RSS - Regulations, Statutes and Standards TMC

NIST, OMB Tout Major Windows Policy Fixes For Federal Agencies

March 29, 2007

The National Institute of Standards and Technology reports that the White House Office of Management and Budget (OMB) has mandated that all federal agencies implement a common set of secure configuration settings developed by NIST.

Here's the timeline, as submitted by the OMB:

NIST and the OMB both say these steps will lead to significant changes. Wanna know more? Read on..

According to the OMB and NIST:

Once these changes start to take effect in June, the entire U.S. Government will be doing things differently. This will affect hardware and software acquisition, IT management, computer setup, end user training, other security policies and procedures, etc. For once everyone in the government will be doing something with computers the same way. This is a first, and it's a huge change. It is also long overdue, not only from a security point of view but from a fiscal one. The cost savings will be enormous. There will also be a complete paradigm shift in how government IT personnel perceive things. No longer will local offices or individual IT people be making security decisions; management is now running the show, and for once management is making a fully informed decision.

Many of OMB's past Memorandums were not implemented on time, or were drastically watered down by agencies, such as M-06-16, which mandated (among other things) encryption of mobile computers and devices by August 2006. Few agencies have fully implemented this directive. This new security baseline initiative is different; for once OMB isn't leaving anything to chance. They are not only telling agencies exactly what to do, but they are giving them the means to do it (completed and detailed NIST specifications). They are also forcing the issue through contracting rules that disallow any purchases that are not within compliance. In addition, they are working with vendors, especially Microsoft, in making sure that products will be available by the OMB deadlines. For once they're doing it right.

There is already discussion about government-wide standardized baselines (or STIGs) for Unix, Apple and Linux operating systems. The federal government Windows XP and Vista image is also likely to be available to commercial buyers. There is nothing secret about it. Most Microsoft applications will be guaranteed to work with the image, as will most mainstream applications. If you work for a large enterprise don't be surprised if you start seeing this configuration on new desktops in the near future.

This will, of course, lead to much better desktop security within the federal government. The Air Force / DISA / NIST STIGs are tough and they will truly have a positive effect. When security is left open to the current technician of the moment, few take the time to harden Windows to this degree. When the end user has administrative rights to their computer, then so does any piece of malware they may stumble upon. Standardizing on a tough policy and forcing the marketplace to become compatible is the perfect way to accomplish the goal of securing the desktop. Karen Evans, OMB's administrator of e-government and information technology, and the rest of the OMB team will deserve a lot of credit if they can pull this off.

OK, Russ here. I'm back.

Keyword- "if."
