OMB stresses FDCC compliance means 100 percent

Some agencies claim the Federal Desktop Core Configuration settings for XP and Vista will break their networks.

In a spirited discussion, the Office of Management and Budget made it clear to agencies that compliance with the Feb. 1 deadline for adoption of the Federal Desktop Core Configuration for Microsoft Windows XP and Vista means all PCs that use the operating systems must have the standard image.

Wendy Liberante, OMB’s Government-to-Business portfolio manager and a policy analyst heading the FDCC initiative, told an agency and industry audience yesterday that the administration expects 100 percent compliance, but there also are some realistic and pragmatic issues that have to be worked through.

She said OMB will be issuing a data call in the next few days asking agencies to submit a report by Feb. 1 detailing the number of systems that use XP or Vista and the number that have adopted the FDCC image.

“If you are not compliant, we want to know how far off you are,” Liberante said during a conference on the core desktop standard sponsored by the National Institute of Standards and Technology in Gaithersburg, Md. “We want agencies to understand their universe and have a plan to get to FDCC compliance.”

Some agencies, such as the Agency for International Development, have had little trouble complying, but others in the audience said the settings would break their systems.

One audience member said their agency had a choice: Implement the FDCC and take down their entire network serving 180,000 users, or tell their secretary that they will get a red score from OMB on this yearlong mandate.

“FDCC crashes our system,” said the audience member, who did not identify their agency. “OMB’s initial assumption is wrong that you can apply the FDCC without breaking your system.”

Another audience member from the U.S. Patent and Trademark Office said they will not be FDCC compliant because they have a problem with a number of the settings.

Liberante said that although OMB does not want this agency to have their systems shut down, agencies need to understand what they have to do to comply with the mandate.

“I’m hopeful you have some justifications on why you can’t comply when you deliver your report to OMB,” Liberante said.

She also emphasized that when agencies submit their detailed technical reports on compliance and any deviations from the standard to NIST and OMB March 31, the deviations are not waivers. Rather, the deviations are issues that NIST and OMB will work through to see if they are true problems or something that can be fixed.

“You know what your anomalies are,” Liberante said. “You need to tell us what your outliers are and the reasons why they are not compliant.”

NIST already has submitted to OMB an FDCC update to try to correct known issues, including that the standard doesn’t allow the use of Java and some firewall settings don’t work.

Andrew Buttner, an expert with Mitre Corp., said NIST and OMB recognize there are problems with the image and the settings will need to be adjusted.

Liberante said there is no scheduled update for the FDCC image, but it will happen as needed.