Information Security:

Agencies Need to Implement Federal Desktop Core Configuration Requirements

GAO-10-202: Published: Mar 12, 2010. Publicly Released: Apr 12, 2010.

Contact:

Gregory C. Wilshusen
(202) 512-3000
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The increase in security incidents and continuing weakness in security controls on information technology systems at federal agencies highlight the continuing need for improved information security. To standardize and strengthen agencies' security, the Office of Management and Budget (OMB), in collaboration with the National Institute of Standards and Technology (NIST), launched the Federal Desktop Core Configuration (FDCC) initiative in 2007. GAO was asked to (1) identify the goals, objectives, and requirements of the initiative; (2) determine the status of actions federal agencies have taken, or plan to take, to implement the initiative; and (3) identify the benefits, challenges, and lessons learned in implementing this initiative. To accomplish this, GAO reviewed policies, plans, and other documents at the 24 major executive branch agencies; reviewed OMB and NIST guidance and documentation; and interviewed officials.

The goals of FDCC are to improve information security and reduce overall information technology operating costs across the federal government by, among other things, providing a baseline level of security through the implementation of a set of standard configuration settings on government-owned desktop and laptop computers (i.e., workstations). To carry out the initiative, OMB required that executive branch agencies take several actions, including: (1) submit an implementation plan to OMB; (2) apply all configuration settings to all applicable workstations by February 2008; (3) document any deviations from the prescribed settings and have them approved by an accrediting authority; (4) acquire a specified NIST-validated tool for monitoring implementation of the settings; (5) ensure that future information technology acquisitions comply with the configuration settings; and (6) submit a status report to NIST. While agencies have taken actions to implement these requirements, none of the agencies has fully implemented all configuration settings on their applicable workstations. Specifically, most plans submitted to OMB did not address all key implementation activities; none of the agencies implemented all of the prescribed configuration settings on all applicable workstations, though several implemented agency-defined subsets of the settings; several agencies did not fully document their deviations from the settings or establish a process for approving them; six agencies did not acquire and make use of the required tool for monitoring FDCC compliance; many agencies did not incorporate language into contracts to ensure that future information technology acquisitions comply with FDCC; and many agencies did not describe plans for eliminating or mitigating their deviations in their compliance reports to NIST. Until agencies ensure that they are meeting these FDCC requirements, the effectiveness of the initiative will be limited.

FDCC has the potential to increase agencies' information security by requiring stricter security settings on workstations than those that may have been previously in place and standardizing agencies' management of workstations, making it easier to manage changes such as applying updates or patches. In addition, a number of lessons can be learned from the management and implementation of the FDCC initiative which, if considered, could improve the implementation of future versions of FDCC or other configuration efforts. At the same time, agencies face several ongoing challenges in fully complying with FDCC requirements, including retrofitting applications and systems in their existing environments to comply with the settings, assessing the risks associated with deviations, and monitoring workstations to ensure that the settings are applied and functioning properly. As OMB moves forward with the initiative, understanding the lessons learned as well as the ongoing challenges agencies face will be essential in order to ensure the initiative is successful in ensuring public confidence in the confidentiality, integrity, and availability of government information.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that the United States Government Configuration Baseline replaced the FDCC and now provides the baseline settings that Federal agencies are required to implement for security and environmental reasons. We also verified that OMB, as an alternative to our recommendation, required agencies to establish clear, realistic, and effectively communicated deadlines for completing implementation.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should when announcing new FDCC versions, such as Windows 7, and changes to existing versions, include clear, realistic, and effectively communicated deadlines for completing implementation.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that the United States Government Configuration Baseline (USGCB) replaced the FDCC and now provides the baseline settings that Federal agencies are required to implement for security and environmental reasons. We also verified that OMB, as an alternative to our recommendation, assigned responsibility to the Federal CIO Council for issuing guidance related to the implementation of the USGCB.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should clarify OMB policy regarding FDCC deviations to include: whether deviations can be permanent or should be mitigated in a timely manner; requirements for plans of actions and milestones for mitigating deviations, including resources necessary for doing so; guidance to use for assessing the risk of deviations across the agency; and how frequently and to whom deviations should be reported to assist in making decisions regarding future versions.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that the United States Government Configuration Baseline (USGCB) replaced the FDCC and now provides the baseline settings that Federal agencies are required to implement for security and environmental reasons. We also verified that OMB, as an alternative to our recommendation, informed agencies of the various approaches for testing the settings and implementing the initiative in phases, which may aid successful implementation through the USGCB technical Web site and the documentation found there.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should inform agencies of the various approaches for testing the settings and implementing the initiative in phases, which may aid successful implementation.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  4. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that OMB, in response to our recommendation for applying lessons learned during implementation, institutionalized the process for developing baselines in the Federal government by developing and implementing a cooperative, sustainable process so that, through the Federal CIO Council, agencies determine their baselines, requirements, testing, and deadlines.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should assess the efficacy of, and take steps to apply as appropriate, other lessons learned during the initial implementation of this initiative such as the need for (1) additional collaboration efforts, (2) independent testing, and (3) advance notice of requirements, to assist agencies in implementing this initiative.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  5. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that OMB, in response to our recommendation, reported that National Institute of Standards and Technology Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP), provides guidance on using SCAP tools to include information on the frequency and scope with which agencies should perform monitoring.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should provide guidance on using Security Content Automation Protocol (SCAP) tools to include information on the frequency and scope with which agencies should perform monitoring.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  6. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that OMB, in coordination with Department of Homeland Security, released updated performance measures for USGCB, formerly FDCC. OMB and DHS released performance measures and the associated guidance which aid agencies in reporting the benefits of USGCB.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should develop performance measures and provide guidance to agencies for reporting the benefits of FDCC.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  7. Status: Closed - Not Implemented

