informa
/
Announcements
Event
Beyond Passwords: New Thinking and Strategies for Authentication | January 27 Webinar | <REGISTER NOW>
Event
Securing Your APIs: What You Need to Know | January 25 Webinar | <REGISTER NOW>
Event
Beyond Spam and Phishing: Emerging Email-based Threats | January 18 Webinar | <REGISTER NOW>
PreviousNext
Risk
Commentary

Are You SCAP Ready?

In case you missed it, about a year ago the Office of Management and Budget issued policy memorandum M-07-11, aka the Implementation of Commonly Accepted Security Configurations for Windows Operating Systems. Essentially, this mandates that all federal agency systems must adhere to the Federal Desktop Core Configuration (FDCC) by February 2008. That's this Friday.
George V. Hulme
Contributor
January 29, 2008
In case you missed it, about a year ago the Office of Management and Budget issued policy memorandum M-07-11, aka the Implementation of Commonly Accepted Security Configurations for Windows Operating Systems. Essentially, this mandates that all federal agency systems must adhere to the Federal Desktop Core Configuration (FDCC) by February 2008. That's this Friday.The goal is laudable; as these security configurations can go a long way to help CIOs and federal agency CISOs keep systems safer. But both the configuration and verification of this standard system implementation rely heavily on a rather obscure protocol known as SCAP, which is the Security Content Automation Protocol.

SCAP, basically, is a checklist that relies on a handful of open standards for naming software flaw conventions and configurations in applications and systems. So, if your scanner is SCAP compliant, you can more swiftly check to see if your agency systems are FDCC compliant.

That's probably why, in another memo, the OMB mandated that federal CIOs must use SCAP-validated tools for FDCC software acceptance for all U.S. government systems.

And that's where trouble starts to enter this acronym paradise. This Friday, those federal agencies are supposed to submit to OMB a listing of all of their systems running XP and Vista, as well as how many are FDCC compliant (Though SCAP is not required for this deadline).

Here's the rub: as of today, no SCAP products have been validated. There's just this Web page listing no validated SCAP tools. However, the National Institute of Standards and Technology has promised a list by this Friday.

There's nothing like pushing a deadline.

In the long run, SCAP will no doubt will make it easier for agencies, vendors, and auditors to maintain more secure federal systems. A secure configuration that can be easily validated means fewer mistakes and easier enforcement of sound security practices.

For those agencies that don't want to wait until Friday to get started, here's a list of scanners that purport to have SCAP capabilities.

Recommended Reading:
More Insights
White Papers
More White Papers
Webinars
More Webinars
Reports
More Reports
Webinars
More Webinars
White Papers
More White Papers
Events
More Events
More Insights
White Papers
More White Papers
Webinars
More Webinars
Reports
More Reports