OMB to verify agency work on security settings

The Policy Utilization Assessment program will determine how well agencies have implemented the Federal Desktop Core Configuration, an OMB official said today.

The Office of Management and Budget plans to verify the data that agencies submitted about their progress in implementing the Federal Desktop Core Configuration (FDCC) by using a statistical sampling approach that assesses policy compliance. OMB anticipates that it will validate the agency data in November or December using the Policy Utilization Assessment (PUA) program, Karen Evans, OMB’s administrator for e-government and information technology, said today at a security conference sponsored by the National Institute of Standards and Technology.

The FDCC is a standard security configuration that agencies must implement when they update their computers to the Microsoft Windows XP or Vista operating system. OMB has said a standard configuration should improve IT security because it requires a standard desktop view and should make updates, such as installing virus patches, faster and more effective.

In June, agencies submitted detailed technical plans to OMB about their implementation of FDCC security settings. In August, Evans issued guidance on implementing the first version of the FDCC. OMB made available through NIST -- and directed agencies to use -- software named Security Content Automation Protocol and associated tools to scan and validate the security settings they had put in place as part of the FDCC implementation, she said.

The PUA program, developed by the General Services Administration, can give chief information officers feedback on how well they have implemented specific policies. So far, the assessment program is being applied only to security policies, she said.

OMB conducted a pilot program with a few agencies using the assessment program to validate data they reported earlier this year, Evans said. Agencies reported in March that they believed that they were 50 percent through FDCC implementation. The assessment program found agencies had actually implemented just 30 percent of the policy, Evans said.
However, agencies need clarification about the best way to put in place and use SCAP tools, she said, adding that NIST is considering how best to communicate that to agencies. “There are gaps based on how agencies are implementing them and interpreting the results,” Evans said. Agencies tend to have similar issues; the information they submit to OMB is “only as good as what’s been reported to them from their components,” she said.

After agencies have resolved these gaps, OMB will run the next PUA program later this year to validate the FDCC information from all agencies “so we can say with some assurance on the [Capitol] Hill that we have validated the results; they are statistically sound; and we [are] at x percent of implementation,” she said.

Agencies reported there are about 3.5 million desktops that use XP or Vista and need to have FDCC deployed, Evans said. Half of them, some 1.25 million, are in the Defense Department, she noted.