To standardize and strengthen federal agencies’ computer security, the Office of Management and Budget (OMB), in collaboration with the National Institute of Standards and Technology (NIST), launched the Federal Desktop Core Configuration (FDCC) initiative in 2007.
Under the FDCC initiative, OMB directed federal agencies with Windows XP or Windows Vista deployed to adopt the security configurations developed by NIST, the Department of Defense, and the Department of Homeland Security.
At the request of OMB, NIST published the first beta version of the FDCC configuration settings in July 2007 for federal workstations that use Windows XP or Windows Vista as their operating system. FDCC was based on settings developed by the Air Force in partnership with the National Security Agency, Defense Information Systems Agency, NIST, and representatives from the Army, Navy, and Marines. Over the course of the next 11 months, NIST made several updates to the content and posted the revised versions on its website. The first major version of the configuration settings, version 1.0, was posted on NIST's website in June 2008 after a period of public comment. Based on implementation information reported by the agencies to NIST in March 2008, agency feedback on settings that were problematic to implement, and comments from the federal community, OMB had NIST remove 40 settings from the original beta version for version 1.0.
The goals of FDCC are to improve information security and reduce overall information technology operating costs across the federal government by, among other things, providing a baseline level of security through the implementation of a set of standard configuration settings on government-owned desktop and laptop computers (i.e., workstations). To carry out the initiative, OMB required that executive branch agencies take several actions, including: (1) submit an implementation plan to OMB; (2) apply all configuration settings to all applicable workstations by February 2008; (3) document any deviations from the prescribed settings and have them approved by an accrediting authority; (4) acquire a specified NIST-validated tool for monitoring implementation of the settings; (5) ensure that future information technology acquisitions comply with the configuration settings; and (6) submit a status report to NIST.
Current status
While agencies have taken actions to implement these requirements, as of March 2010 none of them had fully implemented all configuration settings on their applicable workstations. Specifically, most plans submitted to OMB did not address all key implementation activities; no agency implemented all of the prescribed configuration settings on all applicable workstations, though several implemented agency-defined subsets of the settings; several agencies did not fully document their deviations from the settings or establish a process for approving them; six agencies did not acquire and use the required tool for monitoring FDCC compliance; many agencies did not incorporate language into contracts to ensure that future information technology acquisitions comply with FDCC; and many agencies did not describe plans for eliminating or mitigating their deviations in their compliance reports to NIST.[1]
[1] GAO, Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements, GAO-10-202 (Mar. 12, 2010).