As of March 31, 2008, any federal agency that falls under the Office of Management and Budget, the largest cabinet-level office within the Executive Office of the President of the United States, will have to meet the FDCC (Federal Desktop Core Configuration) policy for all Microsoft Windows XP and Vista systems through the use of the SCAP (Security Content Automation Protocol, pronounced “S-cap”), a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.
Each federal agency’s CIO is required to submit its FDCC reports to NIST (National Institute of Standards and Technology). The goals of this initiative are to increase overall system security and to reduce the cost of system and application maintenance for all federal agencies.
The FDCC baseline was created through a collaboration between NIST, DHS (Department of Homeland Security), DISA (Defense Information Systems Agency), NSA (National Security Agency), USAF (U.S. Air Force), and Microsoft. NIST has developed resources to aid agencies in testing, implementing, and deploying WinXP and Vista to meet the FDCC baseline, including a scanning tool and technical FAQs.
What Does It All Mean?
According to Ron Gula, chief executive officer and chief technical officer for Tenable Security (www.tenablesecurity.com), there is less confusion around the government mandate than around regulatory compliance regimes such as PCI (Payment Card Industry), whose requirements are broad and generic. “SCAP has very specific settings that are applied to specific operating systems. It’s taking the ambiguity out of system configurations,” he explains.
Each agency will be responsible for reporting computer counts, SCAP reports, and FDCC deviations for each environment/system role within its jurisdiction. Validation and reporting are not limited to just the operating system but to assorted components, such as firewalls, antivirus, Web browsers, etc. NIST provides extensive SCAP checklists for individual components, as well as SCAP-validated vendor products.
Over the years, Gula has worked extensively with government agencies, including the NSA where he conducted advanced vulnerability research and penetration tests of government networks, as well as helping to secure networks and systems in the private sector.
Robert Hollis, director of product development at ThreatGuard (www.threatguard.com), offers a simplified description: “At a very high level, FDCC is a policy that is mandated saying that all desktops in the federal space should be configured in a certain manner. SCAP, the technology piece to FDCC, is a set of protocols that define how to check for or enforce the policy.”
SCAP is a suite of open standards that function together to deliver automated vulnerability management, measurement, and policy compliance evaluation. XCCDF (eXtensible Configuration Checklist Description Format) and OVAL (Open Vulnerability and Assessment Language) are the assessment protocols: XCCDF expresses the checklist and its rules, and OVAL expresses the machine-readable checks those rules rely on. The reference protocols include CCE (Common Configuration Enumeration), CPE (Common Platform Enumeration), CVSS (Common Vulnerability Scoring System), and CVE (Common Vulnerabilities and Exposures). (See the “SCAP Abbreviations & Definitions” sidebar for more information.)
SCAP will allow security technologies to exchange system and vulnerability information through a common format, thus giving individual agencies the flexibility to use the configuration management and security solutions that best meet their needs and budgets.
“Interoperability and standardized methods for communication between security and compliance tools are essential in order for agencies to optimize their security dollar and increase their return on investment. The SCAP validation program for security products is a huge next step in accomplishing that goal,” says Andrew Buttner, lead INFOSEC engineer at The MITRE Corp. (www.mitre.org).
Not Just For Feds
Although SCAP is required only of government agencies, organizations in the private sector have begun to adopt the standards, as they have with the NSA Best Practices and the DISA Security Technical Implementation Guides. “You’ll see organizations like credit unions and healthcare agencies—those who work with the government—implementing FDCC,” says Gula, who believes the government might be encouraging organizations to adopt the policy and standards as a requisite for doing business with it.
“The government agency, being a customer, is basically asking their vendors to comply with the same standards to which they themselves are held accountable,” Gula notes. “The only motivation there is to get the business of the government, which is obviously a significant amount of potential revenue.”
Hollis agrees. “We believe that FDCC is such a good idea that other industries will take hold of this. You’ll definitely see this adopted in private industries, such as health care,” he says.
Security experts, including Alan Paller, director of research at the SANS Institute, believe that Washington is moving in the right direction by implementing FDCC and mandating that all vendors supplying software to federal agencies pass an SCAP validation. “People saw what could work, so they made these national mandates around software sales and systems patching, and every company in the nation could do the same type of things to help themselves,” Paller says. “By working with the vendors instead of blaming software companies for these problems, this type of effort can be helpful for everyone else.”
As a consequence of SCAP, federal agencies and nongovernment organizations alike can deploy automated configuration assessment applications to meet the FDCC requirements and to maintain a proactive security posture by routinely monitoring systems for policy violations introduced by patching, new software installation, or human intervention.
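The following is an added illustration, not code from the article or from any NIST, MITRE, Tenable or ThreatGuard tool, of how the pieces described above fit together: an XCCDF-style checklist whose rules each carry a CCE identifier and an OVAL-style check, evaluated against a snapshot of a host's settings, with per-rule results, deviation listing, and the "drift" comparison that routine monitoring after patching or software installation relies on. Everything in it is simplified and constructed: the element names only loosely follow XCCDF, the CCE identifiers are placeholders rather than real CCE entries, and the setting names (ScreenSaveTimeOut, EnableFirewall, NoDriveTypeAutoRun) merely mimic Windows registry values; nothing reads a real machine.

```python
"""Toy SCAP-style compliance evaluator (added example; not an article or
vendor tool). A simplified XCCDF-like checklist ties each rule to a CCE id
and an OVAL-style check; checks are evaluated against a constructed host
snapshot and summarized the way a scanner would report them."""
import xml.etree.ElementTree as ET

# Constructed checklist. Element names loosely follow XCCDF (Benchmark, Rule,
# title, ident, check); the CCE identifiers are placeholders, not real entries.
CHECKLIST = """<Benchmark id="toy-desktop-baseline">
  <Rule id="screensaver-timeout" severity="medium">
    <title>Screen saver timeout is 15 minutes or less</title>
    <ident system="cce">CCE-00001-0</ident>
    <check test="max" key="ScreenSaveTimeOut" value="900"/>
  </Rule>
  <Rule id="firewall-enabled" severity="high">
    <title>Host firewall is enabled</title>
    <ident system="cce">CCE-00002-0</ident>
    <check test="equals" key="EnableFirewall" value="1"/>
  </Rule>
  <Rule id="autorun-disabled" severity="high">
    <title>Autorun is disabled for all drive types</title>
    <ident system="cce">CCE-00003-0</ident>
    <check test="equals" key="NoDriveTypeAutoRun" value="255"/>
  </Rule>
</Benchmark>"""

# Constructed host snapshots (setting name -> collected value). The names mimic
# Windows registry values, but nothing here reads a real registry.
HOST_BASELINE = {"ScreenSaveTimeOut": "600", "EnableFirewall": "1",
                 "NoDriveTypeAutoRun": "255"}
# Same host after a hypothetical software install: timeout raised, autorun
# setting removed entirely.
HOST_AFTER_INSTALL = {"ScreenSaveTimeOut": "3600", "EnableFirewall": "1"}


def evaluate_check(check, state):
    """Apply one OVAL-style test. Returns 'pass', 'fail' or 'unknown'."""
    key, expected, test = check.get("key"), check.get("value"), check.get("test")
    if key not in state:
        return "unknown"  # not collected: compliance cannot be claimed
    actual = state[key]
    if test == "equals":
        return "pass" if actual == expected else "fail"
    if test == "max":  # numeric upper bound, e.g. a timeout in seconds
        try:
            return "pass" if int(actual) <= int(expected) else "fail"
        except ValueError:
            return "unknown"
    raise ValueError(f"unsupported test type: {test}")


def evaluate(checklist_xml, state):
    """Evaluate every Rule in the checklist against one host snapshot."""
    root = ET.fromstring(checklist_xml)
    results = []
    for rule in root.findall("Rule"):
        results.append({
            "rule": rule.get("id"),
            "severity": rule.get("severity"),
            "cce": rule.findtext("ident"),
            "title": rule.findtext("title"),
            "result": evaluate_check(rule.find("check"), state),
        })
    counts = {k: sum(1 for r in results if r["result"] == k)
              for k in ("pass", "fail", "unknown")}
    return {"benchmark": root.get("id"), "counts": counts, "results": results}


def deviations(report):
    """Rules that would need a documented deviation: anything not passing."""
    return [r for r in report["results"] if r["result"] != "pass"]


def drift(before, after):
    """Rule ids that passed in the earlier scan but no longer do, i.e. policy
    violations introduced between two routine scans."""
    passed = {r["rule"] for r in before["results"] if r["result"] == "pass"}
    return [r["rule"] for r in after["results"]
            if r["rule"] in passed and r["result"] != "pass"]


if __name__ == "__main__":
    base = evaluate(CHECKLIST, HOST_BASELINE)
    later = evaluate(CHECKLIST, HOST_AFTER_INSTALL)
    print(base["benchmark"], "baseline:", base["counts"])
    print(base["benchmark"], "after install:", later["counts"])
    for d in deviations(later):
        print(f"DEVIATION {d['cce']} [{d['severity']}] {d['title']}: {d['result']}")
    print("drift since baseline:", drift(base, later))
```

Two design points carry over to real SCAP content: a setting that the scanner could not collect is reported as unknown rather than as a pass, so an agency cannot claim compliance for what it did not measure, and every result is keyed by the rule's CCE identifier, which is what lets reports from different SCAP-validated products be compared against the same baseline.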