For the past two years, I have been closely watching the genesis and implementation of a very interesting program, the Federal Desktop Core Configuration (FDCC), which the Office of Management and Budget (OMB) has mandated for all U.S. government agencies. The idea behind FDCC was simple: through an OMB-developed standard configuration set-up, organizations can manage endpoints running Windows XP and Windows Vista so that the tenets of security, such as the principle of least privilege, are followed on machines across the federal government.
Since last year, federal agencies have been required to adhere to FDCC on their workstations and laptops as part of broader FISMA compliance. Karen Evans, the then-administrator of OMB's Office of E-Government and Information Technology, who wrote the first memo outlining FDCC in 2007, said the idea for establishing this baseline was "to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity and availability of government information."
These benefits are the 'gimmes', and now that the FDCC has had time to really take root, we're going to start to see some of the other benefits that sprout up when such a large group of administrators is required to securely configure their systems.
For example, one unforeseen positive outcome is that FDCC is going to make sloppy application developers think twice about their assumptions. Too many developers today rely on wide-open configuration settings to make their software work on the Windows platform. When those security settings are hardened across the board, as with the FDCC, administrators are sure to raise a hue and cry when software breaks, loud enough for developers to hear. As a result, FDCC benefits the entire computing community, because any software developer that wants to sell to the government from here on out has to consider how its software behaves in a securely configured environment before rolling out a release.
FDCC also offers a lot of benefit to the public at large as a case study in endpoint configuration. My bet is that we'll be able to correlate positive agency FDCC compliance statistics with fewer attacks and data breaches further down the line. At the end of the day, secure configuration is the very bedrock that any security program is built on. It always has been, and it will continue to be so in the future.