Information Security
Agencies Need to Implement Federal Desktop Core Configuration Requirements
GAO ID: GAO-10-202, March 12, 2010
Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244
GAO-10-202, Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements
This is the accessible text file for GAO report number GAO-10-202
entitled 'Information Security: Agencies Need to Implement Federal
Desktop Core Configuration Requirements' which was released on April
12, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
March 2010:
Information Security:
Agencies Need to Implement Federal Desktop Core Configuration
Requirements:
GAO-10-202:
GAO Highlights:
Highlights of GAO-10-202, a report to congressional requesters.
Why GAO Did This Study:
The increase in security incidents and continuing weakness in security
controls on information technology systems at federal agencies
highlight the continuing need for improved information security. To
standardize and strengthen agencies' security, the Office of
Management and Budget (OMB), in collaboration with the National
Institute of Standards and Technology (NIST), launched the Federal
Desktop Core Configuration (FDCC) initiative in 2007.
GAO was asked to (1) identify the goals, objectives, and requirements
of the initiative; (2) determine the status of actions federal
agencies have taken, or plan to take, to implement the initiative; and
(3) identify the benefits, challenges, and lessons learned in
implementing this initiative. To accomplish this, GAO reviewed
policies, plans, and other documents at the 24 major executive branch
agencies; reviewed OMB and NIST guidance and documentation; and
interviewed officials.
What GAO Found:
The goals of FDCC are to improve information security and reduce
overall information technology operating costs across the federal
government by, among other things, providing a baseline level of
security through the implementation of a set of standard configuration
settings on government-owned desktop and laptop computers (i.e.,
workstations). To carry out the initiative, OMB required that
executive branch agencies take several actions, including: (1) submit
an implementation plan to OMB; (2) apply all configuration settings to
all applicable workstations by February 2008; (3) document any
deviations from the prescribed settings and have them approved by an
accrediting authority; (4) acquire a specified NIST-validated tool for
monitoring implementation of the settings; (5) ensure that future
information technology acquisitions comply with the configuration
settings; and (6) submit a status report to NIST.
While agencies have taken actions to implement these requirements,
none of the agencies has fully implemented all configuration settings
on their applicable workstations. Specifically, most plans submitted
to OMB did not address all key implementation activities; none of the
agencies implemented all of the prescribed configuration settings on
all applicable workstations, though several implemented agency-defined
subsets of the settings; several agencies did not fully document their
deviations from the settings or establish a process for approving
them; six agencies did not acquire and make use of the required tool
for monitoring FDCC compliance; many agencies did not incorporate
language into contracts to ensure that future information technology
acquisitions comply with FDCC; and many agencies did not describe
plans for eliminating or mitigating their deviations in their
compliance reports to NIST. Until agencies ensure that they are
meeting these FDCC requirements, the effectiveness of the initiative
will be limited.
FDCC has the potential to increase agencies' information security by
requiring stricter security settings on workstations than those that
may have been previously in place and standardizing agencies'
management of workstations, making it easier to manage changes such as
applying updates or patches. In addition, a number of lessons can be
learned from the management and implementation of the FDCC initiative
which, if considered, could improve the implementation of future
versions of FDCC or other configuration efforts. At the same time,
agencies face several ongoing challenges in fully complying with FDCC
requirements, including retrofitting applications and systems in their
existing environments to comply with the settings, assessing the risks
associated with deviations, and monitoring workstations to ensure that
the settings are applied and functioning properly. As OMB moves
forward with the initiative, understanding the lessons learned as well
as the ongoing challenges agencies face will be essential in order to
ensure the initiative is successful in ensuring public confidence in
the confidentiality, integrity, and availability of government
information.
What GAO Recommends:
GAO recommends that OMB, among other things, issue guidance on
assessing the risks of deviations and monitoring compliance with FDCC.
GAO also recommends that 22 agencies take steps to fully implement
FDCC requirements. These agencies generally concurred with GAO's
recommendations.
To view the full product, including the scope and methodology, click
on [hyperlink, http://www.gao.gov/products/GAO-10-202]. For more
information, contact Gregory C. Wilshusen at (202) 512-6244 or
wilshuseng@gao.gov.
[End of section]
Contents:
Letter:
Background:
FDCC Aims to Improve Agencies' Information Security and Reduce IT
Operating Costs:
Agencies Have Not Fully Implemented FDCC Settings, but Most Have
Complied with Other Requirements:
Implementing FDCC Resulted in Benefits and Lessons Learned, but
Agencies Continue to Face Challenges in Meeting Requirements:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Percentage of Agency Workstations with FDCC Settings
Implemented as of September 2009:
Appendix III: Recommendations to Departments and Agencies:
Appendix IV: Comments from the U.S. Department of Agriculture:
Appendix V: Comments from the Department of Commerce:
Appendix VI: Comments from the Department of Defense:
Appendix VII: Comments from the General Services Administration:
Appendix VIII: Comments from the Department of Homeland Security:
Appendix IX: Comments from the Department of Housing and Urban
Development:
Appendix X: Comments from the Department of the Interior:
Appendix XI: Comments from the Department of Labor:
Appendix XII: Comments from the National Aeronautics and Space
Administration:
Appendix XIII: Comments from the Office of Personnel Management:
Appendix XIV: Comments from the Social Security Administration:
Appendix XV: Comments from the Department of the Treasury:
Appendix XVI: Comments from the U.S. Agency for International
Development:
Appendix XVII: Comments from the Department of Veterans Affairs:
Appendix XVIII: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Number of Agency FDCC Implementation Plans That Addressed
Required Actions:
Table 2: Range of the Number of Less-Stringent Deviations with the
Corresponding Number of Agencies:
Table 3: Ten Most Common Less-Stringent FDCC Deviations at Federal
Agencies:
Table 4: Status of Agency Compliance with Deviation Guidance:
Table 5: Status of Agency Acquisition and Use of a NIST-validated SCAP
Tool:
Table 6: Agency Incorporation of Language into Contracts:
Table 7: Agency-Reported Percentages of Workstations with FDCC
Settings Implemented as of September 2009:
Figure:
Figure 1: Agency-Reported Implementation of FDCC Baseline as of
September 2009:
Abbreviations:
FDCC: Federal Desktop Core Configuration:
FISMA: Federal Information Security Management Act of 2002:
IT: information technology:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
SCAP: Security Content Automation Protocol:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
March 12, 2010:
The Honorable Joseph I. Lieberman:
Chairman:
The Honorable Susan M. Collins:
Ranking Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Thomas R. Carper:
Chairman:
Subcommittee on Federal Financial Management, Government Information,
Federal Services, and International Security:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The frequency of information security incidents at federal agencies,
the wide availability of hacking tools, and steady advances in the
sophistication and effectiveness of attack technology all contribute
to the urgency of protecting the federal government's information and
systems. In addition to these threats, we have consistently identified
significant weaknesses in the security controls on federal systems,
including desktops and laptops (i.e., workstations) that have impacted
the confidentiality, integrity, and availability of government
information. Due to the persistent nature of these vulnerabilities and
associated risks, we have designated information security as a
governmentwide high-risk issue since 1997 in our biennial reports to
Congress.[Footnote 1]
In an attempt to standardize and thereby strengthen information
security, the Office of Management and Budget (OMB) launched the
Federal Desktop Core Configuration (FDCC) initiative in March 2007.
The initiative mandated that federal agencies implement standardized
configuration settings on workstations with Windows XP or Vista
operating systems.
In view of the importance of FDCC in improving the ability of the
federal government to safeguard its systems and protect sensitive
information, you asked us to (1) identify the goals, objectives, and
requirements for the initiative; (2) determine the status of actions
federal agencies have taken, or plan to take, to implement the
initiative; and (3) identify the benefits, challenges, and lessons
learned in implementing this initiative.
We conducted our review at each of the 24 major federal
agencies[Footnote 2] covered by the Chief Financial Officers Act,
[Footnote 3] where we obtained and analyzed policies, plans, status
reports, and agency descriptions of challenges relative to the
requirements of the initiative. We also developed a data collection
instrument to gather information on the status of FDCC implementation
at the 24 agencies as of September 2009. We compared agency
documentation and descriptions of challenges with OMB program
requirements and relevant National Institute of Standards and
Technology (NIST) guidance, which we confirmed through interviews with
OMB and NIST officials. We also met with staff from all 24 Offices of
the Inspector General regarding their audit work performed relative to
the initiative to obtain information on their audit methodology,
findings, and related documentation. Based on our review of the
adequacy of work performed, we have sufficient assurance to rely on
work completed by the inspectors general in the context of our audit
objective related to whether the agency had documented deviations and
had incorporated language related to use of FDCC settings into its
contracts.
We conducted this performance audit from December 2008 to March 2010
in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives. Further
details of our objectives, scope, and methodology are included in
appendix I.
Background:
Cyber-based threats to federal systems and critical infrastructure are
evolving and growing. These threats can be intentional or
unintentional, targeted or non-targeted, and can come from a variety
of sources, including criminals, terrorists, and other adversarial
groups, as well as hackers and disgruntled employees. These potential
attackers have a variety of techniques at their disposal, which can
vastly enhance the reach and impact of their actions. For example,
cyber attackers do not need to be physically close to their targets,
their attacks can cross state and national borders, and they can
preserve their anonymity. Further, the growing interconnectivity among
different types of information systems presents increasing
opportunities for such attacks. Reports of security incidents from
federal agencies are on the rise, increasing by more than 200 percent
from fiscal year 2006 to fiscal year 2008.[Footnote 4]
In February 2009, the Director of National Intelligence testified that
foreign nations and criminals had targeted government and private
sector networks to potentially disrupt or destroy them, and that
terrorist groups had expressed a desire to use cyber attacks as a
means to target the United States.[Footnote 5] As recently as July
2009, media accounts reported that a widespread and coordinated attack
over the course of several days targeted Web sites operated by major
government agencies, including the Departments of Homeland Security
and Defense, the Federal Aviation Administration, and the Federal
Trade Commission, causing disruptions to the public availability of
government information. Such attacks highlight the importance of
developing a concerted response to safeguard federal information
systems.
Previously Reported Weaknesses in Agency Information Security Controls:
Compounding the growing number and kinds of threats, we--along with
agencies and their inspectors general--have identified significant
weaknesses in the security controls on federal information
systems,[Footnote 6] which have resulted in pervasive vulnerabilities.
These include deficiencies in the security of financial systems and
information and vulnerabilities in other critical federal information
systems and networks. These weaknesses exist in all major categories
of information security controls at federal agencies; for example, in
fiscal year 2008, weaknesses were reported in such controls at 23 of
the 24 major agencies. Specifically, agencies did not consistently
authenticate users to prevent unauthorized access to systems; apply
encryption to protect sensitive data; and log, audit, and monitor
security-relevant events, among other actions.
Our recent work focusing on specific agencies has also revealed
security weaknesses, as illustrated by the following examples:
* In 2009, we reported that three National Aeronautics and Space
Administration centers had not, among other things, sufficiently
restricted system access and privileges to only those users that
needed access to perform their assigned duties, appropriately
implemented encryption to safeguard sensitive information, and
expeditiously applied a critical operating system patch or patches for
a number of general third-party applications.[Footnote 7] At the same
time, the agency experienced numerous cyber attacks and malicious
software infections, thereby exposing critical and sensitive data to
unauthorized access, disclosure, and manipulation. We recommended that
the agency take steps to mitigate these weaknesses and fully implement
a comprehensive information security program.
* In the same year, we reported that the Financial Crimes Enforcement
Network, a bureau within the Department of the Treasury, had not
consistently implemented effective password controls or effectively
controlled user identification and authentication.[Footnote 8] As a
result, there was increased risk that malicious individuals could gain
inappropriate access to sensitive systems and data. We recommended
that the agency take steps to fully implement an agencywide security
program.
* In 2008, we reported that although the Department of Energy's Los
Alamos National Laboratory--one of the nation's weapons laboratories--
had implemented measures to enhance the information security of its
unclassified network, there were still vulnerabilities in monitoring
and auditing compliance with security policies and controlling and
documenting changes to a computer system's hardware and software.
[Footnote 9]
* Finally, we reported in 2007 that the Department of Homeland
Security had significant weaknesses in computer security controls
intended to protect the information systems used to support its U.S.
Visitor and Immigration Status Indicator Technology program for border
security.[Footnote 10] For example, the department had not implemented
controls to effectively prevent, limit, and detect access to computer
networks, systems, and information. Specifically, it had not provided
adequate logging or user accountability for the mainframe,
workstations, or servers and had not consistently maintained secure
configurations on the application servers and workstations at a key
data center and points of entry.
In each of these cases, we made recommendations for strengthening or
fully implementing agencies' information security programs.
Federal Law Assigns Responsibility to OMB, NIST, and Agencies for
Information Security:
In addition to the responsibilities of individual agencies, OMB and
NIST play key roles in ensuring the security of federal systems and
information. Under the Federal Information Security Management Act of
2002 (FISMA),[Footnote 11] OMB is responsible for developing and
overseeing the implementation of policies, principles, standards, and
guidelines on information security, and reviewing agency information
security programs at least annually. In addition, the act requires
that OMB report to Congress no later than March 1 of each year on the
status of agency compliance with FISMA. The act, which sets forth a
comprehensive framework for ensuring the effectiveness of information
security controls over information resources that support federal
operations and assets, also assigned NIST responsibility for
developing standards and guidelines (for systems other than national
security systems) that include minimum information security
requirements. FISMA also assigns specific responsibilities to agencies
to document and implement agencywide security programs and report on
their security policies, procedures, and practices. For example,
agencies are responsible for developing and complying with minimally
acceptable system configuration requirements. Finally, FISMA requires
agency inspectors general to annually evaluate agency information
security activities.
OMB Initiated FDCC and Provided Guidance for Agency Implementation:
To help carry out its responsibilities for ensuring federal
information security, OMB launched the FDCC initiative in March 2007.
This initiative required federal agencies to implement common security
configurations on Windows XP and Vista operating systems[Footnote 12]
by February 2008.[Footnote 13] Subsequently, OMB issued several other
memorandums detailing additional requirements and guidance to agencies
on completing implementation of the initiative. OMB also has
responsibility for approving any changes to the settings or setting
parameters.
At the request of OMB, NIST published the first beta version of the
FDCC configuration settings in July 2007 for federal workstations that
use Windows XP or Windows Vista as their operating system. FDCC was
based on settings developed by the Air Force in partnership with the
National Security Agency, Defense Information Systems Agency, NIST,
and representatives from the Army, Navy, and Marines. Over the course
of the next 11 months, NIST made several updates to the content and
posted the revised versions on its Web site. The first major version
of the configuration settings, version 1.0, was posted on NIST's Web
site in June 2008 after a period of public comment. Based on
implementation information reported by the agencies to NIST in March
2008, agency feedback on settings that were problematic to implement,
and comments from the federal community, OMB had NIST remove 40
settings from the original beta version for version 1.0.
In addition to publishing the FDCC settings, NIST also has
responsibility for:
* Developing resources, in collaboration with Microsoft, to aid
agencies in deploying and testing the security configuration settings
within their computing environments. These include group policy
objects,[Footnote 14] which allow agencies to deploy the settings to
desktop and laptop computers agencywide, and virtual hard-disk files,
[Footnote 15] which allow agencies to test the settings in a non-
operational environment. These files were first made available for
agencies to download from NIST's Web site starting in July 2007 and
were later updated with the release of major version 1.0.
* Establishing the Security Content Automation Protocol (SCAP),
[Footnote 16] which can be used to support the automated checking,
measuring, and monitoring of the FDCC settings for compliance. Product
vendors can create a tool (i.e., application) that uses SCAP for these
activities.
* Validating SCAP tools to ensure that a tool uses the features and
functionality available through SCAP. In order for a tool to receive
validation, a vendor must first have the tool tested by 1 of 10
independent testing laboratories accredited under NIST's National
Voluntary Laboratory Accreditation Program.[Footnote 17] The testing
results are then sent by the laboratory to NIST for review. If the
tool passes, NIST will validate the SCAP tool, which is valid for 1
calendar year.
* Making technical changes to the SCAP that support the FDCC settings,
such as when new specifications are added, existing specifications are
updated, or when a more efficient method is found to test a particular
setting. NIST has released two additional major versions to make
technical modifications to the SCAP: version 1.1 in October 2008 and
version 1.2 in April 2009. NIST also publishes patch content updates
based on Microsoft's patch releases.
* Posting frequently asked questions on its Web site on behalf of OMB
to answer agencies' questions about testing, deployment, reporting
deviations, and use of SCAP tools for evaluation of compliance. The
questions have also provided clarification of the settings
requirements and their applicability to different types of computers,
including contractor-owned or operated machines. These questions are
revised on a periodic basis as needed and as determined by NIST.
FDCC Aims to Improve Agencies' Information Security and Reduce IT
Operating Costs:
In its March 2007 directives to agencies to implement FDCC, OMB
established two goals for the initiative: improve information security
and reduce overall information technology (IT) operating costs for
agencies that use or plan to use Windows XP or Vista operating systems
on their workstations.[Footnote 18] By implementing the initiative,
OMB intended that agencies should be able to achieve the following
objectives:
* Provide a baseline level of security through the use of standardized
configuration settings that limit access privileges granted to users
and other access controls, thereby controlling what a user may or may
not do on his or her workstation. The settings create a baseline from
which agencies may increase the level of security by making the
settings more restrictive or by employing firewalls and intrusion
detection systems along with other security devices and practices.
* Reduce risk from security threats and vulnerabilities by employing
the use of standards that are more restrictive than the default
settings of the manufacturer. For example, the required settings do
not allow the installation of unauthorized software, which lowers the
risk of introducing a virus or other malicious device along with the
software.
* Save time and resources by requiring all FDCC workstations within an
agency to use the same settings. This standardization also allows an
agency's IT department to be more efficient in repairing computer
problems.
* Improve system performance by restricting the access privileges of
administrators and users to only those necessary to perform their
duties. This helps to limit downloading of unapproved software and
information that could tie up system and help desk resources.
* Decrease operating costs by using standard configuration settings
that allow IT personnel to solve a workstation problem once and then
replicate that solution for every workstation in the agency, saving
labor and time.
* Ensure public confidence in the confidentiality, integrity, and
availability of government information by standardizing strong
security settings across all federal agencies. This will help to
protect federal systems from cyber attacks and may help to ensure the
public's confidence that their personal information will not be
compromised.
OMB Established Requirements for Agency Implementation of FDCC:
In its initial memorandums and subsequent guidance, OMB identified
several requirements with which agencies were directed to comply in
order to implement FDCC. The following are the key FDCC requirements:
* Submit a draft implementation plan to OMB by May 1, 2007.[Footnote
19] Agencies were required to submit an implementation plan to OMB
describing how they intended to (1) test configuration settings in a
non-production environment to identify any adverse effects on system
functionality; (2) implement the settings and automate monitoring and
use; (3) restrict administration of these settings to authorized
professionals; (4) ensure, by June 30, 2007, that new IT acquisitions
include the settings and require IT providers to certify that their
products operate effectively using the settings; (5) apply Microsoft
patches available from the Department of Homeland Security when
addressing new Windows XP or Vista vulnerabilities; (6) provide to
NIST documentation of any deviations[Footnote 20] from these settings
and the rationale for the deviations; and (7) ensure the settings are
incorporated into agency capital planning and investment control
processes.
* Adopt the Windows XP and Vista security configuration settings by
February 1, 2008.[Footnote 21] Agencies were required to implement the
FDCC configuration settings on all government-owned desktops and
laptops that use Windows XP or Vista operating systems and the
Internet Explorer 7 or Windows Firewall applications. This requirement
was later clarified to include desktops and laptops that are owned or
operated by a contractor on behalf of or for the federal government or
that are integrated into a federal system. The requirement excludes
servers, embedded computers, process control systems, specialized
scientific or experimental systems, and similar systems using these
operating systems.[Footnote 22]
FDCC major version 1.0 includes 674 configuration settings for Windows
XP and Windows Vista systems, when bundled with Internet Explorer 7
and Windows Firewall. Examples of these settings include the following:
- Specifies the number of minutes a locked-out account remains locked
out before it automatically unlocks.
- Specifies the minimum number of characters a password must have.
- Specifies whether or not the user is prompted for a password when
the system resumes from sleep mode.
- Requires the use of Federal Information Processing Standards-
compliant[Footnote 23] algorithms for encryption, hashing, and
signing.[Footnote 24]
- Shuts the system down immediately if it is unable to log security
audits.[Footnote 25]
- Creates a log entry when Windows Firewall with Advanced Security allows
an inbound connection. The log records why and when the connection was
established.
* Document deviations and have them approved by a designated
accrediting authority. Agencies were required to document deviations
initially as part of their draft implementation plan efforts.[Footnote
26] OMB later required agencies to report these deviations to NIST in
March 2008.[Footnote 27] OMB also later noted[Footnote 28] that
configuration setting deviations are to be approved by the department
or agency accrediting authority.[Footnote 29]
* Acquire a SCAP tool and use it to monitor FDCC. Agencies are
required to acquire a NIST-validated SCAP tool[Footnote 30] and to use
that tool when monitoring the settings.[Footnote 31]
* Ensure that new acquisitions include security configuration
settings. Agencies are required to ensure that new acquisitions
include FDCC settings and products of information technology providers
operate effectively using them.[Footnote 32]
* Submit FDCC compliance reports to NIST by March 31, 2008. Agencies
were required to submit a spreadsheet that summarized workstation
counts, setting deviations, and descriptions of plans of action and
milestones[Footnote 33] for the deviations, along with related reports
generated by a SCAP tool for each operational environment present
within the agency.[Footnote 34]
* Report on status of FDCC compliance in annual FISMA reporting.
Agencies were required to report the status of compliance with FDCC as
part of FISMA reporting for fiscal year 2008. This requirement
included reporting on whether the configuration settings had been
adopted and implemented, with deviations documented; whether language
relating to the use of FDCC settings had been included in contracts;
and whether all workstations had the security settings
implemented.[Footnote 35] Agency inspectors general were asked to
assess agencies' compliance with the reporting requirements. For
fiscal year 2009, agencies and agency inspectors general were required
to report the status of compliance with specific requirements
including whether deviations had been documented and language relating
to the use of FDCC settings had been included in all contracts.
[Footnote 36]
Agencies Have Not Fully Implemented FDCC Settings, but Most Have
Complied with Other Requirements:
None of the agencies has fully implemented all FDCC configuration
settings on all applicable workstations, although most have complied
with other requirements. Specifically, 11 agencies reported they had
completed implementation of an agency-approved subset of the FDCC
settings and do not plan to implement all the configuration settings,
while the remaining agencies reported they are still completing
implementation of the settings. However, most agencies have generally
complied with other initiative requirements. For instance, 19 agencies
have fully documented their deviations and 16 have established a
policy for having those deviations approved by a designated authority.
In addition, 15 agencies have acquired and deployed a NIST-validated
SCAP tool to monitor the compliance of their setting implementation.
Eight agencies have also incorporated language into their contracts to
ensure that new acquisitions comply with FDCC.
Most Agencies Submitted FDCC Implementation Plans to OMB, but Did Not
Address All Required Activities:
While agencies were required to submit a draft implementation plan to
OMB by May 1, 2007, fewer than half of the agencies developed plans
that addressed the seven actions necessary to fully implement the
initiative. Of the 24 agencies, 19 provided their plans to us, while 5
agencies either did not develop an implementation plan or were unable
to locate a copy of the plan.[Footnote 37] Of the 19 plans, 11
described how the agency intended to implement each of the seven
actions required by OMB. The remaining 8 plans either did not address
the actions or described only some of them. Table 1 shows how many
agencies addressed each of the required actions in their FDCC
implementation plans.
Table 1: Number of Agency FDCC Implementation Plans That Addressed
Required Actions:
Required action                                                  Plans that
                                                                 addressed it
1. Test configurations in a non-production environment to            16
   identify adverse effects on system functionality
2. Implement the configurations and automate monitoring and          16
   use
3. Restrict administration of these configurations to                15
   authorized professionals
4. Ensure by June 30, 2007, that new acquisitions include the        11
   configurations and require information technology providers
   to certify that their products operate effectively using the
   configurations
5. Apply Microsoft patches available from the Department of          12
   Homeland Security when addressing new Windows XP or Vista
   vulnerabilities
6. Provide NIST documentation of any deviations from these           15
   configurations and the rationale for the deviations
7. Ensure these configurations are incorporated into agency          12
   capital planning and investment control processes
Source: GAO analysis of agency FDCC implementation plans submitted to
OMB.
[End of table]
Officials from one of the agencies whose plan did not address the
required activities told us that OMB had provided feedback and
requested changes to the plan, but the remaining agencies indicated
that OMB had not provided feedback on the submitted plans and had not
requested any changes. OMB was unable to confirm whether the 24
agencies had submitted the implementation plans by the required
deadline because, officials stated, this information had been archived
with the previous administration. As discussed later in the section on
lessons learned, agencies experienced problems in implementing this
requirement due to unrealistic deadlines.
All Agencies Reported Implementing a Subset of FDCC Settings:
Though agencies were required to adopt and implement the FDCC settings
by February 1, 2008, as of September 2009, none of the 24 major
agencies reported that they had adopted and fully implemented the
complete set of prescribed settings on all applicable workstations.
Instead, all agencies planned to implement a subset of the FDCC
settings, which they referred to as their agency baseline; these
baselines included deviations from the approved parameters established
by FDCC, in some cases for up to one-fifth of the settings.[Footnote
38] As of September 2009, 11 agencies reported they had completed
implementation of their baselines on all applicable workstations, and
11 were still in the process of finishing implementation of their
baseline. The other 2 agencies were unable to provide sufficient data
to determine the status of implementation because they either lacked a
SCAP tool or had data reliability issues due to using multiple tools.
(See appendix II for more details on the status of each agency in
implementing the FDCC settings, as of September 2009.) For those
agencies that were still in the process of completing implementation
of their baseline, agency officials reported various milestones for
expected completion; however, some of those deadlines had not been
met, and other agency officials did not report a milestone for
completion. For example, a few agency officials indicated they would
complete implementation by September 2009; however, this deadline was
not met. Figure 1 summarizes the status of agency-reported
implementation of their FDCC baselines for applicable workstations
with Windows XP and Vista operating systems.
Figure 1: Agency-Reported Implementation of FDCC Baseline as of
September 2009:
[Refer to PDF for image: vertical bar graph; the plotted values are
the number of agencies in each range]
Percentage of workstations    XP    Vista
0–24%                          2        1
25–49%                         2        1
50–74%                         1        2
75–100%                       17        9
Source: GAO analysis of data reported by agencies in GAO data
collection instrument.
[End of figure]
Agency officials told us that several factors had influenced their
decision to establish deviations, whether less or more stringent, from
the settings. These factors included cases where FDCC settings:
* had an adverse impact on applications, production, or legacy systems;
* conflicted with agency policy;
* prohibited agency administrators from completing tasks; and
* impaired the capability to provide customer support or remote
assistance.
In establishing their baselines, agencies allowed a range of
deviations, some with parameters that were less stringent (e.g., less
secure) than the approved parameters, while others were more
stringent. Of the 24 agencies, 23 provided us a list of their
deviations and 1 agency indicated it had not developed a list. Each of
the 23 lists identified deviations that were less stringent than the
FDCC settings. Specifically, 15 agencies had 10 or more less-stringent
deviations, and 6 agencies had 40 or more less-stringent deviations,
which is 6 percent of the 674 total number of FDCC settings. Table 2
shows the range of the number of less-stringent deviations and the
corresponding number of agencies.
Table 2: Range of the Number of Less-Stringent Deviations with the
Corresponding Number of Agencies:
Range of less-stringent deviations    Number of agencies
1-9                                   8
10-19                                 4
20-39                                 5
40-75                                 3
76-130                                3
Source: GAO analysis of agency reported data.
[End of table]
Our analysis identified the ten most common less-stringent deviations
across the federal government. For example, 21 of the 23 agencies that
provided deviation lists had a deviation for the use of encryption
algorithms[Footnote 39] that are compliant with Federal Information
Processing Standards, and 17 agencies had a deviation for the setting
regarding digital signatures of client communications. Table 3 shows
the 10 most common less-stringent deviations and the number of
agencies that reported having them.
Table 3: Ten Most Common Less-Stringent FDCC Deviations at Federal
Agencies:
FDCC setting                                             Operating   Number of
                                                         system      agencies
Determines whether Federal Information Processing        XP/Vista    21
  Standards-compliant encryption algorithms must be used
Determines whether the computer always digitally signs   XP/Vista    17
  client communications
Determines what happens when an attempt is made to       XP          16
  install a device driver that has not been certified
  by the Windows Hardware Quality Lab
Determines which password hashing algorithm is used      XP/Vista    12
  for network logons
Determines which users are allowed to use a network      XP          12
  utility tool
Determines whether the Server Message Block server is    XP/Vista    12
  required to perform packet signing
Determines who can connect to the workstation over the   XP/Vista    11
  network
Determines the least number of characters that a         XP/Vista    11
  password for a user account can contain
Determines whether a wireless configuration service      XP          10
  can be used
Determines whether users can make remote assistance      XP/Vista     9
  invitations for workstations
Source: GAO analysis of agency data.
[End of table]
Additionally, 7 agencies listed deviations that were more stringent
(e.g., had parameters that were more secure) than the FDCC settings.
Of the 7 agencies with more-stringent deviations, 1 had 10 or more of
these more-stringent deviations, while the remaining 6 agencies had
fewer than 10. Some of these more-stringent deviations were also
common to several of the 7 agencies. For example, 3 agencies had a
deviation for the length of time an account remains locked out, 2
agencies had a deviation for the number of invalid logon attempts
allowed before an account is locked out, and 2 agencies had a
deviation for which users can format and eject removable media.
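Classifying a deviation as less or more stringent, as in the two passages above on agency baselines, requires knowing for each setting which direction is the more secure one; the following Python example is added here and is not code from the report, OMB or NIST. Its setting names, FDCC values and agency values are constructed placeholders (the official FDCC v1.0 parameters come from the NIST-published baseline), and the deviation ranges are the ones used in Table 2 of the report.

```python
"""Classify an agency's FDCC baseline deviations as less or more stringent.

Added illustration, not code from the GAO report, OMB or NIST. Setting
names, FDCC values and agency values are constructed placeholders.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Stringency(Enum):
    MATCH = "match"
    LESS = "less stringent"
    MORE = "more stringent"


# A comparator returns +1 if the agency value is stricter than the FDCC
# value, -1 if it is weaker, and 0 if the two are equivalent.
Comparator = Callable[[object, object], int]


def higher_is_stricter(fdcc, agency) -> int:
    """Larger numbers are more secure (e.g. minimum password length)."""
    return (agency > fdcc) - (agency < fdcc)


def lower_is_stricter(fdcc, agency) -> int:
    """Smaller numbers are more secure (e.g. invalid logons before lockout)."""
    return (agency < fdcc) - (agency > fdcc)


def enabled_is_stricter(fdcc, agency) -> int:
    """Enabled is more secure (e.g. FIPS-compliant algorithms, SMB signing)."""
    return int(bool(agency)) - int(bool(fdcc))


def lockout_duration(fdcc, agency) -> int:
    """Windows 'Account lockout duration' in minutes: 0 means the account
    stays locked until an administrator unlocks it, the strictest value,
    so 0 must rank above every positive duration."""
    def rank(minutes):
        return float("inf") if minutes == 0 else minutes
    return higher_is_stricter(rank(fdcc), rank(agency))


@dataclass(frozen=True)
class Setting:
    name: str
    fdcc_value: object
    compare: Comparator


# Constructed subset of FDCC-style settings with placeholder values.
FDCC_BASELINE: List[Setting] = [
    Setting("Minimum password length", 12, higher_is_stricter),
    Setting("Account lockout threshold (invalid attempts)", 5, lower_is_stricter),
    Setting("Account lockout duration (minutes)", 15, lockout_duration),
    Setting("Use FIPS-compliant algorithms", True, enabled_is_stricter),
    Setting("Always digitally sign client communications", True, enabled_is_stricter),
    Setting("Prompt for password on resume from sleep", True, enabled_is_stricter),
]

# Constructed agency baseline (the values the agency actually applies).
# Settings absent from this dict are taken to be at the FDCC value.
SAMPLE_AGENCY_BASELINE: Dict[str, object] = {
    "Minimum password length": 8,                          # weaker
    "Account lockout threshold (invalid attempts)": 3,     # stricter
    "Account lockout duration (minutes)": 0,               # stricter (admin unlock)
    "Use FIPS-compliant algorithms": False,                # weaker
    "Always digitally sign client communications": False,  # weaker
}


def classify(setting: Setting, agency_value) -> Stringency:
    """Compare one agency value against its FDCC counterpart."""
    verdict = setting.compare(setting.fdcc_value, agency_value)
    if verdict > 0:
        return Stringency.MORE
    if verdict < 0:
        return Stringency.LESS
    return Stringency.MATCH


def summarize(baseline: List[Setting],
              agency: Dict[str, object]) -> Dict[Stringency, List[str]]:
    """Group every baseline setting by how the agency's value compares."""
    report: Dict[Stringency, List[str]] = {s: [] for s in Stringency}
    for setting in baseline:
        value = agency.get(setting.name, setting.fdcc_value)
        report[classify(setting, value)].append(setting.name)
    return report


# Ranges the report's Table 2 uses to count less-stringent deviations.
DEVIATION_RANGES = ((1, 9), (10, 19), (20, 39), (40, 75), (76, 130))


def deviation_range(count: int) -> Optional[str]:
    """Map a deviation count onto a Table 2 range; None if outside all."""
    for low, high in DEVIATION_RANGES:
        if low <= count <= high:
            return f"{low}-{high}"
    return None
```

Running `summarize(FDCC_BASELINE, SAMPLE_AGENCY_BASELINE)` lists three less-stringent and two more-stringent settings for the constructed agency, and `deviation_range(3)` places it in the "1-9" range of Table 2.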
Until those agencies that have not completed implementation of their
FDCC baseline (see appendix II) establish firm milestones for
completion and complete implementation, agencies risk not achieving
the potential benefits of the initiative.
Most Agencies Documented Deviations, but Eight Did Not Establish a
Policy for Approving Them:
Although OMB guidance indicates that agencies are to document and have
a designated accrediting authority approve deviations from FDCC,
several agencies did not do so. Of the 24 agencies, 23 had deviations
and 1 did not maintain a list. Of the 23, 19 had fully documented
their deviations but 4 had not. In addition, 16 agencies established a
policy to have deviations approved by a designated accrediting
authority, while 8 agencies have not established such a policy. Table
4 shows which agencies have documented deviations and have a policy in
place to approve deviations by a designated authority.
Table 4: Status of Agency Compliance with Deviation Guidance:
Agency                                        Documented   Policy to approve
                                              deviations   deviations by
                                                           designated authority
Agriculture                                   No           No
Commerce                                      Yes          Yes
Defense                                       Yes          Yes
Education                                     Yes          Yes
Energy                                        No           Yes
Environmental Protection Agency               Yes          No
General Services Administration               Yes          Yes
Health and Human Services                     Yes          Yes
Homeland Security                             Yes          No
Housing and Urban Development                 Yes          Yes
Interior                                      No[A]        No[A]
Justice                                       Yes          No
Labor                                         Yes          Yes
National Aeronautics and Space Administration Yes          Yes
National Science Foundation                   Yes          Yes
Nuclear Regulatory Commission                 Yes          No
Office of Personnel Management                No           Yes
Small Business Administration                 Yes          No
Social Security Administration                Yes          No
State                                         Yes          Yes
Transportation                                Yes          Yes
Treasury                                      Yes          Yes
U.S. Agency for International Development     Yes          Yes
Veterans Affairs                              Yes          Yes
Source: GAO analysis of agency documentation and responses by agency
inspectors general to fiscal year 2009 FISMA reporting question.
[A] Although the Department of the Interior documented deviations and
had them approved by a designated authority at the department level,
not all of its components had implemented these requirements.
[End of table]
Agency officials who had not documented deviations said they either
did not maintain lists for field offices or had not yet completed the
process for establishing the agency baseline and documenting the
deviations. Officials from agencies that did not have a policy in
place for approving deviations told us they were still working to
develop an approval process. Until agencies document their FDCC
deviations or have a policy in place to approve those deviations, they
cannot fully assess the potential risk of not implementing the
required settings and they cannot ensure that configuration baselines
are effectively controlled and maintained.
Six Agencies Have Yet to Acquire a SCAP Tool and Use It to Monitor
FDCC Configurations:
Agencies were required to obtain a NIST-validated SCAP tool and use it
to consistently monitor the implementation of the configuration;
however, while 15 agencies reported acquiring and deploying NIST-
validated tools, 6 had not. Of the 3 remaining agencies, some of their
components have a NIST-validated SCAP tool, while the other components
either do not have a tool or do not use a NIST-validated tool for
monitoring workstation configurations. Regardless of whether the tool
had been validated, most agencies used one to monitor FDCC
implementation. However, 2 agencies that had a validated tool had not
yet established a policy for monitoring compliance. Table 5 shows
which federal agencies have acquired a NIST-validated tool and were
using it to monitor their workstation configurations.
Table 5: Status of Agency Acquisition and Use of a NIST-validated SCAP
Tool:
Agency                                        NIST-validated   NIST-validated
                                              SCAP tool        SCAP tool used
                                              acquired and     to monitor
                                              deployed         compliance
Agriculture                                   Yes              Yes
Commerce                                      Partially        Partially
Defense                                       Yes              Yes
Education                                     Yes              Yes
Energy                                        Partially        Partially
Environmental Protection Agency               Yes              Yes
General Services Administration               Yes              Yes
Health and Human Services                     Yes              No[B]
Homeland Security                             Yes              No
Housing and Urban Development                 No               No
Interior                                      Partially        Partially
Justice                                       No[A]            No[C]
Labor                                         Yes              Yes
National Aeronautics and Space Administration Yes              Yes
National Science Foundation                   No[A]            No[C]
Nuclear Regulatory Commission                 Yes              Yes
Office of Personnel Management                Yes              Yes
Small Business Administration                 Yes              Yes
Social Security Administration                No[A]            No
State                                         Yes              Yes
Transportation                                No[A]            No[C]
Treasury                                      Yes              Yes
U.S. Agency for International Development     Yes              Yes
Veterans Affairs                              No               No
Source: GAO analysis of agency data.
[A] Agency has acquired a NIST-validated tool but has not completed
deployment at the agency.
[B] Although the agency lacks a policy for monitoring compliance, it
does perform scanning of its workstations using a NIST-validated SCAP
tool.
[C] Agency or components within the agency used a SCAP tool not
currently validated by NIST to monitor compliance.
Note: Agency was given a rating of "partially" if some components had
acquired a validated SCAP tool and used it to monitor compliance but
other components had not.
[End of table]
At agencies that did not have a NIST-validated SCAP tool, officials
told us they were in the process of acquiring a tool but had been
delayed due to funding issues. For those agencies where only some
components had acquired a tool, officials told us their components
were responsible for acquiring a tool and noted that funding had been
an issue. At agencies without a policy for monitoring implementation,
officials told us that either a policy had not been finalized or a
policy would be developed once a SCAP tool had been acquired. However,
officials from one of these agencies noted that although they lacked a
policy, they were still performing some monitoring of workstations.
Until agencies acquire and deploy a NIST-validated SCAP tool and
develop, document, and implement policies to monitor compliance, they
will not be able to ensure that the FDCC settings have been
successfully implemented to help protect the confidentiality,
integrity, and availability of their information.
Most Agencies Have Not Incorporated Language into Contracts:
Although OMB requires agencies to include language in contracts to
ensure new acquisitions include FDCC settings and products of
information technology providers operate effectively using them, most
agencies have not done so. Eight agencies had incorporated the
language into their contracts, while 13 agencies had not, and 3
agencies had partially implemented the requirement. Table 6 shows
which agencies have incorporated language into their contracts.
Table 6: Agency Incorporation of Language into Contracts:
Agency                                        Language incorporated
Agriculture                                   Yes
Commerce                                      No
Defense                                       No
Education                                     Yes
Energy                                        No
Environmental Protection Agency               Yes
General Services Administration               Yes
Health and Human Services                     No
Homeland Security                             No
Housing and Urban Development                 No
Interior                                      Yes
Justice                                       No
Labor                                         Partially
National Aeronautics and Space Administration Yes
National Science Foundation                   Yes
Nuclear Regulatory Commission                 Partially
Office of Personnel Management                No
Small Business Administration                 No
Social Security Administration                No
State                                         Yes
Transportation                                No
Treasury                                      Partially
U.S. Agency for International Development     No
Veterans Affairs                              No
Source: GAO analysis and agency inspector general-provided responses
for FISMA fiscal year 2009 reporting.
Note: Agencies were given a rating of "partially" if some components
had incorporated the language into contracts but others had not, or if
some contracts had the language incorporated, but others did not.
[End of table]
Officials from agencies that had not incorporated the language said
that it had been included in only a portion of the contracts reviewed,
or that the agency was still working on incorporating the language
into its contracts. In addition, two agencies had one or more
components that had not included the language in contracts. Until
these agencies ensure that language is included in contracts so that
new acquisitions include FDCC settings and products of information
technology providers operate effectively using them, agencies will not
be able to ensure that new acquisitions are in compliance with FDCC
requirements.
Majority of Agencies Reported Status of Compliance with FDCC to NIST,
but Many Indicated No Plans to Mitigate Deviations:
Although most agencies submitted a compliance status report to NIST,
the documentation was not always complete (for example, it often
lacked plans for mitigating deviations) or timely. Agencies were required to report to
NIST the status of their compliance with FDCC by March 31, 2008, and
submit a list of deviations, their plans of action and milestones for
mitigating the deviations, and copies of reports generated by their
SCAP tools. The majority of the agencies in our review submitted
documentation to NIST; however, 2 agencies told us they had not
submitted information to NIST, and 1 agency was unable to locate all
the documents submitted. Of the 21 agencies that provided
documentation, 12 agencies submitted all of the required information
and documents. The remaining 9 agencies were either missing the
required information or did not submit all of the required SCAP tool
reports. In addition, while many of the agencies listed deviations,
they either noted they did not plan to mitigate the deviations, or
made general statements about addressing them at some point in the
future. Furthermore, only 13 of the agencies in our review generally
met the March 31, 2008, deadline for submission, while the remaining
agencies took an additional month or more to provide documentation to
NIST. As discussed later in the section on lessons learned, agencies
experienced problems in implementing this requirement due to
unrealistic deadlines.
Implementing FDCC Resulted in Benefits and Lessons Learned, but
Agencies Continue to Face Challenges in Meeting Requirements:
While implementation of FDCC can result in improvements to agencies'
information security as well as other benefits, such as cost savings,
attempting to meet the requirements yielded lessons learned that could
improve the implementation of future versions of FDCC or other
workstation configurations. In addition, agencies continue to face
significant challenges in meeting FDCC requirements, monitoring their
implementation of the settings, and measuring benefits of the
initiative, among other things.
Implementing FDCC Can Enhance Security at Federal Agencies:
FDCC has the potential both to increase agencies' information security
and to standardize their management of workstations. Other potential
benefits include cost savings arising from reduced power usage.
FDCC implementation enhances security by requiring stricter security
settings on workstations than those that may have been previously in
place at federal agencies. Specifically, some of the key configuration
settings serve to secure agency workstations by restricting user and
administrative rights to particular system functions. These settings
reduce the potential for malware and other known vulnerabilities to
affect agency workstations because the stricter access rights would
prevent their automatic download and installation. As an example,
officials at two agencies reported that FDCC was responsible for
protecting their workstations from recent malicious code infections.
The settings also reinforce access controls by restricting users'
rights to what is necessary for their work. Ten of the agencies in our
review attributed either increased security or increased security
awareness to implementation of the settings and were generally
supportive of a stricter configuration for the agency.
FDCC implementation also enabled agencies to reap the benefits of
having more standardized configurations within agency computing
environments. For example, a more secure enterprisewide Windows
configuration and consistent workstation profile (i.e., the set of
configuration settings and other software applied to a workstation)
across the agency can not only improve security but can also make it
easier to manage changes to the security features of workstation
software, such as applying updates or patches. Updates or patches can
be applied more expeditiously because there are fewer workstation
profiles that they must be tested on, which also reduces the amount of
necessary supporting documentation. Agency officials we spoke to
confirmed that FDCC provided an improved understanding of their
computing environment as well as a consistent desktop image across the
department. Another official stated that adopting and implementing the
configuration settings would raise awareness of the importance of
workstation configuration management across the government.
Beyond the benefits to enhancing security within agency computing
environments, there are other potential, if unanticipated, benefits to
implementing particular settings and standardizing them across the
federal government. For example, while settings related to activating
and password-protecting screen savers can provide added security by
locking the workstation while the user is not present, they could also
reduce power consumption and lead to savings in utility costs. One
agency official said his agency was anticipating saving between $10
million and $15 million a year by implementing the power settings, and
would be deploying a tool to track this data. In addition, an agency
official from the Chief Information Officers Council's FDCC Change
Control Board said the board was working on recommending what it
considered "green settings" to OMB, which would also potentially
reduce consumption of power and the paper used to print
documents.[Footnote 40] Officials at one agency also told us that
because they had observed several benefits--including improved
security, cost avoidance through acquisition of workstations with
settings already implemented, and a simplification of the software
development process--by implementing their agency FDCC baseline, they
were in the process of developing or finalizing configuration settings
for other operating systems and servers.
Lessons Learned:
There are a number of lessons to be learned from the management and
implementation of the FDCC initiative which, if considered, could
improve the implementation of future versions of FDCC or other
configuration efforts.
Having Realistic and Established Time Frames for Completion Is Needed
to Ensure Successful Implementation:
OMB did not provide a realistic time frame for agencies to meet the
requirements of the initiative and complete implementation of FDCC by
February 2008. This is due in large part to OMB not considering
several constraints when establishing time frames for agencies to
complete the requirements and implement the beta version of the
settings within 7 months, including:
* Agencies were required to submit draft plans to implement the
settings by May 1, 2007, approximately 3 months before being informed
of the settings they were required to implement.
* Only one SCAP tool was validated in time for agencies to use to
report the status of implementation to NIST, and one agency found that
the tool did not produce the needed reports required for NIST
reporting. The earliest any of the other tools were validated was 7
months after the deadline.
* Multiple changes occurred to the FDCC content--including the
settings, SCAP, and resources--that agencies were supposed to use in
order to complete implementation by the February 2008 deadline. In
addition, another version of the settings was released between the
February deadline and the March 2008 compliance reporting deadline.
Furthermore, once the beta version of the settings was revised and
major version 1.0 was released in June 2008, OMB did not establish a
deadline for agencies to complete implementation of this version.
OMB officials confirmed they have not established a schedule for
announcing changes to FDCC versions or implementation deadlines.
However, they stated they were working with the Chief Information
Officers Council and its newly developed FDCC Change Control Board to
provide a framework for soliciting input and feedback on future
versions of the settings on a yearly basis. Nevertheless, without
realistic deadlines that are effectively communicated with sufficient
notice, agencies will continue to face challenges in meeting
implementation deadlines for future versions of FDCC.
Clarifying Guidance on Requirements for Deviations Is Necessary for
Consistent Implementation:
OMB and NIST guidance with regard to deviations was not always
comprehensive, and agencies interpreted it in divergent ways.
Specifically, OMB memorandums and guidance published on NIST's Web
site were not clear as to:
* under what conditions deviations were permitted;
* whether deviations could be permanent, or should be mitigated in a
timely manner;
* how deviations should be documented, tracked, and approved by a
designated authority; and
* how frequently and to whom deviations should be reported.
As a result, agencies interpreted this guidance in significantly
different ways. Only one agency interpreted the requirements to mean
that no deviations were permitted, while other agencies, by contrast,
interpreted full implementation of FDCC to mean applying 85 to 95
percent of the settings, with deviations allowed under certain
circumstances. In addition, most agencies responded, either in their
descriptions of plans of action and milestones or in interviews, that
they had permanent deviations from FDCC, indicating they interpreted
the guidance to mean that deviations could be permanent. However,
several agencies also reported they may reduce the number of
deviations as they upgrade, modify, or replace existing systems and
applications.
In addition, agency processes to document and approve deviations
varied. For example, some agencies documented and approved deviations
at the agency level while other agencies allowed their components to
determine the number of deviations and approve them. Some agency
officials told us their list of deviations may not be complete because
they provided deviations from only a few components, or did not track
or maintain a list of deviations at the component level. For those
agencies, officials noted they did not have visibility into the
deviations documented and approved at the component level because
responsibility for this was delegated to the components. Furthermore,
agencies' interpretation of the requirement to report deviations to
NIST varied, with some agencies stating they were only supposed to
report deviations to NIST in March 2008, while other agencies said
they reported deviations to NIST whenever they updated their lists.
OMB officials stated that full compliance with the configuration meant
implementing all the settings without deviations on all applicable
workstations, although they allowed agencies to document deviations
and later required them to be approved. Nevertheless, without further
clarification on the approval, permanence, and reporting of
deviations, the federal government will continue to be hindered in
consistently implementing FDCC, and OMB will be hindered in assessing
the status and effectiveness of implementation across federal agencies.
Certain Testing Approaches Facilitated Successful Implementation:
The variety of approaches agencies took to testing the settings prior
to implementation affected how successful they were. In one case, an
agency implemented the settings without testing, discovered problems,
and subsequently changed its approach to include testing prior to
implementation. Another agency reported having success with
collaborative testing among agency components, which included
officials from the components sharing results and other information at
regular meetings. Officials from another agency stated that automated
testing was a better approach because it allows for easier
confirmation that there is a standard workstation configuration in use
on the agency's systems. Ensuring that testing is carried out prior to
implementation, with opportunities for information sharing and
consideration of the benefits of automation, can help agencies make
implementation of future versions of FDCC or similar configurations
more successful.
Phased Approach to Implementation Aided Successful Implementation:
Agencies that implemented the settings in a phased, or sequential,
fashion were able to avoid disruption in their operations and identify
problems that arose during implementation. Officials from four
agencies cited the benefits of or need for using such a phased
implementation approach, rather than implementing the settings in one
pass. One agency's officials observed that sequential implementation
was key to avoiding system disruption and down time because settings
were not applied to all components within the agency at the same time.
Following such an approach for future versions of FDCC and other
configurations could prove beneficial to agencies.
Further Collaboration between Agencies, OMB, and NIST Is Desired:
Another success factor in implementing FDCC was frequent communication
and collaboration among and within agencies. Officials from two
agencies noted that collaboration among their agency components on
testing was helpful in addressing problems that occurred. Agencies
noted that keeping the lines of communication open, both among agency
components and between OMB and NIST and other agencies, would help in
making such an initiative more successful. One agency official
recommended that there should be a way for NIST to communicate
operational impacts prior to the release of new FDCC settings, and
another suggested that future versions of FDCC should be vetted by the
broader IT community before being rolled out to agencies. Officials
from another agency stressed the importance of having communication
and outreach among agencies to discuss FDCC issues and changes.
Lastly, officials from one agency suggested having FDCC compliance
sessions where agencies could discuss issues and learn from one
another's experiences. Further collaboration between OMB, NIST, and
agencies could increase the effectiveness of implementation among
agencies and the chances for the success of similar future initiatives.
Independent Testing Provides an Important Perspective on Agency
Compliance:
Independent testing performed by the General Services Administration
and Department of the Interior's Inspector General found compliance
results that differed from agency-reported information. In a policy
utilization assessment[Footnote 41] conducted over 2 years in multiple
phases, the General Services Administration tested FDCC implementation
at three agencies between December 2008 and February 2009. The results
generally differed from agency-reported information on the level of
policy implementation, level of compliance, and number of deviations
reported between October 2008 and November 2008. At all three
agencies, the scan results showed a higher level of policy
implementation than the agencies had reported. In addition, two
agencies learned they had a lower number of deviations on the
workstation sample than they had reported, and two agencies were
provided a more accurate indication of their level of compliance.
In September 2009, the Inspector General of the Department of the
Interior reported widespread noncompliance with mandatory FDCC
settings and noncompliance with agency directives at the agency.
[Footnote 42] Based on testing performed during summer 2009, Interior
averaged 68 percent compliance for the configuration settings, which
varied from the compliance status reported to us. In addition, the
Inspector General noted that agency components reported an additional
323 deviations at the components that were not documented and approved
according to the agency's policy. The Inspector General made a
recommendation to ensure Interior's compliance with FDCC guidance.
These results suggest that agency self-reported compliance may not
always be accurate and that continued independent testing can provide
important insight into the extent of FDCC implementation. Additional
independent testing performed by external parties could provide
opportunities for agencies to acquire additional information to assist
them in complying with FDCC requirements.
Advance Notice Can Aid in Allocating Limited Resources:
In launching an initiative such as FDCC, having sufficient notice to
marshal the necessary resources can improve agencies' chances of
success. Agencies reported that having advance notice of the
requirement to implement the initiative, with sufficient time for
preparation and training, was necessary to successfully implement the
initiative. Officials from one agency stated that such mandates should
be widely announced well in advance of anticipated completion dates to
allow all agencies appropriate lead time to ensure that budgets and
resources would be available and that requirements and resulting
impacts could be completely assessed. Further, agencies commonly
reported a lack of sufficient resources (time, money, labor, technical
expertise) to implement the FDCC settings, understand how the settings
would affect their environments, address issues found with testing,
and purchase a SCAP tool. Some agencies cited having to reallocate
approved funding to cover the costs of implementation and the purchase
of the tools. Although most agencies could not provide estimates of
the time and labor spent implementing FDCC, several agencies provided
estimates of the costs of implementation and purchasing SCAP tools,
which ranged from the tens of thousands to hundreds of thousands of
dollars. In addition, officials from a few agencies stated they did
not always have staff dedicated specifically to FDCC, which
contributed to delayed implementation. Ensuring sufficient lead time
can help agencies better plan use of their resources to implement
initiatives like FDCC.
Challenges Exist for Agencies in Fully Complying with FDCC
Requirements:
Agencies face several ongoing challenges to fully complying with FDCC
requirements, including retrofitting their existing applications and
systems to comply with the settings, assessing the risks associated
with deviations, and monitoring workstations to ensure that the
settings are applied and functioning properly.
Retrofitting Applications and Legacy Systems to Comply with
Configuration Settings in Complex Agency Environments:
Applying the configuration settings has caused, and will continue to
cause, problems for agencies due to the variety of applications, legacy
systems, and agency environments that exist within the federal
government. In particular, agencies have legacy systems or
applications built on older software that must be reconfigured to
work with the settings. In addition, while some agency environments
consist of a small number of offices with under 10 thousand
workstations, other agency environments have multiple components with
hundreds of thousands of workstations that are spread out
geographically across the country, and in a few cases, the world.
Although agencies were required to implement all the FDCC settings,
the number and scope of the deviations that agencies had to implement
highlight the magnitude of the challenge that agencies faced in
implementing the settings. Agency officials confirmed during
interviews that there were several challenges in retrofitting their
systems and applications to comply with the settings, including the
following examples:
* Some of the settings had affected other settings on workstations and
servers, and it had been a challenge to determine which FDCC settings
were responsible.
* Some of the settings impaired the functioning of custom programs,
caused problems in environments, or interfered with basic functions
(e.g., network printing).
* The settings prevented the agencies from accessing legitimate Web
sites, such as certain federal, state, and local government sites.
* Applying particular FDCC settings to legacy systems or applications
would require agencies to update their applications or operating
systems.
However, potential solutions to these challenges are either not simple
or may not exist. As new versions of the settings or other
configurations are established, it will be important for OMB to
recognize that retrofitting systems and applications to comply with
new settings in complex environments will remain an ongoing challenge
for agencies, and that sufficient time for implementation and the use
of deviations may be necessary. However, OMB has not provided guidance
to agencies on submitting plans for mitigating deviations, including
the resources necessary for doing so. Until OMB provides guidance to
agencies on submitting plans of actions and milestones for mitigating
deviations, to include resources necessary for doing so, OMB will lack
sufficient information to make decisions about the use of deviations
and whether potential changes to FDCC are warranted.
Assessing the Risks Associated with Deviations:
A related challenge for agencies is sufficiently assessing the risks
associated with deviations from the official FDCC settings. As
mentioned earlier, all agencies in our review had deviations,
regardless of whether these deviations had been sufficiently
documented or approved. There are risks associated with deviations
from individual settings and groups of settings, not only at
individual agencies but among agencies, depending on the agency's
computing environment. For instance, having deviations such as
passwords with a minimal number of characters, combined with allowing
multiple users to connect to the workstation over the network and
enabling wireless communication on the workstation, increases the risk
that unauthorized users could gain access to workstations and
sensitive government information. However, many of the agencies in our
review did not describe a process for assessing the combined risk of
the deviations they had in place because deviations were submitted for
approval on an individual basis, were submitted as part of a
configuration that included other settings beyond FDCC, or,
particularly at agencies where deviation approval was left up to
components, the agency did not track the deviations at the component
level.
Although OMB required agencies to approve deviations, it did not
specify any guidance for agencies to use to consider the risks of
having these deviations prior to approval. Until OMB specifies
guidance for agencies to use to assess the risks of having deviations
prior to approving them, including the combined risk of deviations in
place across the agency, workstations may remain particularly
vulnerable to cyber threats.
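The combined-risk gap described above, as an added example that is not code from the GAO report or from any agency: each deviation in a constructed register was approved on its own at a low or moderate risk level, and a second pass evaluates the approved set against constructed combination rules (setting identifiers, rule names and risk levels are assumptions, not official FDCC content).

```python
"""Combined-risk assessment of FDCC deviations.

Added example, not code from the GAO report or from any agency. It models
the gap the report describes: each deviation is approved on its own, so
nobody evaluates what the approved deviations add up to. The setting
identifiers, rule names, risk levels and the sample register below are
constructed for illustration and are not official FDCC content.
"""
from dataclasses import dataclass

RISK_ORDER = {"low": 0, "moderate": 1, "high": 2}


@dataclass(frozen=True)
class Deviation:
    setting: str          # constructed identifier of the FDCC setting
    fdcc_value: str       # value the baseline prescribes
    agency_value: str     # value the agency actually applies
    component: str        # component that documented and approved it
    individual_risk: str  # risk level recorded at individual approval


# Constructed combination rules. A rule names settings whose deviations,
# taken together, carry more risk than any of them carries alone. The first
# rule mirrors the report's own illustration: short passwords plus network
# logon plus wireless access on the same workstation.
COMBINATION_RULES = {
    "remote-credential-guessing": {
        "settings": {"min_password_length", "network_logon_allowed",
                     "wireless_enabled"},
        "risk": "high",
    },
    "unattended-workstation-access": {
        "settings": {"screen_saver_timeout", "screen_saver_password"},
        "risk": "moderate",
    },
}

# Constructed deviation register. The members of the first rule were
# approved by different components, so no single approver saw them all.
SAMPLE_REGISTER = [
    Deviation("min_password_length", "12", "8", "Bureau A", "low"),
    Deviation("network_logon_allowed", "deny", "allow", "Bureau B", "low"),
    Deviation("wireless_enabled", "disabled", "enabled", "Bureau A", "moderate"),
    Deviation("screen_saver_timeout", "900", "1800", "Bureau C", "low"),
]


def assess_combined_risk(deviations):
    """Return the combination rules triggered by a set of approved deviations.

    A rule fires only when every setting it names has an active deviation,
    whichever component approved each one. Each finding records the highest
    individual risk among the members so the difference between per-deviation
    and combined assessment is visible.
    """
    by_setting = {d.setting: d for d in deviations}
    findings = []
    for name, rule in COMBINATION_RULES.items():
        if not rule["settings"].issubset(by_setting):
            continue  # at least one member is still at the FDCC value
        members = [by_setting[s] for s in sorted(rule["settings"])]
        highest_individual = max(
            (d.individual_risk for d in members), key=RISK_ORDER.__getitem__)
        findings.append({
            "rule": name,
            "combined_risk": rule["risk"],
            "highest_individual_risk": highest_individual,
            "components": sorted({d.component for d in members}),
            "escalated": RISK_ORDER[rule["risk"]] > RISK_ORDER[highest_individual],
        })
    return findings


def main():
    for f in assess_combined_risk(SAMPLE_REGISTER):
        print(f"{f['rule']}: approved individually at most as "
              f"{f['highest_individual_risk']}, combined {f['combined_risk']} "
              f"(components: {', '.join(f['components'])})")


if __name__ == "__main__":
    main()
```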
Consistent and Comprehensive Monitoring of FDCC Implementation on
Agency Workstations:
Challenges also exist in effectively and consistently monitoring the
implementation of FDCC in order to ensure the settings have been
implemented properly and are continuing to function as intended.
Specifically, the frequency and scope with which agencies scan
workstations for compliance may not be sufficient to ensure the
settings are working properly, and the results could potentially be
incomplete or inconsistent. While some agencies scanned workstations
on a weekly or bi-weekly basis, other agencies performed scans only
when new patches or system updates had been installed or performed
scanning only on a quarterly or annual basis. The infrequent
monitoring on the part of some agencies could be due to the SCAP tool
used: agency officials without an enterprisewide tool noted that
frequent monitoring was impractical because regularly scanning each
workstation required them to individually scan up to tens of thousands
of workstations.
In addition, while some agencies scanned every workstation on their
network, other agencies only performed scans on test workstations,
which could be insufficient if agency workstation configurations do
not match the tested workstations. Scans of workstations on agency
networks may also be incomplete in cases where user populations work
remotely or have contractor-owned workstations. Agencies that use a
SCAP tool to scan all workstations connected to their network may miss
workstations belonging to these populations, which might not be
connected to the network depending on the time of the scan.
Consequently, agencies may be relying on incomplete information on
whether the settings are working as intended.
While OMB guidance indicates that agencies should monitor compliance
using SCAP, the guidance does not specify the frequency or scope in
which monitoring should be performed. Until OMB improves its guidance
on monitoring compliance using SCAP to include information on the
frequency and scope with which agencies should perform monitoring,
agencies may not be scanning with sufficient rigor to ensure the
settings have been successfully implemented and are working properly.
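The coverage and frequency gaps described above, as an added example that is not code from the GAO report or from any SCAP tool: scan results are reconciled against a constructed workstation inventory to separate current, stale and never-scanned hosts, and to contrast the compliance rate a scanner would report with the rate actually demonstrated across the inventory (hostnames, dates, populations and the 14-day scan interval are assumptions).

```python
"""Coverage and freshness check for FDCC compliance scans.

Added example, not code from the GAO report or from any SCAP tool. It
reconciles scan results against a workstation inventory to expose the two
gaps the report describes: workstations never reached by the scanner
(remote or contractor-owned machines off the network) and scans too old to
show whether the settings still hold. Hostnames, dates and populations are
constructed for illustration; the scan interval is an assumed policy value.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed inventory: FDCC applies to workstations, not to the server row.
INVENTORY = [
    {"host": "WS-HQ-001", "owner": "agency", "location": "onsite", "applicable": True},
    {"host": "WS-HQ-002", "owner": "agency", "location": "onsite", "applicable": True},
    {"host": "WS-RMT-010", "owner": "agency", "location": "remote", "applicable": True},
    {"host": "WS-RMT-011", "owner": "agency", "location": "remote", "applicable": True},
    {"host": "WS-CTR-020", "owner": "contractor", "location": "onsite", "applicable": True},
    {"host": "SRV-DB-001", "owner": "agency", "location": "onsite", "applicable": False},
]

# Constructed scan log as a network-wide scan would leave it: hosts that
# were off the network at scan time simply do not appear.
SCANS = [
    {"host": "WS-HQ-001", "scanned": date(2009, 10, 5), "compliant": False},
    {"host": "WS-HQ-001", "scanned": date(2009, 11, 20), "compliant": True},
    {"host": "WS-HQ-002", "scanned": date(2009, 11, 20), "compliant": False},
    {"host": "WS-RMT-010", "scanned": date(2009, 8, 3), "compliant": True},
]

AS_OF = date(2009, 11, 30)  # constructed reporting date


def latest_scan_per_host(scans):
    """Keep only the most recent result for each host."""
    latest = {}
    for s in scans:
        if s["host"] not in latest or s["scanned"] > latest[s["host"]]["scanned"]:
            latest[s["host"]] = s
    return latest


def coverage_report(inventory, scans, as_of, max_age_days=14):
    """Classify every applicable workstation as current, stale or never scanned.

    'reported_compliance' is the figure a scanner alone would show (compliant
    share of hosts it saw within the interval); 'demonstrated_compliance'
    counts every applicable host, treating unscanned and stale ones as not
    demonstrated.
    """
    applicable = [w for w in inventory if w["applicable"]]
    latest = latest_scan_per_host(scans)
    cutoff = as_of - timedelta(days=max_age_days)
    current, stale, never = [], [], []
    for w in applicable:
        s = latest.get(w["host"])
        if s is None:
            never.append(w)
        elif s["scanned"] < cutoff:
            stale.append(w)
        else:
            current.append(w)
    compliant = sum(1 for w in current if latest[w["host"]]["compliant"])
    gap = Counter(f"{w['owner']}/{w['location']}" for w in never + stale)
    return {
        "applicable": len(applicable),
        "current": len(current),
        "stale": sorted(w["host"] for w in stale),
        "never_scanned": sorted(w["host"] for w in never),
        "reported_compliance": compliant / len(current) if current else 0.0,
        "demonstrated_compliance": compliant / len(applicable) if applicable else 0.0,
        "unscanned_by_population": dict(gap),
    }


def main():
    rep = coverage_report(INVENTORY, SCANS, AS_OF)
    print(f"{rep['current']} of {rep['applicable']} applicable workstations "
          f"have a scan within policy; stale: {rep['stale']}; "
          f"never scanned: {rep['never_scanned']}")
    print(f"scanner-reported compliance {rep['reported_compliance']:.0%}, "
          f"demonstrated across inventory {rep['demonstrated_compliance']:.0%}")
    print("unscanned by population:", rep["unscanned_by_population"])


if __name__ == "__main__":
    main()
```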
Having Sufficient Tools to Perform Monitoring of Workstations:
Agencies did not always have sufficient tools to monitor
implementation and compliance with FDCC. In particular, issues with
the current NIST-validated SCAP tools include the following:
* Some tools generate errors when scanning for particular settings.
* Certain settings have to be checked manually because the tools do
not scan for all settings.
* Some tools record false positives, particularly if the agency's
parameter for a particular setting is stricter than the FDCC parameter.
* It takes time for vendors to update their SCAP tools after NIST
changes SCAP content to address problems, with the result that the
tools perform scans based on incorrect content.
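The false-positive and manual-check problems listed above, as an added example that is not code from the GAO report or from any NIST-validated SCAP tool: an equality-only checker is compared with one that records, per setting, whether a stricter agency value is acceptable (baseline entries, values and the agency export are constructed and are not the official FDCC content).

```python
"""Direction-aware compliance checks for FDCC settings.

Added example, not code from the GAO report or from any NIST-validated SCAP
tool. It shows why a checker that tests agency values for equality with the
baseline reports false positives when the agency parameter is stricter, and
how recording the allowed direction for each setting removes them. The
baseline entries, values and agency export below are constructed for
illustration and are not the official FDCC content.
"""

# Constructed baseline. 'direction' says how an agency value that differs
# from the FDCC value should be judged; 'manual' marks a setting the scanner
# cannot evaluate, which the report notes must be checked by hand.
BASELINE = [
    {"setting": "min_password_length", "fdcc": 12, "direction": "at_least"},
    {"setting": "lockout_threshold", "fdcc": 5, "direction": "at_most"},
    {"setting": "screen_saver_timeout_s", "fdcc": 900, "direction": "at_most"},
    {"setting": "max_password_age_days", "fdcc": 60, "direction": "at_most"},
    {"setting": "password_complexity", "fdcc": "enabled", "direction": "exact"},
    {"setting": "wireless_service", "fdcc": "disabled", "direction": "exact"},
    {"setting": "local_admin_account_review", "fdcc": "done", "direction": "manual"},
]

# Constructed agency export. Three values are stricter than the baseline,
# one is weaker, and one arrived as text because of a bad registry export.
AGENCY_SETTINGS = {
    "min_password_length": 14,
    "lockout_threshold": 3,
    "screen_saver_timeout_s": 600,
    "max_password_age_days": "60",
    "password_complexity": "disabled",
    "wireless_service": "disabled",
}


def naive_check(agency_value, entry):
    """Equality only: any difference from the FDCC value is a failure."""
    return "pass" if agency_value == entry["fdcc"] else "fail"


def direction_aware_check(agency_value, entry):
    """Judge the value by the direction recorded for the setting."""
    direction = entry["direction"]
    if direction == "manual":
        return "manual"            # needs a human review, not a scan result
    if agency_value is None:
        return "missing"           # setting absent from the export
    try:
        if direction == "exact":
            ok = agency_value == entry["fdcc"]
        elif direction == "at_least":
            ok = agency_value >= entry["fdcc"]
        elif direction == "at_most":
            ok = agency_value <= entry["fdcc"]
        else:
            raise ValueError(f"unknown direction {direction!r}")
    except TypeError:
        return "error"             # e.g. text compared against a number
    return "pass" if ok else "fail"


def evaluate(agency_settings, baseline, checker):
    """Apply one checker to every baseline entry."""
    return {e["setting"]: checker(agency_settings.get(e["setting"]), e)
            for e in baseline}


def false_positives(agency_settings, baseline):
    """Settings the naive checker fails but the direction-aware checker passes."""
    naive = evaluate(agency_settings, baseline, naive_check)
    aware = evaluate(agency_settings, baseline, direction_aware_check)
    return sorted(s for s in naive if naive[s] == "fail" and aware[s] == "pass")


def main():
    aware = evaluate(AGENCY_SETTINGS, BASELINE, direction_aware_check)
    for setting, status in aware.items():
        print(f"{setting:28} {status}")
    print("false positives under equality checking:",
          false_positives(AGENCY_SETTINGS, BASELINE))


if __name__ == "__main__":
    main()
```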
Agency officials we interviewed confirmed there were issues with the
SCAP tools, and many agencies and their components found it easier to
use some combination of NIST-validated SCAP tools, group policy
objects, or other configuration management software to monitor their
configurations. In addition, several agencies indicated they had
acquired or were in the process of acquiring a different SCAP tool
that would provide better functionality and capabilities in order to
meet their needs.
NIST officials confirmed they were aware of the issues with SCAP tools
and stated they are taking steps to address them. For instance, NIST
intends to release new requirements that SCAP tools must meet as well
as change validation requirements so that vendors will be required to
have their tools tested and validated against the new requirements
within 1 year of the requirements being released. NIST requested
comments on a draft of this document through January 2010, but has not
released a final version. Once NIST releases the new requirements for
SCAP tools and these tools are validated against these requirements,
agencies should have tools that are sufficient for monitoring
implementation of FDCC.
Measuring Benefits of the Initiative:
Although agencies have anecdotally reported a variety of benefits from
efforts to implement FDCC, OMB and agencies face challenges in
accurately assessing the impact and measuring the benefits of the
initiative. This is because neither OMB nor the agencies have
developed specific metrics to measure the effectiveness and program
impact of the initiative. Specifically, they have not required or
collected measures or metrics that address how effectively the
initiative is mitigating security risks or reducing costs, two of its
stated goals. For example, an official at one agency noted several
benefits of implementing FDCC--a more secure user environment because
of reduced user permissions, a stable development platform that
resulted in cost savings and a simplification of the software
development process, and a reduction in the number of customer support
help calls and service calls by technicians. However, the official
admitted that he did not have specific metrics for quantitatively
measuring these benefits.
Implementing metrics that assess the effectiveness and program impact
could give a more complete picture of the benefits of FDCC and help
determine whether future versions of the settings or configurations
for other operating systems or servers should be instituted. In our
September 2009 report, we recommended that OMB, among other things,
direct federal agencies to use balanced sets of information security
measures that include effectiveness and impact, as well as compliance,
and to require agencies to report on such a balanced set of measures.
[Footnote 43] Without performance measures and guidance to agencies
for reporting the benefits of FDCC, OMB and federal agencies will be
limited in their ability to determine if the initiative is meeting its
goals of improving federal information security and reducing operating
costs and if the initiative should be continued or expanded.
Conclusions:
While agencies have taken steps toward implementing FDCC, work remains
to be done in order to meet all the requirements established by OMB.
Specifically, many agencies have applied an agency-defined subset of
the configuration settings to their Windows workstations; however,
none of the 24 major agencies has fully applied all the FDCC settings.
Further, not all agencies have put a process in place for documenting
or approving deviations from the FDCC baseline, and some have not yet
acquired the required SCAP tool to monitor compliance with the
settings. Unless agencies fulfill these requirements, OMB will not be
able to ensure the effectiveness of the initiative.
The FDCC initiative was an innovative approach by OMB to standardize
and thereby strengthen information security at federal agencies, but
lessons learned indicate ways that implementation could have been more
successful. Specifically, OMB did not establish realistic time frames
for completion or provide comprehensive guidance on FDCC deviations,
which has impacted agencies' ability to successfully implement the
initiative. In addition, collaboration among OMB, NIST, and the
agencies, as well as independent testing of FDCC implementation by
external parties, may help agencies be more successful in their
implementation efforts.
Finally, there are several ongoing challenges facing agencies in fully
complying with the requirements, including retrofitting systems and
applications amid complex environments, assessing the risks associated
with deviations across each agency, and monitoring workstations to
ensure the settings are applied and functioning properly. As OMB
establishes additional versions of FDCC settings--or configuration
settings for other applications or operating systems--understanding
the lessons learned from implementation as well as the ongoing
challenges agencies face will be essential to the initiative's success
in ensuring public confidence in the confidentiality, integrity, and
availability of government information.
Recommendations for Executive Action:
To improve implementation of FDCC at federal agencies, we recommend
that the Director of OMB take the following six actions:
* When announcing new FDCC versions, such as Windows 7, and changes to
existing versions, include clear, realistic, and effectively
communicated deadlines for completing implementation.
* Clarify OMB policy regarding FDCC deviations to include: whether
deviations can be permanent or should be mitigated in a timely manner;
requirements for plans of actions and milestones for mitigating
deviations, including resources necessary for doing so; guidance to
use for assessing the risk of deviations across the agency; and how
frequently and to whom deviations should be reported to assist in
making decisions regarding future versions.
* Inform agencies of the various approaches for testing the settings
and implementing the initiative in phases, which may aid successful
implementation.
* Assess the efficacy of, and take steps to apply as appropriate,
other lessons learned during the initial implementation of this
initiative such as the need for (1) additional collaboration efforts,
(2) independent testing, and (3) advance notice of requirements, to
assist agencies in implementing this initiative.
* Provide guidance on using SCAP tools to include information on the
frequency and scope with which agencies should perform monitoring.
* Develop performance measures and provide guidance to agencies for
reporting the benefits of FDCC.
We are also making 56 recommendations to 22 of the 24 departments and
agencies in our review to improve their implementation of FDCC
requirements that were not being met. Appendix III contains these
recommendations.
Agency Comments and Our Evaluation:
In providing e-mail comments on a draft of this report, the lead IT
policy analyst from OMB's Office of E-Government and Information
Technology stated that OMB concurred with the report's findings,
conclusions, and 6 recommendations addressed to OMB.
We also sent a draft of this report to the 24 agencies in our review
and received written, e-mail, and/or oral responses from all 24
agencies. Of the 22 agencies to which we made recommendations, 14
(Agriculture, Defense, Environmental Protection Agency, General
Services Administration, Health and Human Services, Justice, National
Aeronautics and Space Administration, National Science Foundation,
Nuclear Regulatory Commission, Small Business Administration, Social
Security Administration, Treasury, U.S. Agency for International
Development, and Veterans Affairs) generally agreed with our
recommendations. One agency (Commerce) did not comment specifically on
our recommendations and the remaining 7 agencies generally concurred
with some of our recommendations but provided qualifying comments with
others. The agencies' comments and our responses are summarized below:
* In oral comments on a draft of the report, the Department of
Energy's Acting Associate Chief Information Officer for Cyber Security
generally concurred with 4 of our 5 recommendations. However, he
requested that our recommendations to ensure that all components
acquire and deploy a NIST-validated SCAP tool, and develop, document,
and implement a policy to monitor compliance using a NIST-validated
tool be clarified to pertain only to those components that were
required to implement FDCC. We agree that this modification clarifies
the intent of our recommendations and have modified those
recommendations as appropriate. Further, in commenting on our fifth
recommendation to ensure that FDCC acquisition language was included
in contracts, the Acting Associate Chief Information Officer for Cyber
Security stated that the department will continue to evaluate our
recommendation and determine an appropriate implementation approach.
* In written comments on a draft of the report, the Department of
Homeland Security's Chief Information Officer concurred with 3 of our
4 recommendations. He also concurred, with a caveat, with our fourth
recommendation to ensure that FDCC acquisition language was included
in contracts. The Chief Information Officer stated that the department
already has regulations in place to ensure new acquisitions meet FDCC
requirements. We agree that the department has regulations in place.
However, as indicated in our report, the FDCC acquisition language had
not been incorporated into all contracts. The Department of Homeland
Security's comments are reprinted in appendix VIII.
* In written and oral comments on a draft of the report, the
Department of Housing and Urban Development's Chief Information
Officer generally concurred with 3 of our 4 recommendations. In
written comments on our recommendation that the department ensure FDCC
acquisition language is included in contracts, he stated that the
department had a policy in place for including clauses in contracts.
After subsequent discussion with department representatives, they
orally concurred with our recommendation. In written comments on our
recommendation that the department develop, document, and implement a
policy to approve deviations to FDCC by a designated accrediting
authority, the Chief Information Officer stated that the department
had provided us with a copy of its policy for approving deviations in
December 2009. After reviewing additional documentation provided, we
agree that the department had met the requirement, modified the report
as appropriate, and removed the recommendation. The Department of
Housing and Urban Development's comments are reprinted in appendix IX.
* In written comments on a draft of the report, the Department of the
Interior's Assistant Secretary for Policy, Management, and Budget
concurred with our recommendations, subject to modifications that
reduced redundancy in the recommendations and clarified that
components should follow the department's policy related to
documenting and approving deviations, and acquiring and deploying NIST-
validated tools to monitor compliance with FDCC. We agree that the
suggested modifications clarified the intent of our recommendations,
and have modified the recommendations accordingly. The Department of
the Interior's comments are reprinted in appendix X.
* In written and oral comments on a draft of the report, the
Department of Labor's Assistant Secretary for Administration and
Management generally concurred with 1 of our 2 recommendations,
subject to modification that clarified that FDCC acquisition language
had been included in some contracts but not in all. After reviewing
additional documentation provided, we modified the recommendation as
appropriate. In written comments on our recommendation that the
department complete deployment of a NIST-validated SCAP tool, the
Assistant Secretary for Administration and Management stated that
deployment of the tool had been completed prior to the end of our
audit field work. After reviewing additional documentation provided,
we agree that the department had met the requirement, modified the
report as appropriate, and removed the recommendation. The Department
of Labor's comments are reprinted in appendix XI.
* In written and oral comments on a draft of the report, the Office of
Personnel Management's Chief Information Officer generally concurred
with 3 of our 4 recommendations. In written comments on our
recommendation on documenting deviations and having them approved by a
designated authority, he said that the department has documented its
deviations and approved them. After subsequent discussion with
department representatives, they orally concurred with our
recommendation. In addition, in written comments on our recommendation
to develop, document, and implement a policy to approve deviations to
FDCC by a designated authority, the Chief Information Officer stated
that the agency has a policy in place. After reviewing documentation
provided, we agree that the department had met the requirement,
modified the report as appropriate, and removed the recommendation.
The Office of Personnel Management's comments are reprinted in
appendix XIII.
* In e-mail and oral comments on a draft of the report, the Department
of Transportation's Chief Information Security Officer generally
concurred with our 2 recommendations, subject to modification that
clarified that the department had acquired a validated tool and was in
the process of fully deploying it. After reviewing additional
documentation provided, we modified table 5 in the report to include a
table footnote indicating a tool had been acquired but not deployed
and revised the recommendation as appropriate. In addition, in e-mail
comments on our recommendation to ensure that FDCC acquisition
language is included in contracts, the Chief Information Security
Officer stated that the department had provided a copy of the policy
guidance on contract clauses to us. After subsequent discussion with
department representatives, they orally concurred with our
recommendation.
Several agencies also provided technical comments, including one of
the two agencies to which we did not make recommendations. We have
incorporated these comments as appropriate. The remaining agency to
which we did not make recommendations stated that it did not have any
comments.
Furthermore, for appropriate coverage of a federal-wide information
technology contract issue, the Department of Defense suggested we add
a recommendation that contract language be included in the Federal
Acquisition Regulation "to ensure new acquisitions include FDCC
settings and products of information technology providers operate
effectively using them." However, it was not within the scope of our
review to evaluate whether such standard contract language was
necessary or what it would entail. Nonetheless, the Department of
Defense may wish to pursue this suggestion with OMB and other
stakeholders for possible promulgation of a Federal Acquisition
Regulation rule that would serve as a governmentwide template in
solicitations or contracts for ensuring that FDCC settings are
effectively incorporated and applied.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies to other
interested congressional committees, secretaries of the Departments of
Agriculture, Commerce, Defense, Education, Energy, Health and Human
Services, Homeland Security, Housing and Urban Development, the
Interior, Labor, State, Transportation, the Treasury, and Veterans
Affairs; the Attorney General; the administrators of the Environmental
Protection Agency, General Services Administration, National
Aeronautics and Space Administration, Small Business Administration,
and U.S. Agency for International Development; the commissioner of the
Social Security Administration; the chairman of the Nuclear Regulatory
Commission; and the directors of the National Science Foundation,
Office of Management and Budget, and Office of Personnel Management.
The report also is available at no charge on the GAO Web site at
[hyperlink, http://www.gao.gov].
If you or your staff have any questions regarding this report, please
contact me at (202) 512-6244 or at wilshuseng@gao.gov. Contact points
for our Offices of Congressional Relations and Public Affairs may be
found on the last page of this report. Key contributors to this report
are listed in appendix XVIII.
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Relative to the 24 major federal agencies covered by the Chief
Financial Officers Act, the objectives of our review were to (1)
identify the goals, objectives, and requirements for the initiative;
(2) determine the status of actions federal agencies have taken, or
plan to take, to implement the initiative; and (3) identify the
benefits, challenges, and lessons learned in implementing this
initiative.
To address our first objective, we reviewed applicable policies and
memorandums issued by the Office of Management and Budget (OMB) and
plans, artifacts, and other documentation provided by the National
Institute of Standards and Technology (NIST). We also reviewed
guidance and Federal Desktop Core Configuration (FDCC) and Security
Content Automation Protocol (SCAP) materials located on NIST's Web
site. In addition, we held discussions with OMB and NIST
representatives to further assess the initiative's requirements and
confirm that the material posted on their Web sites that we considered
was current and accurate.
To address our second and third objectives, we obtained and analyzed
policies, plans, artifacts, status reports, and other documentation
relative to the requirements of the initiative from each of the 24
federal agencies in our review. We obtained information through
interviews with officials from each of the 24 agencies, industry
officials, security experts, officials from General Services
Administration's Policy Utilization Assessment Program, and members of
the Chief Information Officers Council and FDCC Change Control Board.
We also met with staff from all 24 Offices of the Inspector General
regarding their FDCC audit work performed as part of Federal
Information Security Management Act fiscal year 2008 and 2009
reporting to obtain information on their audit methodology, findings,
and related documentation. Based on our review of the adequacy of work
performed, we have sufficient assurance to rely on work completed by
the inspectors general in the context of our audit objective related
to whether the agency had documented deviations and had incorporated
language related to the use of FDCC settings into its contracts. We
also analyzed the information we obtained from all sources to
determine the benefits, challenges, and lessons learned from
implementation of FDCC.
For our second objective, in order to determine the status of FDCC
implementation at federal agencies, we developed a data collection
instrument to obtain information on the number of workstations that
had FDCC settings applied, either with no deviations or with
deviations established at these agencies. To develop our data
collection instrument, we reviewed the requirements of the initiative
as well as the results from a previous data collection instrument used
by NIST to collect status information on FDCC as of March 2008. We
designed the draft collection instrument in close collaboration with
subject matter experts and participated in refining subsequent drafts
of the instrument. We sent the data collection instrument to the
officials at the Office of Chief Information Officer at the 24 federal
agencies and asked the agencies to provide status information as of
June 30, 2009, and as of September 30, 2009.
We e-mailed our first data collection instrument, to collect FDCC
status data as of June 30, 2009, to all 24 agencies in early June
2009. When our collection ended in July 2009, we had received 19
usable responses. After examining the results from this data
collection to identify inconsistencies and other indications of error,
we concluded that the extent of response error and the overall low
level of participation precluded the use of these data in our report.
To refine the data collection instrument to collect September 2009
data, we conducted pretests with officials from 3 agencies to clarify
any ambiguous or potentially biased questions. These pretests were
conducted by telephone with the 3 agencies, which were chosen to
represent the variety of characteristics across the 24 agencies we
would survey. These characteristics included the operating system
used, type of workstation, composition and size of the agency, and
method used to collect status information.
We sent this instrument to agency officials in mid-September 2009. We
conducted follow-up contacts by e-mail and phone to encourage response
and clarify individual answers. We received usable responses from 22
agencies, and ended the data collection period in November 2009. While
our evaluation of the instrument data indicates that it is usable for
the purposes of this report, the information may not be complete due
to the inability of some agencies to provide information in the
categories we requested, including some of the data supporting our
estimates of contractor-owned workstations with FDCC compliance, and
possibly some other estimates.
We conducted this performance audit from December 2008 to March 2010
in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
[End of section]
Appendix II: Percentage of Agency Workstations with FDCC Settings
Implemented as of September 2009:
The table below shows, for the 24 agencies from which we collected
data using our data collection instrument, the percentage of
applicable Windows XP and Vista workstations that have all FDCC
settings implemented with no deviations, workstations with an agency
baseline implemented and deviations documented, and workstations that
do not have the settings implemented.
Table 7: Agency-Reported Percentages of Workstations with FDCC
Settings Implemented as of September 2009:
Columns: (a) implemented without deviations; (b) implemented with
deviations (agency baseline); (c) not implemented.

Agency                                        Platform  (a)             (b)             (c)
Agriculture                                   XP        8%              0%              92%
Agriculture                                   Vista     0%              0%              100%
Commerce                                      XP        9%              91%             0%
Commerce                                      Vista     23%             77%             0%
Defense                                       XP        0%              96%             4%
Defense                                       Vista     99%             0%[A]           1%
Education                                     XP        0%              100%            0%
Education                                     Vista     0%              100%            0%
Energy                                        XP        Unknown         72%             Unknown
Energy                                        Vista     Unknown         71%             Unknown
Environmental Protection Agency               XP        Unknown         Unknown         Unknown
Environmental Protection Agency               Vista     Unknown         Unknown         Unknown
General Services Administration               XP        0%              84%             16%
General Services Administration               Vista     Not applicable  Not applicable  Not applicable
Health and Human Services                     XP        0%              99%             1%
Health and Human Services                     Vista     0%              94%             6%
Homeland Security                             XP        0%              5%              95%
Homeland Security                             Vista     0%              29%             71%
Housing and Urban Development                 XP        0%              100%            0%
Housing and Urban Development                 Vista     Not applicable  Not applicable  Not applicable
Interior                                      XP        1%              48%             51%
Interior                                      Vista     69%             18%             13%
Justice                                       XP        3%              96%             1%
Justice                                       Vista     0%              100%            0%
Labor                                         XP        0%              100%            0%
Labor                                         Vista     Not applicable  Not applicable  Not applicable
National Aeronautics and Space Administration XP        Unknown         87%             Unknown
National Aeronautics and Space Administration Vista     Unknown         52%             Unknown
National Science Foundation                   XP        0%              100%            0%
National Science Foundation                   Vista     Not applicable  Not applicable  Not applicable
Nuclear Regulatory Commission                 XP        0%              100%            0%
Nuclear Regulatory Commission                 Vista     Not applicable  Not applicable  Not applicable
Office of Personnel Management                XP        1%              40%             59%
Office of Personnel Management                Vista     Not applicable  Not applicable  Not applicable
Small Business Administration                 XP        0%              100%            0%
Small Business Administration                 Vista     Not applicable  Not applicable  Not applicable
Social Security Administration                XP        0%              100%            0%
Social Security Administration                Vista     0%              100%            0%
State                                         XP        0%              100%            0%
State                                         Vista     0%              100%            0%
Transportation                                XP        0%              100%            0%
Transportation                                Vista     Not applicable  Not applicable  Not applicable
Treasury                                      XP        0%              99%             1%
Treasury                                      Vista     0%              99%             1%
U.S. Agency for International Development     XP        0%              100%            0%
U.S. Agency for International Development     Vista     Not applicable  Not applicable  Not applicable
Veterans Affairs                              XP        Unknown         Unknown         Unknown
Veterans Affairs                              Vista     Unknown         Unknown         Unknown
Source: GAO analysis of data reported by agencies in GAO data
collection instrument.
Note: Percentages in the table have been rounded. Contractor-owned
workstations were included in an agency's totals when the agency did
not report them separately from government-owned workstations.
Agencies that did not have Vista workstations are listed as not
applicable. An agency that was unable to provide sufficient data to
determine the status of implementation is listed as unknown.
[A] Agency reported having no deviations for the implementation of the
settings on this operating system.
[End of table]
[End of section]
Appendix III: Recommendations to Departments and Agencies:
Agriculture:
To improve the department's implementation of FDCC, we recommend that
the Secretary of Agriculture take the following three actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion;
* document deviations to FDCC and have them approved by a designated
accrediting authority; and:
* develop, document, and implement a policy to approve deviations by a
designated accrediting authority.
Commerce:
To improve the department's implementation of FDCC, we recommend that
the Secretary of Commerce take the following three actions:
* ensure all components have acquired and deployed a NIST-validated
SCAP tool to monitor compliance with FDCC;
* ensure all components develop, document, and implement a policy to
monitor FDCC compliance using a NIST-validated SCAP tool; and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Defense:
To improve the department's implementation of FDCC, we recommend that
the Secretary of Defense take the following two actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion, and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Energy:
To improve the department's implementation of FDCC, we recommend that
the Secretary of Energy take the following five actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion;
* document deviations to FDCC and have them approved by a designated
accrediting authority;
* ensure all components that are required to implement FDCC have
acquired and deployed a NIST-validated SCAP tool to monitor compliance
with FDCC;
* ensure all components that are required to implement FDCC develop,
document, and implement a policy to monitor FDCC compliance using a
NIST-validated SCAP tool; and:
* ensure that language is included in contracts of those components
that are required to implement FDCC to ensure new acquisitions include
FDCC settings and products of information technology providers operate
effectively using them.
Environmental Protection Agency:
To improve the agency's implementation of FDCC, we recommend that the
Administrator of the Environmental Protection Agency take the
following two actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion, and:
* develop, document, and implement a policy to approve deviations to
FDCC by a designated accrediting authority.
General Services Administration:
To improve the agency's implementation of FDCC, we recommend that the
Administrator of the General Services Administration take the
following action:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion.
Health and Human Services:
To improve the department's implementation of FDCC, we recommend that
the Secretary of Health and Human Services take the following three
actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion;
* develop, document, and implement a policy to monitor FDCC compliance
using a NIST-validated SCAP tool; and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Homeland Security:
To improve the department's implementation of FDCC, we recommend that
the Secretary of Homeland Security take the following four actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion;
* develop, document, and implement a policy to approve deviations to
FDCC by a designated accrediting authority;
* develop, document, and implement a policy to monitor FDCC compliance
using a NIST-validated SCAP tool; and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Housing and Urban Development:
To improve the department's implementation of FDCC, we recommend that
the Secretary of Housing and Urban Development take the following
three actions:
* acquire and deploy a NIST-validated SCAP tool to monitor compliance
with FDCC;
* develop, document, and implement a policy to monitor FDCC compliance
using a NIST-validated SCAP tool; and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Interior:
To improve the department's implementation of FDCC, we recommend that
the Secretary of the Interior take the following three actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion;
* ensure all components implement the department's existing policy to
document deviations to FDCC and have those deviations approved by a
designated accrediting authority; and:
* ensure all components implement the department's existing policy to
acquire and deploy a NIST-validated SCAP tool and monitor compliance
with FDCC.
Justice:
To improve the department's implementation of FDCC, we recommend that
the Attorney General take the following four actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion;
* develop, document, and implement a policy to approve deviations to
FDCC by a designated accrediting authority;
* complete deployment of a NIST-validated SCAP tool to monitor FDCC
compliance; and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Labor:
To improve the department's implementation of FDCC, we recommend that
the Secretary of Labor take the following action:
* complete efforts to ensure that language is included in contracts to
ensure new acquisitions include FDCC settings and products of
information technology providers operate effectively using them.
National Aeronautics and Space Administration:
To improve the agency's implementation of FDCC, we recommend that the
Administrator of the National Aeronautics and Space Administration
take the following action:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion.
National Science Foundation:
To improve the agency's implementation of FDCC, we recommend that the
Director of the National Science Foundation take the following action:
* complete deployment of a NIST-validated SCAP tool to monitor FDCC
compliance.
Nuclear Regulatory Commission:
To improve the agency's implementation of FDCC, we recommend that the
Chairman of the Nuclear Regulatory Commission take the following two
actions:
* develop, document, and implement a policy to approve deviations to
FDCC by a designated accrediting authority, and:
* ensure that all components include language in contracts to ensure
new acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Office of Personnel Management:
To improve the agency's implementation of FDCC, we recommend that the
Director of the Office of Personnel Management take the following
three actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion;
* document deviations to FDCC and have them approved by a designated
accrediting authority; and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Small Business Administration:
To improve the agency's implementation of FDCC, we recommend that the
Administrator of the Small Business Administration take the following
two actions:
* develop, document, and implement a policy to approve deviations to
FDCC by a designated accrediting authority, and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Social Security Administration:
To improve the agency's implementation of FDCC, we recommend that the
Commissioner of the Social Security Administration take the following
four actions:
* develop, document, and implement a policy to approve deviations to
FDCC by a designated accrediting authority;
* complete deployment of a NIST-validated SCAP tool to monitor
compliance with FDCC;
* develop, document, and implement a policy to monitor FDCC compliance
using a NIST-validated SCAP tool; and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Transportation:
To improve the department's implementation of FDCC, we recommend that
the Secretary of Transportation take the following two actions:
* complete deployment of a NIST-validated SCAP tool to monitor
compliance with FDCC, and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Treasury:
To improve the department's implementation of FDCC, we recommend that
the Secretary of the Treasury take the following two actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion, and:
* ensure that all components include language in contracts to ensure
new acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
U.S. Agency for International Development:
To improve the agency's implementation of FDCC, we recommend that the
Administrator of the U.S. Agency for International Development take
the following action:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Veterans Affairs:
To improve the department's implementation of FDCC, we recommend that
the Secretary of Veterans Affairs take the following four actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion;
* acquire and deploy a NIST-validated SCAP tool to monitor compliance
with FDCC;
* develop, document, and implement a policy to monitor FDCC compliance
using a NIST-validated SCAP tool; and:
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
[End of section]
Appendix IV: Comments from the U.S. Department of Agriculture:
United States Department of Agriculture:
Office of the Chief Information Officer:
1400 Independence Avenue SW:
Washington, DC 20250:
To: Gregory Wilshusen:
Director:
Information Security Issues:
Government Accountability Office:
From: [Signed by] Christopher L. Smith:
Chief Information Officer:
Office of the Chief Information Officer:
Subject: USDA Comments on Draft Report GAO-10-202:
The United States Department of Agriculture (USDA) is pleased with the
opportunity to review and comment on the draft GAO report Information
Security: Agencies Need to Implement Federal Desktop Core
Configuration Requirements (GAO-10-202).
USDA agrees with and accepts the findings of the draft Report, as they
pertain to USDA. The draft Report recommends that the Secretary of
Agriculture take the following three actions:
* complete implementation of the agency's FDCC baseline, including
establishing firm milestones for completion;
* document deviations to FDCC and have them approved by a designated
accrediting authority (DAA); and
* develop, document, and implement a policy to approve deviations by a
designated accrediting authority.
We support GAO's call for further clarification from OMB on the
governmentwide standards for documenting deviations from the FDCC and
would be pleased to work with OMB, NIST and other departments and
agencies to further that end.
[End of section]
Appendix V: Comments from the Department of Commerce:
Note: GAO's comment supplementing those in the report's text appears
at the end of this appendix.
The Secretary Of Commerce:
Washington, D.C. 20230:
February 18, 2010:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
Government Accountability Office:
Washington, DC 20548:
Dear Mr. Wilshusen:
Thank you for the opportunity to review the General Accountability
Office's (GAO) draft report, "Information Security: Agencies Need to
Implement Federal Desktop Core Configuration Requirements" (GAO-10-
202).
We concur that this report is a reasonable assessment of the current
Federal Desktop Core Configuration (FDCC) situation among federal
agencies. The Department of Commerce (Department) offers the following
comments regarding the GAO's conclusions.
* As noted in GAO-10-202, there remain some technically problematic
FDCC settings for many agencies and, as such, there may be some
scenarios where risk should be accepted.
* FDCC applicability has been clarified by the National
Telecommunications and Information Administration's guidance; however,
it has not been officially issued in an updated memorandum from the
Office of Management and Budget (OMB).
* There is not clear guidance from OMB in regard to FDCC deviations
and how these deviations are documented by federal agencies; the FDCC
deviations are an operational necessity in some cases.
* Collaboration on future secure configuration standards should
involve a broader audience.
* On page 11, the report states that FDCC provides a baseline level of
security; however, during meetings with GAO, the Department's National
Institute of Standards and Technology has expressed that we do not
consider FDCC to be a baseline. [See comment 1]
We look forward to further communications with GAO regarding its
conclusions.
Sincerely,
Signed by:
Gary Locke:
The following are GAO's comments on the Department of Commerce's
letter dated February 18, 2010.
GAO Comment:
1. In its March 2007 directives,[Footnote 44] OMB stated that an
objective of FDCC was to provide a baseline level of security to
agencies. We used OMB's characterization of FDCC for this report.
[End of section]
Appendix VI: Comments from the Department of Defense:
Office Of The Assistant Secretary Of Defense:
Networks And Information Integration:
6000 Defense Pentagon:
Washington, D.C. 20301-6000:
Gregory C. Wilshusen:
Director, Information Security Issues:
Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Wilshusen:
This is the Department of Defense (DoD) response to the Government
Accountability Office (GAO) draft report, GAO-10-202, "Information
Security: Agencies Need to Implement Federal Desktop Core
Configuration (FDCC) Requirements" dated January 20, 2010 (GAO Code
311014).
I share the GAO conclusion that the FDCC initiative was an innovative
approach by OMB to standardize and thereby strengthen information
security at federal agencies.
I appreciate the opportunity to provide the enclosed comments on the
draft report. My staff and I are responsible for overseeing the
implementation of the GAO report recommendations. My point of contact
for questions regarding FDCC is Mr. John Hunter, (703) 602-9927.
Sincerely,
Signed by:
Gary D. Guissanie:
Acting Deputy Assistant Secretary of Defense (Cyber, Identity and
Information Assurance):
Enclosure: As stated:
[End of letter]
GAO Draft Report Dated January 20, 2010:
GAO-10-202 (GAO Code 311014):
"Information Security: Agencies Need To Implement Federal Desktop Core
Configuration Requirements"
Department Of Defense Comments To The GAO Recommendations:
Recommendation 1: The GAO recommends that the Secretary of Defense
complete implementation of the agency's Federal Desktop Core
Configuration (FDCC) baseline, including establishing firm milestones
for completion. (See pages 51-52/GAO Draft Report)
DoD Response: Concur. The Department of Defense has made significant
progress in implementing the FDCC baseline, and the Assistant
Secretary of Defense (Networks and Information Integration) will work
with the Components to establish firm milestones for completion.
Recommendation 2: The GAO recommends that the Secretary of Defense
ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them. (See pages 51-
52/GAO Draft Report)
DoD Response: Concur. The Assistant Secretary of Defense (Networks and
Information Integration) will work closely with the OSD staff and
Components to ensure new acquisitions include FDCC settings.
Additional Recommendation From Department Of Defense: Contract
language should be included in the Federal Acquisition Regulation
(FAR) "to ensure new acquisitions include FDCC settings and products
of information technology providers operate effectively using them."
This would provide the appropriate coverage for a Federal-wide IT
contract issue.
Rationale: FDCC is a Federal Government-wide mandate, not a Defense-
specific acquisition requirement.
[End of section]
Appendix VII: Comments from the General Services Administration:
U.S. General Services Administration:
GSA Administrator:
1800 F Street, NW:
Washington, DC 20405-0002:
Telephone: (202) 501-0880:
Fax: (202) 219-1243:
[hyperlink, http://www.gsa.gov]
February 22, 2010:
The Honorable Gene L. Dodaro:
Acting Comptroller General of the United States:
U.S. Government Accountability Office:
Washington, DC 20548:
Dear Mr. Dodaro:
The U.S. General Services Administration (GSA) appreciates the
opportunity to review and comment on the draft report, "Information
Security: Agencies Need to Implement Federal Desktop Core
Configuration (FDCC) Requirements" (GAO-10-202). The U.S. Government
Accountability Office (GAO) recommends that the GSA Administrator
improve the agency's implementation of FDCC.
We agree with the findings and recommendation and will take
appropriate action. GSA will complete implementation of the agency's
FDCC baseline, including establishing firm milestones for completion.
If you have any additional questions or concerns, please do not
hesitate to contact me. Staff inquiries may be directed to Ms.
Kathleen Turco, Chief Financial Officer. She can be reached at (202)
501-1721.
Sincerely,
Signed by:
Martha Johnson:
Administrator:
cc:
Mr. Gregory C. Wilshusen:
Director, Information Technology Security Issues:
GAO:
[End of section]
Appendix VIII: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
Memorandum For: Gregory C. Wilshusen:
Director, Information Security Issues:
Government Accountability Office:
From: Richard A. Spires:
Chief Information Officer:
Subject: Comment to GAO Report #10-202 "Information Security: Agencies
Need to Implement Federal Desktop Core Configuration Requirements"
The Department of Homeland Security (DHS) Office of the Chief
Information Officer (OCIO) has reviewed the findings of the Government
Accountability Office (GAO) Report, #10-202 "Information Security:
Agencies Need to Implement Federal Desktop Core Configuration
Requirements," dated February 2010.
The increase in security incidents and continuing weakness in security
controls on information technology systems at federal agencies
highlight the continuing need for improved information security. To
standardize and strengthen agencies' security, the Office of
Management and Budget (OMB), in collaboration with the National
Institute of Standards and Technology (NIST), launched the Federal
Desktop Core Configuration (FDCC) initiative in 2007. GAO was asked to
(1) identify the goals, objectives, and requirements of the
initiative; (2) determine the status of actions federal agencies have
taken, or plan to take, to implement the initiative; and (3) identify
the benefits, challenges, and lessons learned in implementing this
initiative. To accomplish this, GAO reviewed policies, plans, and
other documents at the 24 major executive branch agencies; reviewed
OMB and NIST guidance and documentation; and interviewed officials.
GAO recommended that DHS take four actions to improve the Department's
implementation of FDCC. OCIO's comments on the specific
recommendations are as follows:
Recommendation #1: Complete implementation of the agency's FDCC
baseline, including establishing firm milestones for completion.
OCIO March 2010 Response: OCIO concurs. DHS developed a FDCC draft
baseline which is currently under review by the designated accrediting
authority. A copy of the FDCC draft baseline and the FDCC compliance
milestone tracking status is enclosed for your reference.
Recommendation #2: Develop, document, and implement a policy to
approve deviations to FDCC by a designated accrediting authority.
OCIO March 2010 Response: OCIO concurs. DHS has developed a process to
approve deviations from the FDCC baseline, which is maintained and
controlled by the DHS Infrastructure Change Control Board (ICCB). A
copy of the draft "FDCC Baseline Update Process" is enclosed for your
reference.
Recommendation #3: Develop, document, and implement a policy to
monitor FDCC compliance using a NIST-validated Security Content
Automation Protocol (SCAP) tool.
OCIO March 2010 Response: OCIO concurs. Each DHS Component has chosen
a NIST-validated SCAP tool that best fits into its IT infrastructure.
Below is a list of the SCAP tools used by each Component to monitor
their FDCC compliance:
* Customs and Border Protection uses Big Fix.
* U.S. Citizenship and Immigration Services uses McAfee.
* Federal Emergency Management Agency uses Tenable Nessus.
* Federal Law Enforcement Training Center uses Tenable Nessus and
McAfee.
* DHS Headquarters uses Tenable Nessus and McAfee.
* Immigration and Customs Enforcement uses Big Fix.
* DHS Office of Inspector General uses Tenable Nessus.
* Transportation Services Administration uses Secure Elements C5.
* U.S. Coast Guard uses Secutor Prime.
* U.S. Secret Service uses Threat Guard.
Recommendation #4: Ensure that language is included in contracts to
ensure new acquisitions include FDCC settings and products of
information technology providers operate effectively using them.
OCIO March 2010 Response: OCIO concurs with caveat. DHS already has
regulations in place to ensure new acquisitions meet FDCC
requirements. The Department of Homeland Security Acquisition
Regulation (HSAR) of June 2006 establishes uniform acquisition
policies and procedures, which implement and supplement the Federal
Acquisition Regulation (FAR).
HSAR Section 3052.204-70 "Security requirements for unclassified
information technology resources of the HSAR" states:
Within 6 months after contract award, the contractor shall submit
written proof of IT Security accreditation to DHS for approval by the
DHS Contracting Officer. Accreditation will proceed according to the
criteria of the DHS Sensitive System Policy Publication, 4300A
(Version 2.1, July 26, 2004) or any replacement publication, which the
Contracting Officer will provide upon request. This accreditation will
include a final security plan, risk assessment, security test and
evaluation, and disaster recovery plan/continuity of operations plan.
This accreditation, when accepted by the Contracting Officer, shall be
incorporated into the contract as a compliance document. The
contractor shall comply with the approved accreditation documentation.
DHS Sensitive System Policy Publication 4300A, ID 3.7.e states:
"Workstations shall be configured in accordance with DHS guidance on
FDCC."
Enclosures:
DHS FDCC baseline:
DHS FDCC compliance milestone tracking status:
DHS FDCC Baseline Update Process:
MD 4300A "DHS Sensitive Systems Policy Directive 4300A:"
311014 Draft GAO #10-202 for Agency Comment, "Information Security:
Agencies Need to Implement Federal Desktop Core Configuration
Requirements"
[End of section]
Appendix IX: Comments from the Department of Housing and Urban
Development:
Note: GAO's comments supplementing those in the report's text appear
at the end of this appendix.
U.S. Department Of Housing And Urban Development:
Office Of The Chief Information Officer:
Washington, D.C. 20410-3000:
February 17, 2010:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Wilshusen:
Thank you for the opportunity to comment on the Government
Accountability Office (GAO) draft report entitled, Information
Security: Agencies Need to Implement Federal Desktop Core
Configuration Requirements (GAO-10-202).
The Department of Housing and Urban Development reviewed the draft
report and concurs with the following recommendations for Executive
Actions:
* acquire and deploy a NIST-validated SCAP tool to monitor compliance
with FDCC;
* develop, document, and implement a policy to monitor FDCC compliance
using a NIST-validated SCAP tool.
With respect to the above items, HUD anticipates a contract award in
the 3rd quarter of Fiscal Year 2010, with implementation by September
30, 2010.
However, HUD provides the following comments to address the remaining
recommendations:
* develop, document, and implement a policy to approve deviations to
FDCC by a designated accrediting authority. [See comment 1]
The Department has developed a FDCC Waiver Request Standard Operating
Procedure (SOP). In response to a GAO request, the attached document
was provided on December 15, 2009.
* ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them. [See comment 2]
Attached is a standard contract clause that the HUD Chief Procurement
Officer issued in June 2007 for use in all IT contracts. HUD is in
compliance with the above language requirement for new acquisitions.
The Department remains committed to improving information security and
reducing Information Technology operating costs, the major goals of
the FDCC. More definitive information with timelines will be provided
once the final report has been issued.
If you have any questions or require additional information, please
contact Jerry E. Williams, Chief Information Officer, at 202-708-0306.
Sincerely,
Signed by: [Illegible], for:
Jerry E. Williams:
Chief Information Officer:
Enclosure:
The following are GAO's comments on the Department of Housing and
Urban Development's letter dated February 17, 2010.
GAO Comments:
1. After reviewing additional documentation provided by department
representatives, we agreed that the department had met the requirement
and modified the column "have policy to approve deviations by
designated authority" in table 4 from "no" to "yes." The
recommendation to this finding was removed from the report.
2. After subsequent discussion with department representatives, they
orally concurred with our recommendation.
[End of section]
Appendix X: Comments from the Department of the Interior:
United States Department of the Interior:
Office Of The Secretary:
Washington, DC 20240:
February 23, 2010:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Wilshusen:
Thank you for providing the Department of the Interior the opportunity
to review and comment on the draft Government Accountability Office
Report entitled, "Information Security: Agencies Need to Implement
Federal Desktop Core Configuration Requirements" (GA0-10-202).
The Department concurs with the recommendations subject to the
modifications suggested in the enclosure.
We hope the technical comments and the additional information provided
will assist you in preparing the final report. If you have any
questions, or need additional information, please contact the
Department's Chief Information Security Officer (CISO), Lawrence K.
Ruffin, at (202) 208-5419 or Davene Barton at (202) 208-5438.
Sincerely,
Signed by:
Rhea Suh:
Assistant Secretary:
Policy, Management and Budget:
Enclosure:
[End of section]
Appendix XI: Comments from the Department of Labor:
Note: GAO's comments supplementing those in the report's text appear
at the end of this appendix.
U.S. Department of Labor:
Office of the Assistant Secretary for Administration and Management:
Washington, D.C. 20210:
February 12, 2010:
Gregory C. Wilshusen:
Director, Information Security Issues:
Government Accountability Office:
441 G Street, N.W.
Washington, DC 20548:
Dear Mr. Wilshusen:
This letter is provided in response to the draft report GAO-10-202,
Agencies Need to Implement Federal Desktop Core Configuration
Requirements, dated February 2010. We take seriously our
responsibility to ensure the protection of our computer systems and
information with which we are entrusted.
Overall, the draft report provides a fair depiction of the Department
of Labor (DOL) efforts to meet the OMB's mandate for implementing the
Federal Desktop Core Configuration (FDCC). However, I ask that the GAO
reconsider their assessment regarding the Department's implementation
of a National Institute of Standards and Technology (NIST)-validated
Security Content Automation Protocol (SCAP) tool and FDCC acquisition
language. The areas in the draft report to reconsider include:
* Page 26, Table 5: Through the deployment and use of ThreatGuard DOL
has met the requirements for acquiring and utilizing a NIST-validated
SCAP tool, thus the table should indicate a "Yes" response. DOL
currently utilizes the tool to monitor all DOL agency FDCC baseline
configurations and also conducts periodic scans of agency baselines
configuration to ensure continuing compliance. [See comment 1]
* Page 28, Table 6: All appropriate new contracts awarded since the
issuance of the OMB mandate include the required FDCC acquisition
language as appropriate, thus the table should indicate partial
implementation. This statement is further supported by the FY09 OIG
FISMA assessment results. DOL acknowledges that challenges exist in
updating legacy contracts issued prior to OMB mandate. Additionally,
DOL has begun a comprehensive exercise to review and modify all
appropriate legacy contracts to include the required FDCC language
over the next 18 months. [See comment 2]
* Page 55, Bullet 1: Recommends DOL complete deployment of a NIST-
validated SCAP tool to monitor FDCC compliance. DOL has implemented a
NIST-validated SCAP tool called ThreatGuard. The tool provides DOL
adequate capabilities for monitoring its compliance with FDCC and
other NIST issued SCAP content. DOL is planning to enhance its use of
ThreatGuard and other DOL implemented NIST-validated SCAP tools to
provide real-time monitoring of baseline configurations in Fiscal Year
2011. [See comment 3]
* Page 55, Bullet 2: Recommends DOL ensure FDCC language is included
in contracts. As mentioned above, all new contracts comply with the
FDCC mandate. DOL plans to modify all legacy contracts to include the
required FDCC language over the next 18 months. [See comment 4]
Thank you again for the opportunity to comment on the draft report. If
you have any questions or you require further discussion about our
comments, please have your staff contact Mrs. Tonya Manning, DOL Chief
Information Security Officer, at Manning.Tonya@dol.gov or 202-693-4431.
Sincerely,
Signed by:
T. Michael Kerr:
Assistant Secretary for Administration and Management:
Chief Information Officer:
The following are GAO's comments on the Department of Labor's letter
dated February 12, 2010.
GAO Comments:
1. After reviewing additional documentation provided, we agreed that
the department had met the requirement and modified the column "NIST-
validated SCAP tool acquired and deployed" in table 5 from "no" to
"yes."
2. After reviewing additional documentation provided by department
representatives, we agreed that the department had partially met the
requirement and modified the column "language incorporated" in table 6
from "no" to "partially."
3. The recommendation to this finding was removed (see comment 1).
4. The recommendation to this finding was modified as appropriate (see
comment 2).
[End of section]
Appendix XII: Comments from the National Aeronautics and Space
Administration:
National Aeronautics and Space Administration:
Headquarters:
Office of the Chief Information Officer:
Washington, DC 20546-0001:
February 19, 2010:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
United States Government Accountability Office:
Washington, DC 20548:
Dear Mr. Wilshusen:
The National Aeronautics and Space Administration (NASA) appreciates
the opportunity to review and comment on the draft report entitled,
"Information Security: Agencies Need to Implement Federal Desktop Core
Configuration Requirements" (GA0-10-202).
In the draft report, GAO makes one recommendation relating to NASA's
implementation of Federal Desktop Core Configuration (FDCC)
requirements, specifically:
Recommendation: To improve the agency's implementation of FDCC, we
recommend that the Administrator of the National Aeronautics and Space
Administration complete implementation of the agency's FDCC baseline,
including establishing firm milestones for completion.
Response:
NASA will establish firm milestones to complete an implementation of
the agency's FDCC baseline while exercising caution not to disable
unique mission orientated capabilities. IT security is a compromise
between available capabilities and applicable controls.
NASA set a goal for 85 percent of the agency systems within the
defined FDCC software and system scope to comply with the original
core configuration requirement. NASA believes general purpose office
automation systems are more amenable to the use of the FDCC controls
than systems which provide Agency mission-unique functions. Therefore,
the 85 percent implementation baseline goal represents an operational
reality and offers a reasonable balance between security configuration
and operational necessities.
NASA would like to note that future guidance and configurations must
keep pace with industry updates in common operating systems and
applications. The FDCC technical guidance and policy releases tend to
lag behind software releases. In order to remain relevant and viable,
FDCC technical and policy development must advance at the pace of
Federal Agency procurements of new commercial software.
Thank you for the opportunity to review the draft report. We look
forward to your final report to Congress. If you have any questions or
require additional information, please don't hesitate to contact the
NASA Deputy CIO for IT Security, Jerry Davis at (202) 358-1401.
Sincerely,
Signed by:
Linda Cureton:
Chief Information Officer:
[End of section]
Appendix XIII: Comments from the Office of Personnel Management:
Note: GAO's comments supplementing those in the report's text appear
at the end of this appendix.
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT:
Office of the Director:
Washington, DC 20415:
Memorandum For Gregory C. Wilshusen:
Director:
Government Accountability Office:
From: [Signed by] Matthew E. Perry:
Chief Information Officer:
Subject: Government Accountability Office Audit Regarding Agencies
Need to Implement Federal Desktop Core Configuration Requirements:
This memorandum is in response to the GAO (Government Accountability
Office) audit finding released in February of 2010, GAO-10-202 Federal
Desktop Core Configuration (FDCC). This memorandum will address two
areas: comments specific to the factual representations within the
report, as well as a response to the recommendations section of the
report.
Comments specific to the report:
1. Page 24, Table 4 states that the Office of Personnel Management
(OPM) did not provide deviations and had no policy to review
deviations. This is incorrect. OPM provided Office of Management and
Budget (OMB) the list of deviations for their data call on March 31
2008. OPM has updated its workstation configuration policy to require
that deviations be documented and approved through our Change Control
process. Both of these artifacts were provided to GAO during their
engagement.
2. Page 43-44, "GAO recommends that OMB, among other things, issue
explicit guidance on assessing the risks of deviations and monitoring
compliance with FDCC. GAO also recommends that agencies take steps to
fully implement FDCC requirements." For FDCC to be successful, the
guidance should come with funding.
3. Page 3, The initiative mandated that Federal agencies implement
standardized configuration settings on workstations with Windows XP or
Vista operating systems. FDCC needs to be updated to include Windows 7.
Response to the GAO Audit Recommendations:
Finding: "complete implementation of the agency's FDCC baseline,
including establishing firm milestones for completion;"
Response: OPM has completed several significant milestones for OPM's
FDCC compliance including integrating FDCC compliance into the new
image creation process for PCs deployed after March 2008. This ensures
that all new PCs adhere to OPM standards for FDCC compliance. OPM has
not established a timeline for testing and evaluating images that were
deployed prior to the FDCC adoption in March of 2008. OPM has a FY
2010 project defined to coordinate the testing of FDCC settings with
OPM legacy images and test all legacy COTS and custom developed
applications for interoperability. Due to the complexity of this
initiative, we anticipate that this project will be completed in 2011.
Finding: "document deviations to FDCC and have them approved by a
designated accrediting authority;" [See comment 1]
Response: OPM has been documenting deviations for all FDCC settings
since 2008. All images along with the deviations presently go through
the OPM Change Control Board (CCB) for approval and documentation.
This CCB process is in line with the accreditation boundary of the
LAN/WAN general support system which includes image security controls
and is monitored as part of OPM's continuous monitoring processes.
Finding: "develop, document, and implement a policy to approve
deviations to FDCC by a designated accrediting authority;" [See
comment 2]
Response: OPM has updated and provided GAO the OPM Workstation
Hardening Policy which details the FDCC requirements as well as the
requirements to monitor and manage deviations within our change
control processes.
Finding: "ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them."
Response: In practice, the FDCC language has been inserted into major
IT initiatives ongoing at OPM, however, standard language has not been
universally adopted within all contracts. The CIO's office will work
to make the language standard in all new contracts and identify the
best means to address contract modifications for existing contracts.
In summary, OPM has addressed many of the FDCC compliance requirements
and all laptop computers and images deployed after March 2008 adhere
to the FDCC security settings. Additional projects are underway to
address legacy images to ensure uniform compliance.
The following are GAO's comments on the Office of Personnel
Management's letter dated March 2, 2010.
GAO Comments:
1. After subsequent discussion with agency representatives, they
orally concurred with our recommendation.
2. After reviewing additional documentation provided by agency
representatives, we agreed that the agency had met the requirement and
modified the column "have policy to approve deviations by designated
authority" in table 4 from "no" to "yes." The recommendation to this
finding was removed from the report.
[End of section]
Appendix XIV: Comments from the Social Security Administration:
Social Security Administration:
The Commissioner:
Baltimore, Md 21235-0001:
March 2, 2010:
Mr. Gregory Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, D.C. 20548:
Dear Mr. Wilshusen:
Thank you for the opportunity to review and comment on the Government
Accountability Office (GAO) draft report, "Information Security:
Agencies Need to Implement Federal Desktop Core Configuration
Requirements" (GAO-10-202). Attached is our response to the report.
If you have any questions, please contact me or have your staff
contact Candace Skurnik, Director, Audit Management and Liaison Staff
at (410) 965-4636.
Sincerely,
Signed by:
Michael J. Astrue:
Enclosure:
Comments On The Government Accountability Office (GAO) Draft Report,
"Information Security: Agencies Need To Implement Federal Desktop Core
Configuration (FDCC) Requirements" (GAO-10-202):
Recommendation 1:
Develop, document, and implement a policy to approve deviations to
FDCC by a designated accrediting authority.
Comment:
We agree. We already have a formal systems security policy that we
used to approve deviations to FDCC. Our policy and process for
managing security configurations is contained in our Information
Systems Security Handbook, Chapter 17. We will review this policy to
ensure that it adequately documents the review and approval of FDCC
deviations.
As an agency that manages more than 100,000 Windows systems, we take
the implementation of the FDCC settings very seriously. We continually
look for ways to reduce our exposure to cybersecurity threats and
protect our network and systems. Since the announcement of Commonly
Accepted Security Configurations for Windows Operating Systems in
2007, we have successfully met all FDCC milestones. We have procured a
validated Security Content Automation Protocol (SCAP) product, tested
our Windows configuration settings using the SCAP product, and
provided justification for SCAP deviations. Many of the SCAP
deviations we found are the result of more stringent agency settings
that exceed the FDCC standard. Our Office of Systems maintains
approved security configurations for Windows-based systems that
incorporate FDCC settings to securely accomplish our mission. We
conduct regular security assessments to review our approved security
configurations.
Recommendation 2:
Complete deployment of a NIST-validated SCAP tool to monitor
compliance with FDCC.
Comment:
We agree. We are currently testing McAfee's National Institute of
Standards and Technology (NIST)-validated Security Content Automation
Protocol (SCAP) tool and anticipate deployment by the end of April
2010.
Recommendation 3:
Develop, document, and implement a policy to monitor FDCC compliance
using a NIST-validated SCAP tool.
Comment:
We agree. We will finalize our policy to monitor FDCC compliance as we
approach completion of NIST-validated SCAP tool testing.
Recommendation 4:
Ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
Comment:
We agree. We will include language in our contracts to ensure that new
acquisitions include FDCC settings and that information technology
products can operate effectively using the settings, where appropriate.
[End of section]
Appendix XV: Comments from the Department of the Treasury:
DEPARTMENT OF THE TREASURY:
WASHINGTON, D.C. 20220:
February 12, 2010:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
410 G Street, NW:
Washington, DC 20548:
Thank you for your draft report on "Information Security: Agencies
Need to Implement Federal Desktop Core Configuration Requirements." In
demonstrating our commitment to the Federal Desktop Core Configuration
(FDCC) initiative, Treasury has implemented the 674 FDCC settings on
the Department's 130,000 personal computers and laptops.
The Department appreciates GAO's recommendations to complete the
implementation of our FDCC baseline and to incorporate contract
language to ensure new acquisitions include FDCC settings and products
of IT providers operate effectively when using them. Responding to these
recommendations, the Department has developed language for new
acquisition contracts and anticipates completing implementation in
Fiscal Year 2010 for one remaining bureau. Additionally, the
Department has now completed implementation of its baseline with 100%
of its personal computers and laptops being FDCC compliant. With these
accomplishments, Treasury will receive the maximum protection and
benefit from FDCC guidelines.
Thank you for your important efforts during this review. Please do not
hesitate to contact me at 202-622-1200 should you have any questions.
Sincerely,
Signed by:
Michael D. Duffy:
Deputy Assistant Secretary for Information Systems and Chief
Information Officer:
[End of section]
Appendix XVI: Comments from the U.S. Agency for International
Development:
U.S. Agency for International Development:
1300 Pennsylvania Avenue, NW:
Washington, DC 20523:
February 18, 2010:
Mr. Thomas Melito:
Director:
International Affairs and Trade:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Melito:
I am pleased to provide the U.S. Agency for International Development's
(USAID) formal response on the draft GAO report entitled, "Information
Security: Agencies Need to Implement Federal Desktop Core Configuration
Requirements" (GAO-10-202).
The enclosed USAID comments are provided for incorporation with this
letter as an appendix to the final report.
Thank you for the opportunity to respond to the GAO draft report and
for the courtesies extended by your staff in the conduct of this audit
review.
Sincerely,
Signed by:
Drew W. Luten:
Senior Deputy Assistant Administrator:
Bureau of Management:
Enclosure: a/s:
USAID COMMENTS ON GAO Draft Report No. (GAO-10-202):
GAO Recommendation 1: To improve the agency's implementation of FDCC,
we recommend that the Administrator of the Agency for International
Development take the following action:
* Ensure that language is included in contracts to ensure new
acquisitions include FDCC settings and products of information
technology providers operate effectively using them.
USAID Management Response: USAID concurs with the recommendation.
[End of section]
Appendix XVII: Comments from the Department of Veterans Affairs:
Department of Veterans Affairs:
Office of the Secretary:
March 8, 2010:
Mr. Gregory C. Wilshusen:
Director:
Information Security Issues:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Wilshusen:
The Department of Veterans Affairs (VA) has reviewed the Government
Accountability Office's (GAO) draft report, Information Security:
Agencies Need to Implement Federal Desktop Core Configuration
Requirements (GAO-10-202). VA agrees with GAO's conclusions and concurs
with GAO's four recommendations to the Department.
The enclosure provides specific details on VA's actions to GAO's
recommendations. VA appreciates the opportunity to comment on your
draft report.
Sincerely,
Signed by:
John R. Gingrich:
Chief of Staff:
Enclosure:
Department of Veterans Affairs (VA) Comment to Government
Accountability Office (GAO) Draft Report Information Security: Agencies
Need to Implement Federal Desktop Core Configuration Requirements
(GAO-10-202):
GAO recommendation: To improve the department's implementation of FDCC,
we recommend that the Secretary of Veterans Affairs take the following
four actions:
Recommendation 1: Complete implementation of the agency's FDCC
baseline, including establishing firm milestones for completion.
VA Comments: Concur. The target date for completion of all FDCC
baseline settings is September 30, 2010. A project plan, complete with
milestones, has been established to monitor FDCC compliance.
GAO Recommendation 2: Acquire and deploy a NIST-validated SCAP tool to
monitor compliance with FDCC.
VA Comments: Concur. The VA owns three SCAP tools; however, due to
challenges involved in deploying each, none have been implemented to
date. VA plans to overcome these challenges and complete
implementation by September 30, 2010.
GAO Recommendation 3: Develop, document, and implement a policy to
monitor FDCC compliance using a NIST-validated SCAP tool.
VA Comments: Concur. A project plan has been established to monitor
FDCC compliance. The target date for issuance of a draft policy and
handbook (procedures) is September 2010.
GAO Recommendation 4: Ensure that language is included in contracts to
ensure new acquisitions include FDCC settings and products of
information technology providers operate effectively using them.
VA Comments: Concur. Draft VA Handbook 6500.6, Contract Security
(currently in final review by VA Records Management) provides the
following language that can be added to contracts, as appropriate,
regarding FDCC. The highlighted revisions address future versions of
browsers and operating systems.
Information System Design And Development:
Information systems that are designed or developed for, or on behalf
of VA at non-VA facilities shall comply with all VA directives
developed in accordance with FISMA, HIPAA, NIST, and related VA
security and privacy control requirements for Federal information
systems. This includes standards for the protection of electronic PHI,
outlined in 45 C.F.R. Part 164, Subpart C, information and system
security categorization level designations in accordance with FIPS 199
and FIPS 200 with implementation of all baseline security controls
commensurate with the FIPS 199 system security categorization
(reference Appendix D of VA Handbook 6500, VA Information Security
Program). During the development cycle a Privacy Impact Assessment
(PIA) must be completed, provided to the COTR, and approved by the VA
Privacy Service in accordance with Directive 6507, VA Privacy Impact
Assessment.
The contractor/subcontractor shall certify to the COTR that
applications are fully functional and operate correctly as intended on
systems using the VA Federal Desktop Core Configuration (FDCC) once
approved, and the common security configuration guidelines provided by
NIST or the VA. This includes Internet Explorer 7 configured to
operate on Windows XP, and Vista (in Protected Mode on Vista).
The standard installation, operation, maintenance, updating, and
patching of software shall not alter the configuration settings for
the VA approved and FDCC configuration. Information technology staff
must also use the Windows Installer Service for installation to the
default "program files" directory and silently install and uninstall.
[End of section]
Appendix XVIII: GAO Contact and Staff Acknowledgments:
GAO Contact:
Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov:
Staff Acknowledgments:
In addition to the individual named above, Jeffrey Knott (Assistant
Director), John Bainbridge, William Cook, Kami Corbett, Neil Doherty,
Michele Fejfar, Nancy Glover, Valerie Hopkins, Lee McCracken, Zsaroq
Powe, Carl Ramirez, and Shawn Ward made key contributions to this
report.
[End of section]
Footnotes:
[1] Most recently, GAO, High-risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January
2009).
[2] The 24 major departments and agencies are the Departments of
Agriculture, Commerce, Defense, Education, Energy, Health and Human
Services, Homeland Security, Housing and Urban Development, the
Interior, Justice, Labor, State, Transportation, the Treasury, and
Veterans Affairs; the Environmental Protection Agency, General
Services Administration, National Aeronautics and Space
Administration, National Science Foundation, Nuclear Regulatory
Commission, Office of Personnel Management, Small Business
Administration, Social Security Administration, and U.S. Agency for
International Development.
[3] 31 U.S.C. § 901.
[4] GAO, Information Security: Agencies Make Progress in
Implementation of Requirements, but Significant Weaknesses Persist,
[hyperlink, http://www.gao.gov/products/GAO-09-701T] (Washington,
D.C.: May 19, 2009).
[5] Statement of the Director of National Intelligence before the
Senate Select Committee on Intelligence, Annual Threat Assessment of
the Intelligence Community for the Senate Select Committee on
Intelligence (Washington, D.C.: Feb. 12, 2009).
[6] GAO, Information Security: Agencies Continue to Report Progress,
but Need to Mitigate Persistent Weaknesses, [hyperlink,
http://www.gao.gov/products/GAO-09-546] (Washington, D.C.: July 17,
2009).
[7] GAO, Information Security: NASA Needs to Remedy Vulnerabilities in
Key Networks, [hyperlink, http://www.gao.gov/products/GAO-10-4]
(Washington, D.C.: Oct. 15, 2009).
[8] GAO, Information Security: Further Actions Needed to Address Risks
to Bank Secrecy Act Data, [hyperlink,
http://www.gao.gov/products/GAO-09-195] (Washington, D.C.: Jan. 30,
2009).
[9] GAO, Information Security: Actions Needed to Better Protect Los
Alamos National Laboratory's Unclassified Computer Network,
[hyperlink, http://www.gao.gov/products/GAO-08-1001] (Washington,
D.C.: Sept. 9, 2008).
[10] GAO, Information Security: Homeland Security Needs to Immediately
Address Significant Weaknesses in Systems Supporting the US-VISIT
Program, [hyperlink, http://www.gao.gov/products/GAO-07-870]
(Washington, D.C.: Jul. 13, 2007).
[11] Enacted as title III of the E-Government Act of 2002, Pub. L. No.
107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002).
[12] According to agency-reported data, approximately 3.7 million
workstations in use at the 24 federal agencies use either Windows XP
or Windows Vista as the operating system.
[13] OMB Memorandum for Chief Information Officers, Managing Security
Risk By Using Common Security Configurations (Washington, D.C.: Mar.
20, 2007); OMB, Memorandum for the Heads of Departments and Agencies:
Implementation of Commonly Accepted Security Configurations for
Windows Operating Systems, M-07-11 (Washington, D.C.: Mar. 22, 2007).
[14] A group policy object is a collection of group policy settings
that is used as part of Microsoft's Active Directory service. The
service enables an administrator to define and make changes to various
security and policy settings for groups of users and computers.
[15] A virtual hard disk holds a virtual machine or computer, which
uses software to emulate a computer with a complete hardware system,
on another computer. Virtual hard disks can be used to validate the
effectiveness of the security configurations and test for
compatibility issues with legacy applications in a simulated
environment rather than on actual workstations.
[16] SCAP was developed by NIST in collaboration with the Departments
of Defense and Homeland Security and Mitre Corp to provide a
standardized approach to maintaining the security of enterprise
systems. With the announcement of FDCC, SCAP was utilized to check the
configuration settings on workstations. The FDCC SCAP content is
hosted on the National Checklist Program Web site. The National
Vulnerability Database is also being expanded to host the SCAP
component standards. See also NIST, Guide to Adopting and Using the
Security Content Automation Protocol (SCAP) (Draft), Special
Publication 800-117 (Gaithersburg, MD: May 2009).
[17] Under the NIST National Voluntary Laboratory Accreditation
Program, NIST accredits independent laboratories to perform specific
tests outlined in the SCAP Validation Program Derived Test
Requirements document on SCAP tools seeking validation. NIST
determines whether to validate a SCAP tool based on the test results
provided by the laboratory. Laboratories are accredited based on
requirements defined in NIST Handbook 150 and NIST Handbook 150-17.
[18] OMB Memorandum for Chief Information Officers, March 20, 2007;
OMB, M-07-11 (Mar. 22, 2007).
[19] OMB Memorandum for Chief Information Officers, March 20, 2007.
[20] A deviation occurs when the parameter for a particular setting is
different from the approved or official parameter for the setting. A
deviation can have more or less stringent parameters from that of the
approved parameter.
[21] OMB, M-07-11 (Mar. 22, 2007).
[22] NIST frequently asked questions posted on NIST's FDCC Web site,
January 28, 2008; OMB Memorandum for Chief Information Officers,
Guidance on the Federal Desktop Core Configuration (FDCC), M-08-22
(Washington, D.C.: Aug. 11, 2008).
[23] Federal Information Processing Standards are standards to be used
by federal organizations that are developed and published by NIST as
part of its mandates under 40 U.S.C. § 11331 and 15 U.S.C. § 278g-3,
as amended by FISMA.
[24] Encryption is used to provide basic data confidentiality and
integrity for data by transforming plain text into cipher text using a
special value known as a key and a mathematical process known as an
algorithm. A cryptographic hash function computes (or hashes) a fixed-
length message digest from an arbitrary-length message. A message
digest may be considered as an "electronic fingerprint" of the
original message. Signing with a digital signature is used to detect
unauthorized modifications to data and to authenticate the identity of
the signer.
[25] A log is a record of the events occurring within an
organization's systems and networks. Log management is essential to
ensuring that computer security records are stored in sufficient
detail for an appropriate period of time. Routine log analysis is
beneficial for identifying security incidents, policy violations,
fraudulent activity, and operational problems. Shutting down the
system if it is unable to log a security event helps to ensure that an
administrator will review the log and correct the problem in order to
recover the system for the user.
[26] OMB Memorandum for Chief Information Officers, March 20, 2007.
[27] NIST Frequently Asked Questions posted on NIST's FDCC Web site,
March 4, 2008; Chief Information Officers Council e-mail to chief
information officers on behalf of OMB, March 24, 2008.
[28] OMB, M-08-22 (Aug. 11, 2008).
[29] A department or agency accrediting authority is a senior
management official or executive with the authority to formally accept
responsibility for operating an information system at an acceptable
level of risk to agency operations, agency assets, or individuals.
[30] OMB Memorandum to Chief Information Officers, Establishment of
Windows XP and VISTA Virtual Machine and Procedures for Adopting the
Federal Desktop Core Configurations (Washington, D.C.: July 31, 2007).
[31] OMB, M-08-22 (Aug. 11, 2008).
[32] OMB Memorandum for Chief Information Officers and Chief
Acquisition Officers, Ensuring New Acquisitions Include Common
Security Configurations, M-07-18 (Washington, D.C.: June 1, 2007). In
February 2008, the Federal Acquisition Regulation was revised to
require agencies to use common security configurations, as
appropriate. See 48 C.F.R. § 39.101(d) (73 FR 10967, 10968, Feb. 28,
2008).
[33] Plans of action and milestones, also known as remedial action
plans, can help agencies identify and assess security weaknesses in
information systems such as deviations in system configurations, and
set priorities and monitor progress in correcting them.
[34] NIST Frequently Asked Questions posted on NIST's FDCC Web site,
March 4, 2008; Chief Information Officers Council e-mail to chief
information officers on behalf of OMB, March 24, 2008.
[35] OMB, Memorandum for Heads of Executive Departments and Agencies,
FY 2008 Reporting Instructions for the Federal Information Security
Management Act and Agency Privacy Management, M-08-21 (Washington,
D.C.: July 14, 2008).
[36] OMB Memorandum for Heads of Executive Departments and Agencies,
FY 2009 Reporting Instructions for the Federal Information Security
Management Act and Agency Privacy Management, M-09-29 (Washington,
D.C.: Aug. 20, 2009).
[37] These 5 agencies were the Departments of Education, Energy, and
Transportation; the Small Business Administration; and the Social
Security Administration.
[38] Agency implementation of FDCC may also not include implementation
of Windows Firewall or Internet Explorer 7 settings if these
applications are not being used by the agency.
[39] Encryption algorithms are mathematical processes used to
transform plain text into cipher text for the purposes of encryption.
[40] The Chief Information Officers Council established an FDCC Change
Control Board in June 2009 to make recommendations to OMB and NIST for
changes to the FDCC settings. The board has established a yearly
process during which it solicits suggestions for modifications to the
settings from federal agencies, reviews the suggestions, and provides
recommendations to NIST by July 1 of each year. The board plans to
make its first recommendations on settings in July 2010.
[41] The General Services Administration, under the direction of OMB,
established the Policy Utilization Assessment Program in order to (1)
conduct a series of implementation diagnostics to determine the extent
and effectiveness of agency implementation and utilization of OMB
information technology policies throughout the federal government; (2)
establish an assessment methodology and best practices for use by
individual agencies in improving policy implementation; and (3)
document lessons learned and governmentwide trends to assist OMB in
improving future information technology policy development efforts.
[42] Office of the Inspector General, U.S. Department of the Interior,
Evaluation of Information Technology System Configuration, ISD-EV-MOA-
0003-2009 (Washington, D.C.: Sept. 23, 2009).
[43] GAO, Information Security: Concerted Effort Needed to Improve
Federal Performance Measures, [hyperlink,
http://www.gao.gov/products/GAO-09-617] (Washington, D.C.: Sept. 14,
2009).
[44] OMB Memorandum for Chief Information Officers, March 20, 2007;
OMB, M-07-11 (Mar. 22, 2007).
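The deviation notion defined in footnote [20] (a setting whose parameter differs from the approved one, in either the more stringent or the less stringent direction), together with the approval and plan-of-action requirements in footnotes [29] and [33], can be made concrete as a small baseline check. The following Python is an added example, not code from GAO, NIST or any agency; the setting names, baseline values and collected sample values are constructed for illustration and are not the official FDCC parameters.

```python
# Added example, not GAO's, NIST's or any agency's code. Setting names and
# baseline values are constructed for illustration, not official FDCC parameters.
from dataclasses import dataclass
from enum import Enum


class Rule(Enum):
    EXACT = "exact"        # observed value must equal the baseline value
    AT_LEAST = "at_least"  # a larger observed value is more stringent
    AT_MOST = "at_most"    # a smaller observed value is more stringent


@dataclass(frozen=True)
class BaselineSetting:
    name: str
    value: object
    rule: Rule


# Constructed baseline entries (illustrative values, not the official FDCC ones).
BASELINE = (
    BaselineSetting("MinimumPasswordLength", 12, Rule.AT_LEAST),
    BaselineSetting("MaximumPasswordAge", 60, Rule.AT_MOST),
    BaselineSetting("LockoutBadCount", 5, Rule.AT_MOST),
    BaselineSetting("CrashOnAuditFail", 1, Rule.EXACT),
    BaselineSetting("AuditLogonEvents", "Success,Failure", Rule.EXACT),
)


@dataclass(frozen=True)
class Finding:
    name: str
    expected: object
    observed: object
    status: str  # compliant | more_stringent | less_stringent | deviation | missing


def classify(setting: BaselineSetting, observed) -> str:
    """Class of one observed value: equal to, more stringent or less stringent than baseline."""
    if observed is None:
        return "missing"
    if observed == setting.value:
        return "compliant"
    if setting.rule is Rule.AT_LEAST:
        return "more_stringent" if observed > setting.value else "less_stringent"
    if setting.rule is Rule.AT_MOST:
        return "more_stringent" if observed < setting.value else "less_stringent"
    return "deviation"  # EXACT rule: direction cannot be inferred, so it needs review


def check_workstation(observed: dict, baseline=BASELINE) -> list:
    """Compare collected settings with the baseline; one Finding per baseline setting."""
    return [Finding(s.name, s.value, observed.get(s.name), classify(s, observed.get(s.name)))
            for s in baseline]


def deviations(findings: list) -> list:
    """Every non-compliant finding: each must be documented and approved."""
    return [f for f in findings if f.status != "compliant"]


def weakening(findings: list) -> list:
    """Deviations that lower or skip the baseline: candidates for a POA&M entry."""
    return [f for f in findings if f.status in ("less_stringent", "deviation", "missing")]


# Constructed sample of settings collected from one workstation.
SAMPLE = {
    "MinimumPasswordLength": 14,  # exceeds the baseline: more stringent
    "MaximumPasswordAge": 90,     # weaker than the baseline
    "LockoutBadCount": 5,         # matches
    "CrashOnAuditFail": 0,        # exact-match setting differs
}                                 # AuditLogonEvents was not collected at all
```

Running `check_workstation(SAMPLE)` yields one more-stringent deviation, one compliant setting and three findings that weaken or skip the baseline; only the latter group needs a mitigation plan, but all four deviations need documentation.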
[End of section]