Information Security:

Agencies Need to Implement Federal Desktop Core Configuration Requirements

GAO-10-202: Published: Mar 12, 2010. Publicly Released: Apr 12, 2010.

Contact:

Gregory C. Wilshusen
(202) 512-3000
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The increase in security incidents and continuing weakness in security controls on information technology systems at federal agencies highlight the continuing need for improved information security. To standardize and strengthen agencies' security, the Office of Management and Budget (OMB), in collaboration with the National Institute of Standards and Technology (NIST), launched the Federal Desktop Core Configuration (FDCC) initiative in 2007. GAO was asked to (1) identify the goals, objectives, and requirements of the initiative; (2) determine the status of actions federal agencies have taken, or plan to take, to implement the initiative; and (3) identify the benefits, challenges, and lessons learned in implementing this initiative. To accomplish this, GAO reviewed policies, plans, and other documents at the 24 major executive branch agencies; reviewed OMB and NIST guidance and documentation; and interviewed officials.

The goals of FDCC are to improve information security and reduce overall information technology operating costs across the federal government by, among other things, providing a baseline level of security through the implementation of a set of standard configuration settings on government-owned desktop and laptop computers (i.e., workstations). To carry out the initiative, OMB required that executive branch agencies take several actions, including: (1) submit an implementation plan to OMB; (2) apply all configuration settings to all applicable workstations by February 2008; (3) document any deviations from the prescribed settings and have them approved by an accrediting authority; (4) acquire a specified NIST-validated tool for monitoring implementation of the settings; (5) ensure that future information technology acquisitions comply with the configuration settings; and (6) submit a status report to NIST. While agencies have taken actions to implement these requirements, none of the agencies has fully implemented all configuration settings on their applicable workstations. Specifically, most plans submitted to OMB did not address all key implementation activities; none of the agencies implemented all of the prescribed configuration settings on all applicable workstations, though several implemented agency-defined subsets of the settings; several agencies did not fully document their deviations from the settings or establish a process for approving them; six agencies did not acquire and make use of the required tool for monitoring FDCC compliance; many agencies did not incorporate language into contracts to ensure that future information technology acquisitions comply with FDCC; and many agencies did not describe plans for eliminating or mitigating their deviations in their compliance reports to NIST. Until agencies ensure that they are meeting these FDCC requirements, the effectiveness of the initiative will be limited.

FDCC has the potential to increase agencies' information security by requiring stricter security settings on workstations than those that may have been previously in place and standardizing agencies' management of workstations, making it easier to manage changes such as applying updates or patches. In addition, a number of lessons can be learned from the management and implementation of the FDCC initiative which, if considered, could improve the implementation of future versions of FDCC or other configuration efforts. At the same time, agencies face several ongoing challenges in fully complying with FDCC requirements, including retrofitting applications and systems in their existing environments to comply with the settings, assessing the risks associated with deviations, and monitoring workstations to ensure that the settings are applied and functioning properly. As OMB moves forward with the initiative, understanding the lessons learned as well as the ongoing challenges agencies face will be essential in order to ensure the initiative is successful in ensuring public confidence in the confidentiality, integrity, and availability of government information.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that OMB, in response to our recommendation, reported that the United States Government Configuration Baseline replaced FDCC and now provides the baseline settings that Federal agencies are required to implement for security and environmental reasons.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should, when announcing new FDCC versions, such as Windows 7, and changes to existing versions, include clear, realistic, and effectively communicated deadlines for completing implementation.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that OMB, in response to our recommendation, reported that the United States Government Configuration Baseline has replaced FDCC; therefore, no further FDCC guidance is planned.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should clarify OMB policy regarding FDCC deviations to include: whether deviations can be permanent or should be mitigated in a timely manner; requirements for plans of actions and milestones for mitigating deviations, including resources necessary for doing so; guidance to use for assessing the risk of deviations across the agency; and how frequently and to whom deviations should be reported to assist in making decisions regarding future versions.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that OMB, in response to our recommendation, informed agencies of the various approaches for testing the security settings and implementing the initiative in phases.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should inform agencies of the various approaches for testing the settings and implementing the initiative in phases, which may aid successful implementation.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  4. Status: Closed - Implemented

