Desktop security eases into place

With a Feb. 1 deadline approaching, some federal agencies are finding it easier than they anticipated to implement a new governmentwide software security policy. According to the policy, they must configure the majority of their desktop computers using standard software security settings, commonly referred to as the Federal Desktop Core Configuration (FDCC).Ken Page, Microsoft’s FDCC program manager, said the company is working with 25 agencies to install the core configuration on desktop computers running Microsoft Windows XP and Vista. Most agencies aren’t having any major problems, he said.In addition to the Feb. 1 deadline, the Office of Management and Budget and the National Institute of Standards and Technology extended a deadline to March 31 for agencies to produce detailed technical reports on their FDCC work. OMB said the Feb. 1 deadline is still in effect. Agencies must complete their configuration work or show progress by that date.OMB has been tracking agencies’ progress toward compliance with the secure configuration standard using the agency’s quarterly management score card process, said Karen Evans, OMB’s administrator for information technology and e-government. Evans could not provide a detailed status report.The March 31 deadline will give agencies additional time to procure Secure Content Automation Protocol (SCAP) tools as they become available from NIST, said Matt Barrett, senior computer scientist and information security researcher at NIST, who works on the FDCC program.Such technical tools provide proof that computers have the proper security settings.Agencies need time to become familiar with SCAP-based configuration scanners “and to scan, aggregate, analyze and submit SCAP results files,” Barrett said.NIST expects to have SCAP validation tools ready for agencies to use by Feb. 1, said Peter Mell, who leads NIST’s SCAP project.“There is a risk for agencies that use nonvalidated tools,” Mell said. “They can either accept the risk or manually check the configurations.” Knowledgeable staff members can perform the configuration checks manually — without the tools, he said. Complying with FDCC policy should pose few technical problems, industry and government officials said.“There are no real challenges to building [operating system software] images and rolling them out,” Page said. “Most agencies removed the [system] administrative privileges, and that eliminated 90 percent of all application-compatibility issues.”Page said the FDCC policy’s mandatory security settings don’t prevent applications from running. In some cases, agencies want to use a higher level of encryption that the FDCC requires, he added.