Information Security:

Agencies Need to Implement Federal Desktop Core Configuration Requirements

GAO-10-202: Published: Mar 12, 2010. Publicly Released: Apr 12, 2010.

Contact:

Gregory C. Wilshusen
(202) 512-3000
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The increase in security incidents and continuing weakness in security controls on information technology systems at federal agencies highlight the continuing need for improved information security. To standardize and strengthen agencies' security, the Office of Management and Budget (OMB), in collaboration with the National Institute of Standards and Technology (NIST), launched the Federal Desktop Core Configuration (FDCC) initiative in 2007. GAO was asked to (1) identify the goals, objectives, and requirements of the initiative; (2) determine the status of actions federal agencies have taken, or plan to take, to implement the initiative; and (3) identify the benefits, challenges, and lessons learned in implementing this initiative. To accomplish this, GAO reviewed policies, plans, and other documents at the 24 major executive branch agencies; reviewed OMB and NIST guidance and documentation; and interviewed officials.

The goals of FDCC are to improve information security and reduce overall information technology operating costs across the federal government by, among other things, providing a baseline level of security through the implementation of a set of standard configuration settings on government-owned desktop and laptop computers (i.e., workstations). To carry out the initiative, OMB required that executive branch agencies take several actions, including: (1) submit an implementation plan to OMB; (2) apply all configuration settings to all applicable workstations by February 2008; (3) document any deviations from the prescribed settings and have them approved by an accrediting authority; (4) acquire a specified NIST-validated tool for monitoring implementation of the settings; (5) ensure that future information technology acquisitions comply with the configuration settings; and (6) submit a status report to NIST. While agencies have taken actions to implement these requirements, none of the agencies has fully implemented all configuration settings on their applicable workstations. Specifically, most plans submitted to OMB did not address all key implementation activities; none of the agencies implemented all of the prescribed configuration settings on all applicable workstations, though several implemented agency-defined subsets of the settings; several agencies did not fully document their deviations from the settings or establish a process for approving them; six agencies did not acquire and make use of the required tool for monitoring FDCC compliance; many agencies did not incorporate language into contracts to ensure that future information technology acquisitions comply with FDCC; and many agencies did not describe plans for eliminating or mitigating their deviations in their compliance reports to NIST. Until agencies ensure that they are meeting these FDCC requirements, the effectiveness of the initiative will be limited.

FDCC has the potential to increase agencies' information security by requiring stricter security settings on workstations than those that may have been previously in place and by standardizing agencies' management of workstations, making it easier to manage changes such as applying updates or patches. In addition, a number of lessons can be learned from the management and implementation of the FDCC initiative which, if considered, could improve the implementation of future versions of FDCC or other configuration efforts. At the same time, agencies face several ongoing challenges in fully complying with FDCC requirements, including retrofitting applications and systems in their existing environments to comply with the settings, assessing the risks associated with deviations, and monitoring workstations to ensure that the settings are applied and functioning properly. As OMB moves forward with the initiative, understanding the lessons learned as well as the ongoing challenges agencies face will be essential to the initiative's success in ensuring public confidence in the confidentiality, integrity, and availability of government information.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

Recommendations for Executive Action

Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should ensure all components that are required to implement FDCC have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.

Agency Affected: Department of Energy

Status:

Comments: Please contact the Director listed above for details on this recommendation.

Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should ensure all components that are required to implement FDCC develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

Agency Affected: Department of Energy

Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should ensure that language is included in contracts of those components that are required to implement FDCC to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of Energy

Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Environmental Protection Agency should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Environmental Protection Agency

Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Environmental Protection Agency should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

Agency Affected: Environmental Protection Agency

Recommendation: To improve the agency's implementation of FDCC, the Administrator of the General Services Administration should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: General Services Administration

Recommendation: To improve the department's implementation of FDCC, the Secretary of Health and Human Services should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Department of Health and Human Services

Recommendation: To improve the department's implementation of FDCC, the Secretary of Health and Human Services should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

Agency Affected: Department of Health and Human Services

Recommendation: To improve the department's implementation of FDCC, the Secretary of Health and Human Services should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of Health and Human Services

Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Department of Homeland Security

Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

Agency Affected: Department of Homeland Security

Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

Agency Affected: Department of Homeland Security

Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of Homeland Security

Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Department of Energy

Recommendation: To improve the department's implementation of FDCC, the Secretary of Defense should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of Defense

Recommendation: To improve the department's implementation of FDCC, the Secretary of Defense should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Department of Defense

Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should, when announcing new FDCC versions, such as Windows 7, and changes to existing versions, include clear, realistic, and effectively communicated deadlines for completing implementation.

Agency Affected: Executive Office of the President: Office of Management and Budget

Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should clarify OMB policy regarding FDCC deviations to include: whether deviations can be permanent or should be mitigated in a timely manner; requirements for plans of actions and milestones for mitigating deviations, including resources necessary for doing so; guidance to use for assessing the risk of deviations across the agency; and how frequently and to whom deviations should be reported to assist in making decisions regarding future versions.