    Comments: In fiscal year 2012 OMB reported, in response to our recommendation for applying lessons learned during implementation, that it had decided to institutionalize the process for developing baselines in the federal government by developing and implementing a cooperative, sustainable process, using the CIO Council to allow the full participation of the affected community in determining realistic baselines, requirements, testing, deadlines, and additional materials.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should assess the efficacy of, and take steps to apply as appropriate, other lessons learned during the initial implementation of this initiative such as the need for (1) additional collaboration efforts, (2) independent testing, and (3) advance notice of requirements, to assist agencies in implementing this initiative.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  5. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that OMB, in response to our recommendation, reported that National Institute of Standards and Technology Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP), provides guidance on using SCAP tools to include information on the frequency and scope with which agencies should perform monitoring.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should provide guidance on using Security Content Automation Protocol (SCAP) tools to include information on the frequency and scope with which agencies should perform monitoring.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  6. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that OMB, in response to our recommendation, reported that the United States Government Configuration Baseline (USGCB) has replaced FDCC; therefore, no further FDCC guidance is planned.

    Recommendation: To improve implementation of FDCC at federal agencies, the Director of OMB should develop performance measures and provide guidance to agencies for reporting the benefits of FDCC.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  7. Status: Open

    Comments: USDA has not fully implemented FDCC/USGCB settings as of 2013. USDA expects to improve implementation percentages by the end of 2014 and to report deviations and compensating controls in operating environments where full implementation is not feasible.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Agriculture should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Agriculture

  8. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that USDA, in response to our recommendation, documents and certifies acceptance of risk by the designated accrediting authority for all deviations from FDCC.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Agriculture should document deviations to FDCC and have them approved by a designated accrediting authority.

    Agency Affected: Department of Agriculture

  9. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that USDA, in response to our recommendation, developed and implemented a waiver procedure to address those systems that cannot be moved to 100 percent compliance with the FDCC model.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Agriculture should develop, document, and implement a policy to approve deviations by a designated accrediting authority.

    Agency Affected: Department of Agriculture

  10. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that Commerce, in response to our recommendation, has issued guidance requiring all components to implement a NIST-validated security content automation protocol (SCAP) tool to monitor compliance with FDCC/USGCB settings. In addition, we verified that Commerce has ensured that all operating units are using a NIST-validated SCAP tool to monitor these settings.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Commerce should ensure all components have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Department of Commerce

  11. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that Commerce, in response to our recommendation, developed, documented and implemented a policy requiring the use of NIST-validated SCAP tools to monitor compliance with FDCC.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Commerce should ensure all components develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Commerce

  12. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that Commerce, in response to our recommendation, created an Information Technology Security Acquisition Checklist. The checklist includes language for new acquisitions that includes FDCC settings.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Commerce should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Commerce

  13. Status: Closed - Not Implemented

    Comments: According to the agency's inspector general FISMA report for fiscal year 2013, for Windows-based components, USGCB secure configuration settings are not fully implemented, and any deviations from USGCB baseline settings are not fully documented. Additionally, the inspector general reported that it did not identify any comprehensive audit reports in the federal audit community that addressed the implementation of USGCB secure configuration settings.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Defense should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Defense

  14. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that DOD, in response to our recommendation, requires all information assurance and information assurance-enabled information technology products incorporated into DoD information systems to be configured in accordance with DoD-approved security configuration guidelines.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Defense should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Defense

  15. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that Energy, in response to our recommendation, completed implementation of its FDCC secure configuration settings. Additionally, according to the agency's inspector general FISMA report for fiscal year 2013, for Windows-based components, FDCC secure configuration settings are fully implemented, and any deviations from FDCC baseline settings are fully documented.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Energy

  16. Status: Open

    Comments: The Department of Energy had expected to finalize its implementation plan for USGCB requirements by December 31, 2013.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should ensure all components that are required to implement FDCC have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Department of Energy

  17. Status: Open

    Comments: The Department of Energy had expected to finalize its implementation plan for USGCB requirements by December 31, 2013.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should ensure all components that are required to implement FDCC develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Energy

