The FDCC is just a starting point, however. For example, the reference model has disabled the guest access account. IT administrators should use the guidance that eWeek has advocated for years—lock down the standard desktop image so that users have the least amount of privileges needed for authorized business applications.

SCAP will likely have a major impact on both vulnerability and configuration management tools, as well as on application makers. The FDCC already requires federal agencies to acquire software validated to not change registry and other configuration settings during the installation process.

With applications required to leave system components alone and with scanning tools standardized on reading vulnerability and configuration information from a standard protocol, IT managers likely will be able to focus on selecting applications for business function without as much uncertainty about security risks the application will introduce.

FDCC requirements are a good starting point for organizations, but they are no substitute for a solid IT plan for a standard desktop and laptop configuration that meets business needs. I talked with several eWeek Corporate Partners, our advisers on IT field practice, after using the FDCC base-line Windows XP configuration. They agreed that the FDCC was a good concept but said they already had standard, approved configurations and wouldn’t be implementing the FDCC in their organizations.

A couple of the Corporate Partners interviewed are in large commercial organizations that are already subject to some regulation. For IT managers in SMBs, I recommend starting with selling top management on the idea of a single—or a very small number of—standard images that lock out administrative privilege.

The FDCC requirements were developed with a restricted security mission and a user community that is accustomed to being given directives. Commercial IT managers should consider that some of the FDCC settings may be too restrictive for practical implementation in a commercial organization. For example, many of the password policies that can be enforced in an organization that uses security clearances will be too costly to implement for a commercial organization.

The NIST checklists are freely accessible, and, since the money has already been spent, savvy IT managers would do well to consider the recommendations for ways to standardize and secure today’s user systems.