Fed Agencies Failing On Desktop Security
No agency has fully met the requirements of the Federal Desktop Core Configuration, established as baseline security for government workstations three years ago.
April 13, 2010
Federal agencies have not fully adopted secure desktop configuration standards mandated by the Office of Management and Budget (OMB) three years ago, leaving desktops less secure than they ought to be, a recent General Accountability Office (GAO) report found.
Federal agencies have taken some steps to implement the goals of the Federal Desktop Core Configuration (FDCC), which are to improve overall security and reduce IT operating costs across the federal government.
None, however, have fully implemented all the configuration settings on applicable PCs, citing a number of challenges to doing so, according to the report, published last month.
The FDCC was established by the OMB in 2007 to provide a baseline for security across federal workstations. The OMB based the FDCC on settings developed by the Air Force in partnership with the National Security Agency, Defense Information Systems Agency, the National Institute of Standards and Technology (NIST) and representatives from the Army, Navy, and Marines.
To become compliant with FDCC, agencies were supposed to first submit an implementation plan, and then configure Windows XP and Vista PCs according to the common security settings required by the initiative by February 2008.
They also were required to document any changes from the OMB's recommended settings and have them approved by an accrediting authority; acquire a specified NIST-validated tool for monitoring implementation of the settings; ensure that future IT acquisitions comply with the configuration settings; and submit a status report to NIST.
The main barrier to full implementation of the FDCC is that the new configurations disrupt current systems in use, particularly older software and legacy systems, according to the report.
Differences in the number of desktops across agencies have also posed a problem. Though all agencies were expected to implement all the settings, some have only a handful of desktops in one location, while others have had to configure many desktops across multiple geographic locations, making implementation more complicated.
Monitoring workstations to ensure compliance with the FDCC also has proven challenging and will continue to do so, according to the report.
To improve the current state of FDCC implementation, the GAO is recommending that the OMB provide clearer and more realistic deadlines for implementation when announcing changes to the FDCC, such as those required for Windows 7 desktops.
It also advised the OMB to inform agencies of the various approaches for testing the settings and implementing the changes in phases, which may help agencies more successfully implement the initiative, according to the report.
Further, the OMB should develop performance measures and provide guidance to agencies for reporting the benefits of FDCC, as well as clarify its policy regarding FDCC deviations.