“Get a Personal Trainer for Your Computer!”©

Full Credit To:  Sandra Key Miller, author; 5/23/08, p. 25:

Federal Desktop Core Configuration 101
NIST Security Content Automation Protocol Provides A Better Security Framework

As of March 31, 2008, any federal agency subject to the Office of Management and Budget (OMB), the largest office within the Executive Office of the President of the United States, must comply with the FDCC (Federal Desktop Core Configuration) policy for all Microsoft Windows XP and Vista systems. Compliance is checked through SCAP (Security Content Automation Protocol, pronounced “S-cap”), a method of using specific, machine-readable standards to enable automated vulnerability management, measurement, and policy-compliance evaluation.

Each federal agency’s CIO is required to submit the agency’s FDCC reports to NIST (National Institute of Standards and Technology). The goals of the initiative are to raise overall system security and to reduce the cost of system and application maintenance across all federal agencies.

The FDCC baseline was created through a collaboration between NIST, DHS (Department of Homeland Security), DISA (Defense Information Systems Agency), NSA (National Security Agency), USAF (U.S. Air Force), and Microsoft. NIST has developed resources to aid agencies in testing, implementing, and deploying WinXP and Vista to meet the FDCC baseline, including a scanning tool and technical FAQs.

What Does It All Mean?

According to Ron Gula, chief executive officer and chief technical officer of Tenable Security, there is far less confusion around the government mandate than around regulatory compliance regimes such as PCI (Payment Card Industry), whose requirements are broad and generic. “SCAP has very specific settings that are applied to specific operating systems. It’s taking the ambiguity out of system configurations,” he explains.

Each agency is responsible for reporting computer counts, SCAP reports, and FDCC deviations for each environment and system role within its jurisdiction. Validation and reporting are not limited to the operating system; they extend to other components such as firewalls, antivirus, and Web browsers. NIST provides extensive SCAP checklists for individual components, as well as a list of SCAP-validated vendor products.

Over the years, Gula has worked extensively with government agencies, including the NSA, where he conducted advanced vulnerability research and penetration tests of government networks; he has also helped secure networks and systems in the private sector.

Robert Hollis, director of product development at ThreatGuard, offers a simplified description: “At a very high level, FDCC is a policy that is mandated saying that all desktops in the federal space should be configured in a certain manner. SCAP, the technology piece to FDCC, is a set of protocols that define how to check for or enforce the policy.”


SCAP is a suite of open standards that function together to deliver automated vulnerability management, measurement, and policy-compliance evaluation. XCCDF (eXtensible Configuration Checklist Description Format) and OVAL (Open Vulnerability and Assessment Language) are the assessment languages: XCCDF expresses the checklist (which rules apply, how they are scored), and OVAL expresses how each rule is actually tested on a machine. The reference standards that the assessment content points to are CCE (Common Configuration Enumeration), CPE (Common Platform Enumeration), CVSS (Common Vulnerability Scoring System), and CVE (Common Vulnerabilities and Exposures). (See the “SCAP Abbreviations & Definitions” sidebar for more information.)

SCAP will allow security technologies to exchange systems and vulnerability information through a common format, thus allowing individual agencies the flexibility to use configuration management and security solutions that best meet their needs and budgets.

“Interoperability and standardized methods for communication between security and compliance tools are essential in order for agencies to optimize their security dollar and increase their return on investment. The SCAP validation program for security products is a huge next step in accomplishing that goal,” says Andrew Buttner, lead INFOSEC engineer at The MITRE Corp.

Not Just For Feds

Although SCAP compliance is required only of federal agencies, organizations in the private sector have begun to adopt the standards, just as they adopted the NSA security configuration guides and the DISA Security Technical Implementation Guides (STIGs). “You’ll see organizations like credit unions and healthcare agencies—those who work with the government—implementing FDCC,” says Gula, who believes the government may be encouraging organizations to adopt the policy and standards as a prerequisite for doing business with it.

“The government agency, being a customer, is basically asking their vendors to comply with the same standards to which they themselves are held accountable,” Gula notes. “The only motivation there is to get the business of the government, which is obviously a significant amount of potential revenue.”

Hollis agrees. “We believe that FDCC is such a good idea that other industries will take hold of this. You’ll definitely see this adopted in private industries, such as health care,” he says.

Security experts, including Alan Paller, director of research at the SANS Institute, believe that Washington is moving in the right direction by implementing FDCC and mandating that all vendors supplying software to federal agencies pass SCAP validation. “People saw what could work, so they made these national mandates around software sales and systems patching, and every company in the nation could do the same type of things to help themselves,” Paller says. “By working with the vendors instead of blaming software companies for these problems, this type of effort can be helpful for everyone else.”

Because SCAP content is machine-readable, federal agencies and nongovernment organizations alike can deploy automated configuration-assessment tools to meet the FDCC requirements and to maintain a proactive security posture: systems are re-scanned routinely, and any drift from the baseline caused by patching, new software installation, or manual changes shows up as a policy violation rather than going unnoticed.
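The mechanics described above, namely an XCCDF checklist whose rules carry CCE identifiers and point at OVAL definitions, which are in turn evaluated against settings collected from a host to produce per-rule results, a score, and a list of deviations, are easier to see in code. The following is an added example written for this page, not NIST, MITRE or vendor code. The XML fragments are constructed and deliberately stripped down: schema namespaces are omitted, the CCE identifiers are placeholders rather than real CCE entries, and the simplified `<test>` element names one collected setting and its expected value directly, where real OVAL content references separate object and state elements. The collected host values are likewise constructed, standing in for what a scanner would read from the system.

```python
"""Toy XCCDF + OVAL evaluator (constructed example; not NIST or MITRE code).

Shows how the SCAP pieces fit together: XCCDF Rules -> CCE ident + OVAL
definition reference; OVAL definition -> criteria tree (AND/OR, negate)
over tests; tests -> comparison against values collected from the host.
"""
import xml.etree.ElementTree as ET
from operator import eq, ge, le

# Constructed XCCDF fragment.  CCE values are placeholders, not real CCE ids.
XCCDF = """<Benchmark id="example-benchmark">
  <Rule id="rule-min-password-length" weight="1.0">
    <title>Minimum password length</title>
    <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-1</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-screen-saver-lock" weight="1.0">
    <title>Screen saver locks the session</title>
    <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-2</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
</Benchmark>"""

# Constructed OVAL fragment.  Real OVAL tests point at separate object and
# state elements; this simplified test names the setting and expected value.
OVAL = """<oval_definitions>
  <definitions>
    <definition id="oval:example:def:1">
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1"/>
      </criteria>
    </definition>
    <definition id="oval:example:def:2">
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:2"/>
        <criterion test_ref="oval:example:tst:3"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <test id="oval:example:tst:1" setting="MinimumPasswordLength"
          operation="greater than or equal" value="12"/>
    <test id="oval:example:tst:2" setting="ScreenSaverActive"
          operation="equals" value="1"/>
    <test id="oval:example:tst:3" setting="ScreenSaverTimeOut"
          operation="less than or equal" value="900"/>
  </tests>
</oval_definitions>"""

OPS = {"equals": eq, "greater than or equal": ge, "less than or equal": le}


def eval_test(test, collected):
    """Compare one collected setting against the test's expected value."""
    actual = collected.get(test.get("setting"))
    if actual is None:
        return False  # nothing collected for this setting: not compliant
    return OPS[test.get("operation")](int(actual), int(test.get("value")))


def eval_criteria(node, tests, collected):
    """Recursively evaluate an OVAL criteria tree (AND/OR with optional negate)."""
    if node.tag == "criterion":
        result = eval_test(tests[node.get("test_ref")], collected)
    else:
        results = [eval_criteria(child, tests, collected) for child in node]
        result = all(results) if node.get("operator", "AND") == "AND" else any(results)
    return (not result) if node.get("negate") == "true" else result


def evaluate(xccdf_xml, oval_xml, collected):
    """Return an XCCDF-style result: per-rule pass/fail, score, deviations."""
    bench = ET.fromstring(xccdf_xml)
    oval = ET.fromstring(oval_xml)
    tests = {t.get("id"): t for t in oval.iter("test")}
    defs = {d.get("id"): d.find("criteria") for d in oval.iter("definition")}
    rule_results, deviations = {}, []
    for rule in bench.iter("Rule"):
        ref = rule.find("check/check-content-ref").get("name")
        passed = eval_criteria(defs[ref], tests, collected)
        rule_results[rule.get("id")] = "pass" if passed else "fail"
        if not passed:
            # A failing rule plus its CCE id is exactly what a deviation report needs.
            deviations.append((rule.get("id"), rule.find("ident").text))
    # Flat scoring: every rule weighted 1.0, so the score is the pass percentage.
    score = 100.0 * sum(r == "pass" for r in rule_results.values()) / len(rule_results)
    return {"rule_results": rule_results, "score": score, "deviations": deviations}


# Constructed host state, standing in for values a scanner would collect.
HOST = {"MinimumPasswordLength": "8", "ScreenSaverActive": "1", "ScreenSaverTimeOut": "600"}

if __name__ == "__main__":
    print(evaluate(XCCDF, OVAL, HOST))
```

With the constructed host values, the password-length rule fails (8 is below the required 12) and the screen-saver rule passes, giving a score of 50 and one deviation tagged with its CCE placeholder; raising the collected password length to 12 or more brings the score to 100. The CCE identifier on the failing rule is what lets a deviation be correlated across different vendors’ tools, which is the interoperability point Buttner makes above.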


SCAP Abbreviations & Definitions

CCE (Common Configuration Enumeration)

Provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools

CPE (Common Platform Enumeration)

A structured naming scheme for information technology systems, platforms, and packages

CVE (Common Vulnerabilities and Exposures)

A dictionary of publicly known information security vulnerabilities and exposures

CVSS (Common Vulnerability Scoring System)

Provides an open framework for communicating the characteristics and impacts of IT vulnerabilities

OVAL (Open Vulnerability and Assessment Language)

An international information security standard to promote open and publicly available security content

XCCDF (eXtensible Configuration Checklist Description Format)

A specification language for writing security checklists, benchmarks, and related configuration documents



A government and technology-industry panel on cyber-security is recommending that the federal government end its reliance on passwords and enforce what the industry describes as “strong authentication.” The report, prepared over roughly 18 months and released in December 2008, was commissioned by the Center for Strategic and International Studies, a Washington, D.C., policy group, and written by a commission of more than 60 government and business computer-security specialists following a series of break-ins into government computer systems. The commission also recommended the creation of a White House cyber-security czar to address the significant national-security threats.


© Computer Coach.  All written materials are the sole property of Computer Coach (unless otherwise attributed) and no part of this website may be used in any format without the express written permission of Computer Coach.