    Comments: USDA has not fully implemented FDCC/USGCB settings as of 2013. USDA expects to improve implementation percentages by the end of 2014 and to report deviations and compensating controls in operating environments where full implementation is not feasible.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Agriculture should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Agriculture

  8. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that USDA, in response to our recommendation, documented deviations to FDCC and had them approved by a designated accrediting authority.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Agriculture should document deviations to FDCC and have them approved by a designated accrediting authority.

    Agency Affected: Department of Agriculture

  9. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that USDA, in response to our recommendation, developed, documented, and implemented a policy to approve deviations by a designated accrediting authority.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Agriculture should develop, document, and implement a policy to approve deviations by a designated accrediting authority.

    Agency Affected: Department of Agriculture

  10. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that Commerce, in response to our recommendation, has issued guidance requiring all components to implement a NIST-validated security content automation protocol (SCAP) tool to monitor compliance with FDCC/USGCB settings. In addition, we verified that Commerce has ensured that all operating units are using a NIST-validated SCAP tool to monitor these settings.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Commerce should ensure all components have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Department of Commerce

  11. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that Commerce, in response to our recommendation, developed, documented and implemented a policy requiring the use of NIST-validated SCAP tools to monitor compliance with FDCC.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Commerce should ensure all components develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Commerce

  12. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that Commerce, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Commerce should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Commerce

  13. Status: Closed - Not Implemented

    Comments: According to the agency's inspector general FISMA report for fiscal year 2013, for Windows-based components, USGCB secure configuration settings are not fully implemented, and any deviations from USGCB baseline settings are not fully documented. Additionally, the inspector general reported that they did not identify any comprehensive audit reports in the Federal audit community that addressed the implementation of USGCB secure configuration settings.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Defense should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Defense

  14. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that DOD, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Defense should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Defense

  15. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that Energy, in response to our recommendation, completed implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Energy

  16. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that the Department of Energy, in response to our recommendation, ensured that all components that are required to implement FDCC have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should ensure all components that are required to implement FDCC have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Department of Energy

  17. Status: Closed - Implemented

    Comments: In fiscal year 2013, we verified that the Department of Energy, in response to our recommendation, ensured all components that are required to implement FDCC developed, documented, and implemented a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should ensure all components that are required to implement FDCC develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Energy

  18. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that DOE, in response to our recommendation, ensured that language is included in contracts of those components that are required to implement FDCC to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should ensure that language is included in contracts of those components that are required to implement FDCC to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Energy

