OMB Deadline for FDCC Compliance Looming

The Office of Management and Budget (OMB) memorandum M-07-11 requires federal agencies to adopt a common set of configuration standards for all Windows XP and Vista machines. The configuration standards, referred to as the Federal Desktop Core Configuration (FDCC), was developed by the National Institute of Standards and Technology (NIST) with support from the Department of Defense (DoD) and the Department of Homeland Security (DHS). The OMB mandates that federal agencies must submit to the OMB a summary of all computers running Windows XP and Vista and the number of those that are FDCC compliant by Feb 1st. By March 31st, these agencies must submit a technical report detailing the status of their implementations of the FDCC standards throughout their environments (here)

Although there has been no end of criticism for the federal governments ability to implement even basic levels of security and many have called FISMA a dismal failure this should be seen as a positive move in driving towards greater visibility into and control over federal computing environments. Defining the desired configuration state of assets within the computing environment against a security baseline developed by organizations like NIST, and then auditing the environment against this baseline to identify assets that deviate so that remediation actions can be taken, is a positive step towards moving IT Security from a purely reactive ad-hoc process to one that adopts pre-incident measures to eliminate attack vectors before they result in successful attack, it also supports continuous compliance initiatives and can help reduce direct costs from technical support calls and indirect costs from streamlining patch or change management processes.


  • The biggest challenge facing organizations today is the complete lack of pervasive visibility into their computing environments and this is no different for government agencies. You can’t measure or protect what you can’t see. It seems like a fairly trivial problem to solve but the reality is that most organizations are blind to at least 15% of their computing assets. The reasons are many but have to do with myopic systems management products that do not have support for legacy systems or heterogeneous computing environments, mobile users that are difficult to track and manage, the proliferation of non-corporate devices that enter a network and the problems of space and time faced by network based scanning tools, not to mention the disparate, yet overlapping technologies, deployed by the various IT groups who seem to never be able to cooperate.
  • Probably the second biggest challenge organizations will face is service or application disruption caused by the configuration standards impacting an internally developed or 3rd party application. Most organizations use internally developed applications, some use hundreds, most of these do not adhere to standards, are generally poorly maintained and tend to require certain ports or services to be available to run. Agencies will want to test the FDCC standard on their standard images prior to deployment to ensure that their common operating environment (COE) images and associated approved applications can function without requiring modification to the systems.
  • The third challenge will be the disruption to users themselves, many of whom have become accustomed to a certain level of access, mobility, or service. FDCC suggests implementation of FIPS compliant encryption, disabling wireless services, restricting the use of ActiveX, and the removal of administrative rights – these are all important for securing a Windows system but they also have ramifications to how users interact with the systems and the networks themselves. Agencies will want to ensure that their user population can function with these controls in place and are able to perform their jobs because at the end of the day IT’s main charter is to serve the business or organization that employs them and ensure that services are available to provide the functions required by the business.
  • The fourth challenge is a tools problem, currently there is no FDCC validation so agencies will struggle in the near term with navigating the vendor hype and finding a solution that can effectively and efficiently help them meet the FDCC compliance initiatives while limiting any negative impact on the environment.

These challenges are not in surmountable, but they have the potential to cause significant problems if not addressed early in the cycle.

BigFix provides systems and security configuration management solutions and recently introduced support for assessment and remediation against the FDCC standards (here)

4 thoughts on “OMB Deadline for FDCC Compliance Looming

  1. Great insights. I agree, FDCC is the at the top of lots of agendas lately. BigFix looks very interesting. I wonder how it compares with, say, Triumfant? System Owners are clearly going to need help to automate this process, and soon!

  2. Hey Mike,

    I wasn’t familiar with Triumfant until you mentioned it. I glanced at their website and sat through their demo and from what I can tell the big difference would be that BigFix does not require central processing for assessment and remediation. Any of the issues, configurations, settings, or otherwise that would be identified as part of policy, such as FDCC, would be continuously assessed and the agent would remediate any non-compliant conditions independent of the central server.

  3. Pingback: Why Should We Spend on Security? « Observations of a digitally enlightened mind

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s