PC Lockdown in the Government and Beyond

New federal regulations for government agencies will have an impact in the commercial space.

Organizations that already have a stable, secure image for desktop and laptop computers can ignore this story. Everyone else can now implement the Federal Desktop Core Configuration (FDCC) for Windows XP and Vista, which provides a good framework for ensuring secure civilian desktop and laptop configurations.

In particular, IT managers at small and midsize organizations can use the freely available checklists, model Windows GPO (Group Policy Objects) and reference virtual machine images that the NIST (National Institute of Standards and Technology) has provided for Windows XP and Vista to create their own standard, secure desktop and laptop configurations.

The Office of Management and Budget has mandated that by Feb. 1 all federal agencies using Windows XP and Vista adopt the standard security configurations developed by NIST, the Department of Defense and the Department of Homeland Security as part of FDCC.

The requirement also applies to the Windows XP and Vista firewalls, and Internet Explorer 7. In a nutshell, the FDCC provides organizations with guidelines for implementing standard, secure and assessable operating system and application configurations, in an effort to reduce the attack surfaces of the Windows-based desktop and laptop systems that inhabit federal networks.

While the FDCC is currently limited to improving threat resistance and compliance reporting for XP, Vista and Internet Explorer 7, expect the guidelines to spur the adoption of configuration and scanning standards that impact a broader set of applications. The OMB has yet to mandate Apple, Red Hat and Sun Microsystems operating systems, but NIST is working with these vendors to incorporate their systems.

Aside from Apple, those systems are primarily server operating systems. The FDCC does not apply to Windows systems when they are used as servers. It's likely that the Security Content Automation Protocol, or SCAP (pronounced "S-CAP"), will eventually extend vulnerability and configuration management to server operating systems.

The NIST-developed SCAP is the technical glue holding the FDCC effort together. SCAP content is security checklist data communicated in XML formats: the checklist itself (rules, profiles and per-rule results) is expressed in the Extensible Configuration Checklist Description Format (XCCDF), while the machine-checkable tests those rules reference are expressed in the Open Vulnerability and Assessment Language (OVAL). Together they carry vulnerability, configuration, compliance and asset information in a form that scanning tools can consume and report on consistently.
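To make the XCCDF side of that concrete, here is an added example (not code from the article, NIST or any SCAP vendor) that parses a small, constructed XCCDF 1.1 benchmark with Python's standard library, pulls out each rule's severity and the OVAL definition it points at, and reports which rules a scan marked as failing. The benchmark, rule ids, OVAL definition names and host name are all made up for illustration; only the element structure and the XCCDF 1.1 namespace are real.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace (the schema version used for FDCC-era content).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample benchmark: ids, titles, targets and result values are
# invented for this example; the element structure follows XCCDF 1.1.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-desktop-benchmark">
  <title>Sample desktop configuration benchmark (constructed)</title>
  <Group id="group-firewall">
    <title>Windows Firewall</title>
    <Rule id="rule-firewall-domain-profile" severity="high">
      <title>Firewall is enabled for the domain profile</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="sample-oval.xml" name="oval:sample:def:1"/></check>
    </Rule>
  </Group>
  <Group id="group-browser">
    <title>Internet Explorer 7</title>
    <Rule id="rule-ie7-protected-mode" severity="medium">
      <title>Protected Mode is enabled for the Internet zone</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="sample-oval.xml" name="oval:sample:def:2"/></check>
    </Rule>
    <Rule id="rule-ie7-activex-prompt" severity="low">
      <title>Unsigned ActiveX controls are not downloaded</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="sample-oval.xml" name="oval:sample:def:3"/></check>
    </Rule>
  </Group>
  <TestResult id="result-host1" start-time="2008-01-15T10:00:00" end-time="2008-01-15T10:02:00">
    <target>host1.example.test</target>
    <rule-result idref="rule-firewall-domain-profile"><result>pass</result></rule-result>
    <rule-result idref="rule-ie7-protected-mode"><result>fail</result></rule-result>
    <rule-result idref="rule-ie7-activex-prompt"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""


def load_rules(xml_text):
    """Map each Rule id to its title, severity and OVAL definition reference."""
    root = ET.fromstring(xml_text)
    rules = {}
    # Rules may be nested inside Groups at any depth, so walk the whole tree.
    for rule in root.iter("{%s}Rule" % XCCDF_NS):
        title = rule.findtext("x:title", default="", namespaces=NS)
        oval_ref = None
        for check in rule.findall("x:check", NS):
            if check.get("system") == OVAL_SYSTEM:
                ref = check.find("x:check-content-ref", NS)
                if ref is not None:
                    oval_ref = (ref.get("href"), ref.get("name"))
        rules[rule.get("id")] = {
            "title": title,
            "severity": rule.get("severity", "unknown"),
            "oval_ref": oval_ref,
        }
    return rules


def load_results(xml_text):
    """Map each rule id in the TestResult to its outcome (pass, fail, ...)."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.findall(".//x:TestResult/x:rule-result", NS):
        results[rr.get("idref")] = rr.findtext("x:result", default="unknown", namespaces=NS)
    return results


def failing_rules(xml_text):
    """Rules whose result is 'fail', with severity and the OVAL check to inspect."""
    rules = load_rules(xml_text)
    failures = []
    for rule_id, outcome in load_results(xml_text).items():
        if outcome != "fail":
            continue
        meta = rules.get(rule_id, {})
        oval = meta.get("oval_ref")
        failures.append({
            "rule": rule_id,
            "severity": meta.get("severity", "unknown"),
            "title": meta.get("title", ""),
            "oval_definition": oval[1] if oval else None,
        })
    # Report high-severity failures first.
    order = {"high": 0, "medium": 1, "low": 2}
    failures.sort(key=lambda f: (order.get(f["severity"], 3), f["rule"]))
    return failures


def summarize(xml_text):
    """Count outcomes; anything other than 'pass' is treated as non-compliant."""
    counts = {}
    for outcome in load_results(xml_text).values():
        counts[outcome] = counts.get(outcome, 0) + 1
    total = sum(counts.values())
    passed = counts.get("pass", 0)
    return {"total": total, "pass": passed, "non_compliant": total - passed, "by_result": counts}


if __name__ == "__main__":
    for f in failing_rules(SAMPLE_XCCDF):
        print("%s %s: %s (OVAL %s)" % (f["severity"], f["rule"], f["title"], f["oval_definition"]))
    print(summarize(SAMPLE_XCCDF))
```

Note that `summarize` counts `notchecked` (and every other non-`pass` outcome) as non-compliant. That is the conservative reading a compliance report should take: a rule that a scanner never evaluated is not evidence that the setting is correct, and real results files frequently contain `notchecked` or `error` entries that are easy to overlook if only `fail` is counted.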