informa
Commentary

Are You SCAP Ready?

In case you missed it, about a year ago the Office of Management and Budget issued policy memorandum M-07-11, aka the Implementation of Commonly Accepted Security Configurations for Windows Operating Systems. Essentially, this mandates that all federal agency systems must adhere to the Federal Desktop Core Configuration (FDCC) by February 2008. That's this Friday.
In case you missed it, about a year ago the Office of Management and Budget issued policy memorandum M-07-11, aka the Implementation of Commonly Accepted Security Configurations for Windows Operating Systems. Essentially, this mandates that all federal agency systems must adhere to the Federal Desktop Core Configuration (FDCC) by February 2008. That's this Friday.The goal is laudable; as these security configurations can go a long way to help CIOs and federal agency CISOs keep systems safer. But both the configuration and verification of this standard system implementation rely heavily on a rather obscure protocol known as SCAP, which is the Security Content Automation Protocol.

SCAP, basically, is a checklist that relies on a handful of open standards for naming software flaw conventions and configurations in applications and systems. So, if your scanner is SCAP compliant, you can more swiftly check to see if your agency systems are FDCC compliant.

That's probably why, in another memo, the OMB mandated that federal CIOs must use SCAP-validated tools for FDCC software acceptance for all U.S. government systems.

And that's where trouble starts to enter this acronym paradise. This Friday, those federal agencies are supposed to submit to OMB a listing of all of their systems running XP and Vista, as well as how many are FDCC compliant (Though SCAP is not required for this deadline).

Here's the rub: as of today, no SCAP products have been validated. There's just this Web page listing no validated SCAP tools. However, the National Institute of Standards and Technology has promised a list by this Friday.

There's nothing like pushing a deadline.

In the long run, SCAP will no doubt will make it easier for agencies, vendors, and auditors to maintain more secure federal systems. A secure configuration that can be easily validated means fewer mistakes and easier enforcement of sound security practices.

For those agencies that don't want to wait until Friday to get started, here's a list of scanners that purport to have SCAP capabilities.

Recommended Reading: