PC Lockdown in the Government and Beyond - Page 2
The bottom line is that the government is creating a standard way for applications and computer systems to communicate configuration information. Commercial applications already use SCAP in PCI (Payment Card Industry) Data Security Standard audits, because PCI-authorized scanning services must use the National Vulnerability Database provided by NIST.

NIST officials expected that several testing labs would be accredited to validate FDCC scanning tools. A number of vendors, including BigFix, ConfigureSoft, McAfee, nCircle and Symantec, have already self-certified that they can consume SCAP data streams in at least three of the areas required by the FDCC and are listed as compliant vendors on the NIST Web site.

The FDCC is focused on Windows XP and Vista configuration in federal agencies. It calls for organizations to use Microsoft's Group Policy to put sensible configuration defaults in place, such as turning wireless network access off by default, and to demonstrate compliance with them. NIST also provides Group Policy Object templates that can be applied to computers and users. NIST advises, and I concur, that the Group Policy templates it provides should not be applied to production environments until after diligent testing to ensure the restrictive policies won't interfere with business processes and applications.

Other FDCC requirements govern a wide range of configuration settings, many of them concerned with passwords. Changing default accounts is a big part of the FDCC checklists, and there are extensive rules around password use. For example, the FDCC mandates that passwords have a minimum length of 12 characters. I tried the model FDCC Windows XP virtual machine and found that small and midsize organizations could benefit from using the template as a beginning for building a standard image.
The ability to consume SCAP information is already appearing in other commercial IT management products from a range of vendors. Federal agencies can use scanning tools from those vendors to collect security and configuration information and to report compliance.
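The two ideas above, checking a machine's configuration against FDCC-style settings and reporting the outcome in an SCAP format that other tools can consume, fit in one small script. The following is an added example, not code from the article or from NIST or any of the vendors named: it parses a policy export shaped like the output of `secedit /export /cfg`, evaluates a few checks drawn from the settings the article mentions (12-character minimum password length, renamed default accounts, wireless service disabled) and emits the results as an XCCDF 1.1 TestResult element. The rule identifiers, the threshold for the wireless check (the Wireless Zero Configuration service set to start type 4, disabled) and the sample export are assumptions constructed for illustration, not taken from the FDCC checklists.

```python
"""Check a secedit-style policy export against FDCC-like settings and emit
an XCCDF 1.1 TestResult, the SCAP result format a compliant scanner reports.
Added example; rule IDs and sample data are constructed for illustration."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# Constructed sample shaped like `secedit /export /cfg policy.inf` output.
# Service lines are "name",start-type,"SDDL"; start type 4 means disabled.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
NewAdministratorName = "Administrator"
NewGuestName = "LocalVisitor"
[Service General Setting]
"WZCSVC",4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Parse the INI-like export into {section: {key: value}}.
    Service lines have no '=', so they are keyed by service name with the
    start type as the value."""
    policy, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            policy.setdefault(section, {})
        elif section == "Service General Setting":
            name, start, _sddl = line.split(",", 2)
            policy[section][name.strip('"')] = start.strip()
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            policy[section][key.strip()] = value.strip().strip('"')
    return policy


def evaluate(policy):
    """Map hypothetical rule IDs to pass/fail. Thresholds follow the settings
    the article names; the wireless check assumes WZCSVC disabled (type 4)."""
    access = policy.get("System Access", {})
    services = policy.get("Service General Setting", {})
    checks = {
        "fdcc-min-password-length-12":
            int(access.get("MinimumPasswordLength", 0)) >= 12,
        "fdcc-rename-administrator":
            access.get("NewAdministratorName", "Administrator") != "Administrator",
        "fdcc-rename-guest":
            access.get("NewGuestName", "Guest") != "Guest",
        "fdcc-wireless-service-disabled":
            services.get("WZCSVC") == "4",
    }
    return {rule: ("pass" if ok else "fail") for rule, ok in checks.items()}


def to_xccdf(results, result_id="xccdf_example_testresult"):
    """Render results as an XCCDF TestResult: one rule-result per rule plus
    a score out of 100, so any SCAP-consuming tool can ingest them."""
    ET.register_namespace("", XCCDF_NS)
    root = ET.Element(f"{{{XCCDF_NS}}}TestResult", id=result_id)
    for rule, outcome in results.items():
        rr = ET.SubElement(root, f"{{{XCCDF_NS}}}rule-result", idref=rule)
        ET.SubElement(rr, f"{{{XCCDF_NS}}}result").text = outcome
    score = ET.SubElement(root, f"{{{XCCDF_NS}}}score", maximum="100")
    passed = sum(1 for v in results.values() if v == "pass")
    score.text = f"{100 * passed / len(results):.1f}"
    return ET.tostring(root, encoding="unicode")


def check_export(text):
    """Convenience wrapper: export text in, {rule: pass|fail} out."""
    return evaluate(parse_inf(text))


if __name__ == "__main__":
    print(to_xccdf(check_export(SAMPLE_INF)))
```

On the sample export the password-length and administrator-rename rules fail while the guest-rename and wireless rules pass, which is the kind of gap a template applied without testing would surface. Real checklists express each rule as OVAL definitions rather than hand-written Python, but the interchange shape is the same: a rule identifier, a result and a score that a reporting tool can aggregate across many machines.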