  19. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Environmental Protection Agency, in response to our recommendation, completed implementation of the agency's FDCC baseline.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Environmental Protection Agency should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Environmental Protection Agency

  20. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that the Environmental Protection Agency, in response to our recommendation, developed, documented, and implemented a policy to approve deviations to FDCC by a designated accrediting authority.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Environmental Protection Agency should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Environmental Protection Agency

  21. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that the General Services Administration, in response to our recommendation, completed implementation of the agency's FDCC baseline.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the General Services Administration should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: General Services Administration

  22. Status: Closed - Not Implemented

    Comments: According to the agency's inspector general FISMA report for fiscal year 2013, for Windows-based components, USGCB secure configuration settings are not fully implemented, and any deviations from USGCB baseline settings are not fully documented.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Health and Human Services should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Health and Human Services

  23. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that HHS, in response to our recommendation, developed, documented, and implemented a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Health and Human Services should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Health and Human Services

  24. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that HHS, in response to our recommendation, developed the Standard for Security Configurations Language for HHS Contracts and implemented Federal Acquisition Regulation language regarding Common Security Configuration and HHS information security requirements. In addition, the department released Security and Privacy Considerations to Guide IT Procurements in May 2012.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Health and Human Services should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Health and Human Services

  25. Status: Closed - Implemented

    Comments: In fiscal year 2013, GAO verified that the Department of Homeland Security, in response to GAO's recommendation, has fully implemented secure configuration settings that meet Federal Desktop Core Configuration/U.S. Government Configuration Baseline (USGCB) requirements on applicable workstations in all but one of its components. The remaining component is applying USGCB settings and is scheduled to be 85 to 90 percent compliant by January 2014.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Homeland Security

  26. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Department of Homeland Security, in response to our recommendation, developed, documented, and implemented a policy to approve deviations to FDCC by a designated accrediting authority.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Department of Homeland Security

  27. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that the Department of Homeland Security, in response to our recommendation, developed, documented and implemented a policy to monitor FDCC using a NIST-validated SCAP tool.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Homeland Security

  28. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Department of Homeland Security, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Homeland Security

  29. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that HUD, in response to our recommendation, acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Department of Housing and Urban Development

  30. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that HUD, in response to our recommendation, developed, documented, and implemented a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Housing and Urban Development

  31. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that HUD, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Housing and Urban Development

  32. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that the Department of Interior, in response to our recommendation, implemented 73% of the recommended settings for the Federal Desktop Core Configuration Baseline.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of the Interior should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of the Interior

  33. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Department of Interior, in response to our recommendation, ensured all Components implemented the department's existing policy to document deviations to FDCC and have those deviations approved by a designated accrediting authority.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of the Interior should ensure all components implement the department's existing policy to document deviations to FDCC and have those deviations approved by a designated accrediting authority.

    Agency Affected: Department of the Interior

  34. Status: Closed - Not Implemented

    Comments: The Department of Interior effort to ensure all components implement the department's existing policy to acquire and deploy a NIST-validated SCAP tool and monitor compliance with FDCC is delayed due to lack of funding. Current target date of completion is 12-31-2014.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of the Interior should ensure all components implement the department's existing policy to acquire and deploy a NIST-validated SCAP tool and monitor compliance with FDCC.

    Agency Affected: Department of the Interior

  35. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that Justice, in response to our recommendation, implemented 74% of the recommended settings for the Federal Desktop Core Configuration Baseline.

    Recommendation: To improve the department's implementation of FDCC, the Attorney General should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Justice

  36. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that Justice, in response to our recommendation, developed, documented, and implemented a policy to approve deviations to FDCC by a designated accrediting authority.

    Recommendation: To improve the department's implementation of FDCC, the Attorney General should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Department of Justice

  37. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that Justice, in response to our recommendation, completed deployment of a NIST-validated SCAP tool to monitor FDCC compliance.

    Recommendation: To improve the department's implementation of FDCC, the Attorney General should complete deployment of a NIST-validated SCAP tool to monitor FDCC compliance.

