New federal regulations for government agencies will have an impact in the commercial space.
Organizations that already have a stable, secure image for desktop
and laptop computers can ignore this story. Everyone else can now
implement the Federal Desktop Core Configuration for Windows XP and
Vista, which provides a good framework for ensuring secure civilian
desktop and laptop configurations.
In particular, IT managers at small and midsize organizations can
use the freely available checklists, model Windows GPO (Group Policy
Objects) and reference virtual machine images that the NIST (National
Institute of Standards and Technology) has provided for Windows XP and
Vista to create their own standard, secure desktop and laptop
The Office of Management and Budget has mandated that by Feb. 1 all
federal agencies using Windows XP and Vista adopt the standard security
configurations developed by NIST, the Department of Defense and the
Department of Homeland Security as part of FDCC.
The requirement also applies to the Windows XP and Vista firewalls,
and Internet Explorer 7. In a nutshell, the FDCC provides organizations
with guidelines for implementing standard, secure and assessable
operating system and application configurations, in an effort to reduce
the attack surfaces of the Windows-based desktop and laptop systems
that inhabit federal networks.
While the FDCC is currently limited to improving threat resistance
and compliance reporting for XP, Vista and Internet Explorer 7, expect
the guidelines to spur the adoption of configuration and scanning
standards that impact a broader set of applications. The OMB has yet to
mandate Apple, Red Hat and Sun Microsystems operating systems, but NIST
is working with these vendors to incorporate their systems.
Aside from Apple, the systems are primarily server operating
systems. The FDCC does not apply to Windows systems when they are used
as servers. It's likely that the Security Content Automation
Protocol-or SCAP, pronounced "S-CAP"-will eventually extend
vulnerability and configuration management to server operating systems.
The NIST-developed SCAP is the technical glue holding the FDCC
effort together. SCAP content is security checklist data that is
communicated in in XML formats and provides data about vulnerability,
configuration, compliance and asset information in Extensible
Configuration Checklist Description Format and Open Vulnerability and