Feds to Adopt Common Security Settings on PCs

OMB tells agencies to standardize configurations for Windows XP, Vista

Federal agencies have until next February to implement a common set of secure configuration settings, developed by the National Institute of Standards and Technology (NIST) and other organizations, on all of their Windows XP and Windows Vista systems.

But by May 1 of this year, they have to provide the White House Office of Management and Budget with draft plans for deploying and managing the new security configurations. And after June 30, the OMB wants agencies to use the common settings on all the new PCs they buy and make sure that the applications they’re purchasing have been certified to work under the settings.

The deadlines were detailed by Karen Evans, the de facto federal CIO, in a memorandum that was sent to agency IT officials last week.

Threat Protection

The standards being adopted were created by NIST, the U.S. Department of Homeland Security, the Defense Information Systems Agency, the National Security Agency and Microsoft Corp. They describe basic configuration settings that are designed to secure systems running Vista and Windows XP against common types of threats, such as buffer overflow attacks.

In her memo, Evans, whose official title is administrator of the OMB’s Office of Electronic Government and IT, said the use of standardized configurations is necessary for improving the overall security and reliability of federal systems.

“Common security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources,” Evans wrote. Such measures, she added, should enable agencies “to improve system performance, decrease operating costs and ensure public confidence in the confidentiality, integrity and availability of government information.”

Such stipulations are vital to improving IT security within the federal government, said Alan Paller, director of research at the SANS Institute, a security training and vulnerability research firm in Bethesda, Md. Paller noted that the U.S. Air Force has already adopted a similar program under which it is using a common security configuration on all of its Windows XP systems.

Such standardization can help slow the spread of malware inside organizations and make the software patching process more efficient, according to Paller. It also forces application vendors to pay more attention to security, he said.

The governmentwide edict “comes just in time to impact developers building applications for Windows Vista,” Paller said. “No Vista application will be able to be sold to federal agencies if the application doesn’t run on the secure version of Vista.”

Indeed, in a separate memo sent to agency heads last week, Clay Johnson, the OMB’s deputy director for management, wrote that Microsoft’s shipment of Vista “provides a unique opportunity for agencies to deploy secure configurations for the first time when an operating system is released.” That makes the adoption of the common settings “critical,” he added.

The memo from Evans directs agency CIOs to provide the OMB with detailed information about a variety of issues, including their plans for testing the security configurations in nonproduction environments, automating enforcement of the settings and restricting administration privileges to authorized personnel. Agencies must also be able to install Microsoft patches distributed by the DHS when new vulnerabilities are disclosed, Evans wrote.

Copyright © 2007 IDG Communications, Inc.
