universe and have a plan to get to FDCC compliance.'She also emphasized that when agencies submit their detailed technical reports to NIST and OMB, which are due March 31, they are not to consider deviations they disclose to be waivers.Rather, the deviations are issues that NIST and OMB will work through to see if they are true problems or something that can be fixed.