NIST, OMB Tout Major Windows Policy Fixes For Federal Agencies
The National Institute of Standards and Technology reports that the White House Office of Management and Budget (OMB) has mandated that all federal agencies implement a common set of secure configuration settings developed by NIST.
Here's the timeline, as submitted by the OMB:
- May 1st, 2007 – Agencies must submit plans to OMB:
  - on how they will implement the new standard baseline configuration,
  - on how they will enforce and automate the settings,
  - on how they will restrict administrative rights to change these settings to only authorized personnel,
  - on how they will test their systems in advance for adverse effects of the settings,
  - on how they will integrate the new security settings into their Capital Planning and Investment Control Process (NIST SP 800-65),
  - on how they will ensure that all computers have vulnerability patches applied,
  - on how they will document any deviations from the standard baseline and the reason for the deviation.
- April 20th, 2007 – OMB and the Department of Homeland Security (DHS) will make available XP and Vista images that hardware and software vendors can use for testing.
- June 30th, 2007 – All new computer purchases with Windows XP or Vista must contain the standard baseline security configuration. All new software purchases must be compatible with the new security settings. All IT companies doing business with the government must certify that their products will work with this configuration.
- February 1st, 2008 – Agencies must fully implement the standard security settings on all computers running Microsoft Windows XP and Vista.
NIST and the OMB both say these steps will lead to significant changes. Wanna know more? Read on..
According to the OMB and NIST:
Once these changes start to take effect in June the entire U.S. Government will be doing things differently. This will affect hardware and software acquisition, IT management, computer setup, end user training, other security policies and procedures, etc. For once everyone in the government will be doing something with computers the same way. This is a first, and it's a huge change. It is also long overdue, not only from a security point of view but from a fiscal one. The cost savings will be enormous. There will also be a complete paradigm shift in how government IT personnel perceive things. No longer will local offices or individual IT people be making security decisions; management is now running the show, and for once management is making a fully informed decision.
Many of OMB's past Memorandums were not implemented on time, or were drastically watered down by agencies, such as M-06-16, which mandated (among other things) encryption of mobile computers and devices by August 2006. Few agencies have fully implemented this directive. This new security baseline initiative is different; for once OMB isn't leaving anything to chance. They are not only telling agencies exactly what to do, but they are giving them the means to do it (completed and detailed NIST specifications). They are also forcing the issue through contracting rules that disallow any purchases that are not within compliance. In addition they are working with vendors, especially Microsoft, to make sure that products will be available by the OMB deadlines. For once they're doing it right.
There is already discussion about government-wide standardized baselines (or STIGs) for Unix, Apple and Linux operating systems. The federal government Windows XP and Vista image is also likely to be available to commercial buyers. There is nothing secret about it. Most Microsoft applications will be guaranteed to work with the image, as will most mainstream applications. If you work for a large enterprise don't be surprised if you start seeing this configuration on new desktops in the near future.
This will, of course, lead to much better desktop security within the federal government. The Air Force / DISA / NIST STIGs are tough and they will truly have a positive effect. When security is left open to the current technician of the moment, few take the time to harden Windows to this degree. When the end user has administrative rights to their computer, then so does any piece of malware they may stumble upon. Standardizing on a tough policy and forcing the marketplace to become compatible is the perfect way to accomplish the goal of securing the desktop. Karen Evans, OMB's administrator of e-government and information technology, and the rest of the OMB team will deserve a lot of credit if they can pull this off.
OK, Russ here. I'm back.