Federal agencies have not fully adopted secure desktop configuration standards mandated by the Office of Management and Budget (OMB) three years ago, leaving desktops less secure than they ought to be, a recent General Accountability Office (GAO) report found.

Federal agencies have taken some steps to implement the goals of the Federal Desktop Core Configuration (FDCC), which are to improve overall security and reduce IT operating costs across the federal government.

None, however, have fully implemented all the configuration settings on applicable PCs, citing a number of challenges to doing so, according to the report, published last month.

The FDCC was established by the OMB in 2007 to provide a baseline for security across federal workstations. The OMB based the FDCC on settings developed by the Air Force in partnership with the National Security Agency, Defense Information Systems Agency, the National Institute of Standards and Technology (NIST) and representatives from the Army, Navy, and Marines.

To become compliant with FDCC, agencies were supposed to first submit an implementation plan, and then configure Windows XP and Vista PCs according to the common security settings required by the initiative by February 2008.

They also were required to document any changes from the OMB's recommended settings and have them approved by an accrediting authority; acquire a specified NIST-validated tool for monitoring implementation of the settings; ensure that future IT acquisitions comply with the configuration settings; and submit a status report to NIST.

The main barrier to full implementation of the FDCC is that the new configurations disrupt current systems in use, particularly older software and legacy systems, according to the report.

The discrepancy between the number of desktops in different agencies also has posed a problem for some agencies. Though all were expected to implement all the settings, some agencies have only a handful of desktops in one location, while others have had to configure many desktops in multiple geographic locations, making implementation more complicated.

Monitoring workstations to ensure compliance with the FDCC also has proven challenging and will continue to do so, according to the report.

To improve the current state of FDCC implementation, the GAO is recommending that the OMB provide clearer and more realistic deadlines for implementation when announcing changes to the FDCC, such as those required for Windows 7 desktops.

It also advised the OMB to inform agencies of the various approaches for testing the settings and implementing the changes in phases, which may help agencies more successfully implement the initiative, according to the report.

Further, the OMB should develop performance measures and provide guidance to agencies for reporting the benefits of FDCC, as well as clarify its policy regarding FDCC deviations.