FDCC compliance slowed by manual checks
Connecting state and local government leaders
Windows XP has seven items that need to be checked by hand, Windows Vista has eight checks and Internet Explorer has one.
Ensuring that each agency desktop computer is compliant with the Office of Management and Budget's Federal Desktop Core Configuration requires 16 checks that need to be done by hand. Such manual checks can complicate agency efforts to hit today's OMB deadline for reporting FDCC compliance, said Amrit Williams, chief technology officer at enterprise systems and security management company BigFix.
"It puts a lot of burden on the folks who have to generate the reports and do the assessments,' he said. 'Most people are struggling just to do the automated stuff. Not only must they scan their environments to generate a report, but they have to modify the [resulting] reports to accommodate information coming from these manual checks."
Today is the day agencies must submit a report to OMB about how many computers they have that are compliant with FDCC settings. NIST is also expected today to release a list of those tools that can perform the FDCC checks automatically. While some companies already offer automated scanning tools, these tools probably will not be able to execute all the checks required under FDCC.
According to Mitre lead information security engineer Andrew Buttner, who spoke at the National Institute of Standards and Technology's 2008 Federal Desktop Core Configuration Implementers Workshop last week, a FDCC Security Content Automation Protocol testing team found that 98 percent of the checks needed for FDCC could be done automatically. However, Windows Vista, Windows XP and Internet Explorer all had settings that could only be updated and checked by hand.
Buttner said Windows XP has a total of 279 FDCC checks and Windows Vista has 328 FDCC checks. In addition, Internet Explorer 7, which runs on both operating systems, has an additional 122 FDCC checks.
Of these sets, Windows XP has seven items that need to be checked by hand, Windows Vista has eight checks and Internet Explorer has one.
"We mark those 16 as unknown tests in the content, which basically says it is unknown how to automate the checking of that setting," Buttner said. The unknown status means either that the check cannot be automated or that the checking process doesn't work, the documentation states.
The SCAP team is currently working with Microsoft to find ways that these settings could be checked in an automated fashion. "They are the subject matter experts and hopefully know how to perform that test," Buttner said. "As of today, we're still waiting to get those answers back."
Among the checks that remain unautomated include those that offer the ability to check IPv6 settings in the firewall, and to check some Kerberos settings with Windows XP and Windows Vista, and one in Internet Explorer that permits the browser to automatically install programs.
Until some sort of path to automation is provided, Williams said, the manual checks will "add a level of complexity" to all aspects of the FDCC process, from reporting and assessment to remediation.
In some cases the administrators must visit each desktop computer, such as the IPv6 settings, and check the setting from there. With other checks, such as those around Kerberos, they can be checked at the server level.
Plus the manual checks introduce yet another level of complexity, if the agency is using an external party to manage their computers. "If they are using an automated tool, it is agreed upon that they do not have to interact with the server operation team ' they can just run the tool and generate the report,' Williams said. 'But if they do not own the box, now they have to go to the third party and ask them to do the manual checks."
How much this affects agencies trying to get in compliance with FDCC is an open question.
'Agencies have two choices, they can do the checks manually or use nonvalidated SCAP-capable tools and accept some risk,' said Peter Mell, who leads NIST's SCAP project. 'There are hundreds of settings, but it can be done. We have a staff member who does it regularly.'
Williams' company BigFix offers software (BigFix Enterprise Server) that does asset discovery and compliance testing and enforcement, and includes a template for checking network machines for FDCC compliance. Like other offerings, the software has to work around the manual checks.
"We're struggling with the same issues that everyone else is,' Williams said. 'So we just have a note in our report that says it does not include the following checks."
Jason Miller contributed to this report.
NEXT STORY: R. Fink | Of Rummy and reality