    Agency Affected: Department of Justice

  38. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that Justice, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the department's implementation of FDCC, the Attorney General should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Justice

  39. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Department of Labor, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Labor should complete efforts to ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Labor

  40. Status: Closed - Not Implemented

    Comments: According to the agency's inspector general FISMA report for fiscal year 2013, for Windows-based components, USGCB secure configuration settings are not fully implemented, and any deviations from USGCB baseline settings are not fully documented.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the National Aeronautics and Space Administration should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: National Aeronautics and Space Administration

  41. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that the National Science Foundation, in response to our recommendation, completed deployment of a NIST-validated SCAP tool to monitor FDCC compliance.

    Recommendation: To improve the agency's implementation of FDCC, the Director of the National Science Foundation should complete deployment of a NIST-validated SCAP tool to monitor FDCC compliance.

    Agency Affected: National Science Foundation

  42. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Nuclear Regulatory Commission, in response to our recommendation, developed, documented, and implemented a policy to approve deviations to FDCC by a designated accrediting authority.

    Recommendation: To improve the agency's implementation of FDCC, the Chairman of the Nuclear Regulatory Commission should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Nuclear Regulatory Commission

  43. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Nuclear Regulatory Commission, in response to our recommendation, ensured that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the agency's implementation of FDCC, the Chairman of the Nuclear Regulatory Commission should ensure that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Nuclear Regulatory Commission

  44. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that the Office of Personnel Management, in response to our recommendation, completed implementation of the agency's FDCC baseline.

    Recommendation: To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Office of Personnel Management

  45. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Office of Personnel Management, in response to our recommendation, documented deviations to FDCC and had them approved by a designated accrediting authority.

    Recommendation: To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should document deviations to FDCC and have them approved by a designated accrediting authority.

    Agency Affected: Office of Personnel Management

  46. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Office of Personnel Management, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Office of Personnel Management

  47. Status: Closed - Not Implemented

    Comments: The Small Business Administration is continuing efforts to update SBA SOP 90 47 3 to include the FDCC requirement but has not yet fully implemented our recommendation.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Small Business Administration should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Small Business Administration

  48. Status: Closed - Not Implemented

    Comments: The Small Business Administration is working with its procurement office to include the required language in new acquisitions but has not fully implemented our recommendation.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Small Business Administration should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Small Business Administration

  49. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Social Security Administration, in response to our recommendation, developed, documented, and implemented a policy to approve deviations to FDCC by a designated accrediting authority.

    Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Social Security Administration

  50. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Social Security Administration, in response to our recommendation, completed deployment of its NIST-validated SCAP tool to monitor compliance with FDCC.

    Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Social Security Administration

  51. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Social Security Administration, in response to our recommendation, developed, documented, and implemented a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Social Security Administration

  52. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that the Social Security Administration, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Social Security Administration

  53. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that the Department of Transportation, in response to our recommendation, completed deployment of a NIST-validated SCAP tool to monitor compliance with FDCC.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Transportation should complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Department of Transportation

  54. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that the Department of Transportation, in response to GAO's recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Transportation should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Transportation

  55. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Department of the Treasury, in response to our recommendation, completed implementation of the agency's FDCC baseline.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of the Treasury should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of the Treasury

  56. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the Department of the Treasury, in response to our recommendation, ensured that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of the Treasury should ensure that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of the Treasury

  57. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that the U.S. Agency for International Development, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the U.S. Agency for International Development should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of State: Agency for International Development

  58. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that VA, in response to our recommendation, has substantially implemented FDCC settings or, as appropriate, U.S. Government Configuration Baseline (USGCB) settings. USGCB is the initiative that replaced FDCC.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Veterans Affairs

  59. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that Veterans Affairs, in response to our recommendation, acquired and deployed a NIST-validated SCAP tool to monitor VA's compliance with FDCC configurations.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Department of Veterans Affairs

  60. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that Veterans Affairs, in response to our recommendation, developed, documented, and implemented a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Veterans Affairs

  61. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that Veterans Affairs, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Veterans Affairs

  62. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that the Department of Energy, in response to our recommendation, has documented deviations to FDCC settings and has ensured that these deviations were approved by a designated approving authority.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should document deviations to FDCC and have them approved by a designated accrediting authority.

    Agency Affected: Department of Energy

 