Agency Affected: Executive Office of the President: Office of Management and Budget

Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should inform agencies of the various approaches for testing the settings and implementing the initiative in phases, which may aid successful implementation.

Agency Affected: Executive Office of the President: Office of Management and Budget

Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should assess the efficacy of, and take steps to apply as appropriate, other lessons learned during the initial implementation of this initiative such as the need for (1) additional collaboration efforts, (2) independent testing, and (3) advance notice of requirements, to assist agencies in implementing this initiative.

Agency Affected: Executive Office of the President: Office of Management and Budget

Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should provide guidance on using Security Content Automation Protocol (SCAP) tools to include information on the frequency and scope with which agencies should perform monitoring.

Agency Affected: Executive Office of the President: Office of Management and Budget

Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should develop performance measures and provide guidance to agencies for reporting the benefits of FDCC.

Agency Affected: Executive Office of the President: Office of Management and Budget

Recommendation: To improve the department's implementation of FDCC, the Secretary of Agriculture should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Department of Agriculture

Recommendation: To improve the department's implementation of FDCC, the Secretary of Agriculture should document deviations to FDCC and have them approved by a designated accrediting authority.

Agency Affected: Department of Agriculture

Recommendation: To improve the department's implementation of FDCC, the Secretary of Agriculture should develop, document, and implement a policy to approve deviations by a designated accrediting authority.

Agency Affected: Department of Agriculture

Recommendation: To improve the department's implementation of FDCC, the Secretary of Commerce should ensure all components have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.

Agency Affected: Department of Commerce

Recommendation: To improve the department's implementation of FDCC, the Secretary of Commerce should ensure all components develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

Agency Affected: Department of Commerce

Recommendation: To improve the department's implementation of FDCC, the Secretary of Commerce should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of Commerce

Recommendation: To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC.

Agency Affected: Department of Housing and Urban Development

Recommendation: To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

Agency Affected: Department of Housing and Urban Development

Recommendation: To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of Housing and Urban Development

Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Small Business Administration should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Small Business Administration

Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

Agency Affected: Social Security Administration

Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC.

Agency Affected: Social Security Administration

Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

Agency Affected: Social Security Administration

Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Social Security Administration

Recommendation: To improve the department's implementation of FDCC, the Secretary of Transportation should complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC.

Agency Affected: Department of Transportation

Recommendation: To improve the department's implementation of FDCC, the Secretary of Transportation should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of Transportation

Recommendation: To improve the department's implementation of FDCC, the Secretary of the Treasury should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Department of the Treasury

Recommendation: To improve the department's implementation of FDCC, the Secretary of the Treasury should ensure that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of the Treasury

Recommendation: To improve the agency's implementation of FDCC, the Administrator of the U.S. Agency for International Development should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of State: Agency for International Development

Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Department of Veterans Affairs

Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC.

Agency Affected: Department of Veterans Affairs

Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

Agency Affected: Department of Veterans Affairs

Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Small Business Administration should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

Agency Affected: Small Business Administration

Recommendation: To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Office of Personnel Management

Recommendation: To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should document deviations to FDCC and have them approved by a designated accrediting authority.

Agency Affected: Office of Personnel Management

Recommendation: To improve the department's implementation of FDCC, the Secretary of the Interior should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Department of the Interior

Recommendation: To improve the department's implementation of FDCC, the Secretary of the Interior should ensure all components implement the department's existing policy to document deviations to FDCC and have those deviations approved by a designated accrediting authority.

Agency Affected: Department of the Interior

Recommendation: To improve the department's implementation of FDCC, the Secretary of the Interior should ensure all components implement the department's existing policy to acquire and deploy a NIST-validated SCAP tool and monitor compliance with FDCC.

Agency Affected: Department of the Interior

Recommendation: To improve the department's implementation of FDCC, the Attorney General should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Department of Justice

Recommendation: To improve the department's implementation of FDCC, the Attorney General should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

Agency Affected: Department of Justice

Recommendation: To improve the department's implementation of FDCC, the Attorney General should complete deployment of a NIST-validated SCAP tool to monitor FDCC compliance.

Agency Affected: Department of Justice

Recommendation: To improve the department's implementation of FDCC, the Attorney General should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of Justice

Recommendation: To improve the department's implementation of FDCC, the Secretary of Labor should complete efforts to ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of Labor

Recommendation: To improve the agency's implementation of FDCC, the Administrator of the National Aeronautics and Space Administration should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: National Aeronautics and Space Administration

Recommendation: To improve the agency's implementation of FDCC, the Director of the National Science Foundation should complete deployment of a NIST-validated SCAP tool to monitor FDCC compliance.

Agency Affected: National Science Foundation

Recommendation: To improve the agency's implementation of FDCC, the Chairman of the Nuclear Regulatory Commission should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

Agency Affected: Nuclear Regulatory Commission

Recommendation: To improve the agency's implementation of FDCC, the Chairman of the Nuclear Regulatory Commission should ensure that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Nuclear Regulatory Commission

Recommendation: To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

Agency Affected: Office of Personnel Management

Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

Agency Affected: Department of Veterans Affairs
