Agencies push ahead on security efforts

The National Institute of Standards and Technology has released updated security settings for agencies to adopt for Microsoft Windows XP and Vista operating systems under the Federal Desktop Core Configuration (FDCC). NIST officials said they made the changes as a result of public comments they received in April and May and an analysis of agencies’ reports on their experiences implementing the existing settings.Agencies must install the security settings when they upgrade to Microsoft XP or Vista, the Office of Management and Budget said in announcing the initiative last year. FDCC aims to provide a standard desktop view so agencies can make security improvements, such as installing virus patches, faster and more effectively, OMB said.Currently, FDCC consists of 674 settings, but agencies can check 99 percent of them electronically using the Security Content Automation Protocol validation tool, NIST said in its June 20 announcement.The CIO Council’s Architecture and Infrastructure Committee has created the FDCC Change Control Board to manage and address future changes to FDCC security settings, said Karen Evans, OMB’s administrator for e-government and information technology.FDCC is one of several security initiatives for which agencies must complete milestones by the end of this month. The Trusted Internet Connections (TIC) initiative is another.As part of that program, agencies reported to OMB that they have reduced the number of external Internet gateways from more than 4,300 in January to 2,758 in May, Evans said June 18. OMB has an ultimate target of only 100 secure Internet connections across the federal government.With fewer connections to the Internet, agencies can better secure their networks, she said.Vendors, including those on the Networx governmentwide telecommunications and network contract, can offer agencies TIC services, she added.Agencies have a number of activities to complete to meet the deadline for the security initiatives, but there are tools that can help them, Evans said.“The first best practice is cross-agency collaboration for sharing expertise, analyzing and validating requirements, and developing solutions,” she said. Resources include:• The Information Systems Security Line of Business tools.• NIST's standards development process.• The individual agency’s enterprise architecture, in particular the network infrastructure segment architecture.