Evans: Standards are us

OMB says standard configurations will bring savings and greater information security.

Karen Evans described the Bush administration’s mandate for agencies to use a standard Windows configuration for PCs as one of those decisions that could transform government operations. “Configuration management is at the heart of how we will manage our environment,” said Evans, the Office of Management and Budget’s administrator for e-government and information technology. Implementing baseline configurations in Microsoft Windows XP and Vista is a beginning point for standardizing IT governmentwide, she said.

OMB has asked federal agencies to submit plans by May 1 explaining how they will comply with the new mandate. “This is an opportunity for us to standardize and work as one enterprise by leveraging the value of our procurements and maintaining security,” Evans said.

Federal agencies can learn from the Air Force’s experience with standard PC configurations, said Kenneth Heitkamp, the Air Force’s associate director of life cycle management and director of the service’s IT Commodity Council. “This is about governance and policy, not technology,” he said. Heitkamp and Evans spoke about the challenges of implementing standard desktop configurations at a recent event in Washington sponsored by the SANS Institute.

The Air Force began implementing standard desktop configurations in 2003. Four years later, it is close to completing the task, Heitkamp said. As of June 2006, 99 percent of all Air Force desktop PCs had a standard configuration for Windows XP. The 1 percent that didn’t comply had received waivers from Lt. Gen. Robert Elder, commander of the 8th Air Force and director of the Cyberspace Command. Heitkamp said Elder had approved only 197 waivers.

To prepare for using Microsoft’s new operating system and applications, the Air Force has begun testing 279 standard baseline settings for Vista, 173 baseline settings for Office 2007 and 162 for Internet Explorer 7, Heitkamp said.

Other military services and agencies have developed baseline configurations for Vista and Windows XP. DOD chief information officers and officials from the Joint Task Force Global Network Command will meet in the next month or two to discuss having a single configuration baseline for DOD, Heitkamp said.

For configuration management to be effective, agencies must limit the number of baseline configurations, Heitkamp said. The Air Force went from hundreds of different configurations to only a few.

The Air Force saw immediate benefits of having only a few desktop configurations when it bought new hardware, Heitkamp said. The service has bought more than 308,000 desktop PCs since 2003 at a cost of $260 million. The Air Force estimated that it saved $85 million because of its standard configuration policy.

Evans said the Office of Federal Procurement Policy is considering how to insert a requirement into all federal IT contracts that any new hardware or software, possibly including shrink-wrapped software, must not alter the government’s standard configuration baseline. Evans said the Federal Acquisition Regulations Council could add a clause to FAR, or OFPP could send a memo requiring chief acquisition officers to use the contract language.

OMB has set a June 30 deadline for agencies to include provisions addressing the standard configuration in contracts.

Evans said Microsoft has agreed to tell its resellers that they must provide only the standard configuration to federal government customers.

The Air Force is developing similar language that would be added to new contracts for IT hardware and software, Heitkamp said. That language would require vendors to guarantee that their software will not:

  •  Interfere with the service’s standard desktop configuration.
  •  Let ordinary users have administration rights.
  •  Automatically change software settings or write to the protected areas of the operating system.

By requiring vendors to adhere to those terms, Heitkamp said, agencies can be assured that new software will work in their environment, can be patched quickly if there is a security vulnerability and will be more secure because it meets a standard set of requirements.

The Air Force has focused on restricting privileges to add software or change configuration settings to only a few approved users for security and other reasons.

Restricting administrative rights also saves money on help-desk services, Heitkamp said. Research firm Gartner estimates that using a standard desktop configuration can reduce an organization’s PC costs 30 percent to 40 percent.

Limiting administration rights helps prevent malware and other types of hacker attacks because ordinary users are prevented from installing dangerous software, said Alan Paller, director of the SANS Institute, which provides training for systems and network administrators. The National Security Agency found that 85 percent of all common attack points are blocked by standard desktop settings, he added.

Heitkamp said the Air Force will institute a policy by 2008 that requires any PC connected to an Air Force network to conform to the standard configuration at all times. “Our vision is real-time network management. We are getting there.” The service uses software that checks every 90 minutes to see whether all laptop and desktop PCs connected to networks comply with the Air Force’s standard configuration baseline. The Air Force likely will use Microsoft’s System Management Server software to ensure that system configurations remain constant, Heitkamp said.

The Air Force instituted other measures to obtain maximum benefits from standard configurations. For example, it created performance metrics and required organizations to report those metrics to the CIO’s office.

Lisa Schlosser, CIO at the Housing and Urban Development Department, said she hopes to use the Air Force’s lessons learned to implement standard configurations at HUD. “The key is to build the requirements into all contracts,” including application development and service contracts, she said.
Keeping score on configuration management

Federal agencies can soon add configuration management to their reporting requirements.

The Office of Management and Budget said it plans to make agencies’ progress on implementing standard Windows PC configurations part of the reporting requirements for compliance with the Federal Information Security Management Act (FISMA).

“We will make it easier for inspectors general to see the stats” on how agencies are implementing the standard configuration baseline, said Karen Evans, OMB’s administrator for e-government and information technology. “We will work with the IGs to make their annual reviews more meaningful.”

OMB also will build configuration management compliance into the President’s Management Agenda score card, Evans said.

A recent OMB memo to agency leaders detailed the new configuration management requirements and the responsibilities of deputy secretaries to enforce compliance.

“FISMA says agencies have to have a standard desktop configuration, so it has been a matter of enforcement,” Evans said. Enforcement “is not easy to do when people are managing their own environment.”

Alan Paller, director of research at the SANS Institute, said agency IGs could use a free tool to monitor configuration compliance. That tool is available on the nonprofit Center for Internet Security Web site at www.cisecurity.org.

“It measures and shows the difference between what you are running and the standard image,” Paller said. “Some agencies will put the use of secure configuration in policy, and the chief information security officer will ask bureau CIOs to implement it, and they’ll say ‘yes.’ But how do you really know if it gets done?”
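Both the Air Force’s 90-minute compliance sweep described above and the CIS tool Paller refers to come down to the same operation: diff a host’s live settings against the standard image, then decide whether each gap is covered by an approved waiver (the kind Elder signed) or is real drift. The script below is an added example written for this page; it is not code from the article, the Air Force, OMB or the Center for Internet Security. It parses a security template in the layout of a `secedit /export /cfg` file, compares each host’s export against the baseline, and treats an expired waiver as a deviation. The baseline values, registry paths, host exports and waivers are all constructed for illustration and are not the real FDCC or Air Force settings.

```python
"""Baseline drift check with waiver handling (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date

# Constructed baseline in the layout of a 'secedit /export /cfg' template:
# '[Section]' headers and 'Key = Value' lines. The values are illustrative,
# not the real FDCC or Air Force settings.
BASELINE_INF = r"""
; constructed example baseline
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 10
[Registry Values]
MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated=4,0
MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=4,1
"""


def parse_inf(text: str) -> dict[str, str]:
    """Flatten an INF-style template into {'Section/Key': 'Value'}."""
    settings: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            continue  # stray line outside any section
        key, value = (part.strip() for part in line.split("=", 1))
        settings[f"{section}/{key}"] = value
    return settings


BASELINE = parse_inf(BASELINE_INF)
INSTALLER = r"Registry Values/MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated"
FIREWALL = (r"Registry Values/MACHINE\System\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\EnableFirewall")


@dataclass(frozen=True)
class Waiver:
    """An approved exception for one setting on one host, valid until 'expires'."""
    host: str
    setting: str
    expires: date


def check_host(host, snapshot, baseline, waivers, today):
    """Compare one host's exported settings with the baseline.

    Returns (setting, expected, actual, status) for every gap, where status is
    'waived' (covered by an unexpired waiver), 'missing' (setting absent from
    the export) or 'deviation' (present but wrong).
    """
    active = {w.setting for w in waivers if w.host == host and w.expires >= today}
    findings = []
    for setting, expected in baseline.items():
        actual = snapshot.get(setting)
        if actual == expected:
            continue
        if setting in active:
            status = "waived"
        elif actual is None:
            status = "missing"
        else:
            status = "deviation"
        findings.append((setting, expected, actual, status))
    return findings


def fleet_report(snapshots, baseline, waivers, today):
    """Score a fleet: a host is compliant only when every gap it has is waived."""
    per_host = {h: check_host(h, s, baseline, waivers, today) for h, s in snapshots.items()}
    compliant = [h for h, f in per_host.items() if all(st == "waived" for *_, st in f)]
    pct = round(100 * len(compliant) / len(snapshots), 1) if snapshots else 0.0
    return {"hosts": len(snapshots), "compliant": len(compliant),
            "percent": pct, "findings": per_host}


# Constructed host exports (in practice each would come from secedit on the host).
SNAPSHOTS = {
    "pc-a": dict(BASELINE),                                      # fully compliant
    "pc-b": {**BASELINE, "System Access/LockoutBadCount": "0"},  # one gap, waived
    "pc-c": {k: ("4,1" if k == INSTALLER else v)                 # drifted, and
             for k, v in BASELINE.items() if k != FIREWALL},     # missing a line
}
WAIVERS = [
    Waiver("pc-b", "System Access/LockoutBadCount", date(2008, 1, 1)),
    Waiver("pc-c", INSTALLER, date(2007, 1, 1)),  # already expired by mid-2007
]

if __name__ == "__main__":
    report = fleet_report(SNAPSHOTS, BASELINE, WAIVERS, date(2007, 6, 1))
    print(f"{report['compliant']}/{report['hosts']} hosts compliant ({report['percent']}%)")
    for host, findings in report["findings"].items():
        for setting, expected, actual, status in findings:
            print(f"{host}: {status:9} {setting} expected={expected!r} actual={actual!r}")
```

Run as written, the fleet scores 2 of 3 hosts compliant: pc-b passes only because its waiver is still in force, and pc-c fails on both an expired waiver and a setting that is absent from its export. Re-running with a date after the pc-b waiver lapses drops the score to 1 of 3, which is the point of carrying an expiry on every waiver rather than keeping a flat exemption list: the 1 percent that is allowed to deviate stays visible and bounded.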

— Jason Miller