Cyber desktop standard gets wakeup call from CIO Council

The Chief Information Officer’s Council held a séance, pulled out its Ouija board and asked Rip Van Winkle for approval to raise the United States Government Configuration Baseline (USGCB), otherwise known as the Federal Desktop Core Configuration, from its long slumber.

The council’s Information Security and Identity Management Committee took on this dormant effort to develop and approve standard security and other configuration settings for common IT products.

In a May 6 blog post, the council said the committee had “updated configuration settings in current USGCB platforms (including Windows 7 and Windows Vista), reviewed a series of proposed settings, and prioritized a list of new baselines for existing platforms. These new baselines include Windows 8/8.1, IE 10, Windows Server 2012 (Domain Controller), Windows Server 2012 (Member Server), and Red Hat 6.”

The committee will approve new operating systems or versions as they become public, and create security automation, checklists and Security Content Automation Protocol (SCAP) tools with appropriate stakeholders.

The fact that the council reinvigorated this effort is a huge deal, especially at a time when agencies continue to face the same cyber problems but an exponentially larger set of vulnerabilities and risks.

The idea of a standard configuration for commodity IT has been around for some time and it’s a proven security approach. When the Air Force moved to a gold disk standard for Microsoft Windows in 2005, it cut its patch time from 57 days to 72 hours and saved $100 million per year in patch testing alone.

Karen Evans, the former Office of Management and Budget administrator for E-Government and IT, who initiated the Federal Desktop Core Configuration program in 2007 after the Air Force’s success, told the House Oversight and Government Reform Committee in 2008 that “by implementing a common configuration, we are gaining better control of our federal desktops, allowing for closer monitoring and correction of potential vulnerabilities. We are also working with the vendor community to make their applications safer.”

Nearly seven years later, Evans’ comments still ring true.

The problem is that the Obama administration has not emphasized the FDCC/USGCB at the senior level over the past several years. Even though the National Institute of Standards and Technology included the concept of standard configurations in its Special Publication 800-128, it was not included in the administration’s Cross-Agency Priority goals.

So, why the CIO Council’s renewed interest? It likely can be traced back to OMB’s resurgence in leading cybersecurity activities. It falls in line with how OMB is leading the ongoing work around rethinking identity management, the E-Gov Cyber Task Force and oversight of the Cross-Agency Priority goal for cybersecurity.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature. Read more from this edition of Jason’s Notebook.