  18. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that DOE, in response to our recommendation, has issued an order for its cyber security program that includes a requirement for contractors, where appropriate, to consider federally established configurations such as the Federal Desktop Core Configuration. In addition, DOE contracting officers may incorporate in contracts a Federal Acquisition Regulation clause on including common security configurations available from the National Institute of Standards and Technology. While these actions do not ensure that language on including FDCC settings is included in every applicable contract, they generally address this recommendation.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should ensure that language is included in contracts of those components that are required to implement FDCC to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Energy

  19. Status: Closed - Implemented

    Comments: An FDCC Baseline has been completed, implemented, and documented in Appendix B of EPA's Windows XP Professional with SP3 Standard Configuration Document (SCD) and posted to the Agency's intranet.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Environmental Protection Agency should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Environmental Protection Agency

  20. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that EPA, in response to our recommendation, developed and implemented a policy and IT Waiver Process.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Environmental Protection Agency should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Environmental Protection Agency

  21. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that GSA, in response to our recommendation, reported that all OCIO managed systems that are not legacy systems received FDCC settings through Group Policy Objects.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the General Services Administration should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: General Services Administration

  22. Status: Closed - Not Implemented

    Comments: According to the agency's inspector general FISMA report for fiscal year 2013, for Windows-based components, USGCB secure configuration settings are not fully implemented, and any deviations from USGCB baseline settings are not fully documented.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Health and Human Services should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Health and Human Services

  23. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that HHS, in response to our recommendation, reported that it issued the Standard for Security Content Automation Protocol-Compliant Tools policy in June of 2010. HHS is currently utilizing a NIST-validated SCAP tool to monitor and report on FDCC compliance.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Health and Human Services should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Health and Human Services

  24. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that HHS, in response to our recommendation, reported it developed Standard for Security Configurations Language in HHS Contracts, to implement Federal Acquisition Regulation language regarding Common Security Configuration and HHS information security requirements. In January 2010, the Department initiated efforts to revise its Contractor Oversight Guide. The resulting document, Security and Privacy Considerations to Guide IT Procurements, was released as final in May 2012.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Health and Human Services should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Health and Human Services

  25. Status: Closed - Implemented

    Comments: In fiscal year 2013, GAO verified that the Department of Homeland Security, in response to GAO's recommendation, has fully implemented secure configuration settings that meet Federal Desktop Core Configuration/U.S. Government Configuration Baseline (USGCB) requirements on applicable workstations in all but one of its components. The remaining component is applying USGCB settings and is scheduled to be 85 to 90 percent compliant by January 2014.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Homeland Security

  26. Status: Closed - Implemented

    Comments: The Department of Homeland Security U.S. Government Configuration Baseline (USGCB) establishes an approved waiver review process by an accredited authority. DHS components must submit a Waiver and Exception request to the department's Chief Information Officer whenever they are unable to bring a system control weakness into compliance or when a permanent exception to DHS policy is required.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Department of Homeland Security

  27. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that DHS, in response to our recommendation, developed and implemented a policy to monitor FDCC using a NIST-validated SCAP tool.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Homeland Security

  28. Status: Closed - Implemented

    Comments: DHS already had regulations in place to ensure new acquisitions meet FDCC requirements. The Department of Homeland Security Acquisition Regulation (HSAR) of June 2006 establishes uniform acquisition policies and procedures, which implement and supplement the Federal Acquisition Regulation (FAR).

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Homeland Security should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Homeland Security

  29. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that HUD, in response to our recommendation, acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Department of Housing and Urban Development

  30. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that HUD, in response to our recommendation, revised its Handbook to include a policy directing FDCC compliance monitoring on all its information systems.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Housing and Urban Development

  31. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that HUD, in response to our recommendation, issued a memorandum to include Federal Acquisition Regulation language in solicitations and contracts that require the delivery of information technology hardware, software, data products or services as an end product.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Housing and Urban Development

  32. Status: Closed - Implemented

    Comments: In fiscal year 2011 DOI reported, in response to our recommendation, that it had completed implementation of its baseline, with all workstations being FDCC compliant.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of the Interior should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of the Interior

  33. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that DOI, in response to our recommendation, ensured all Components implemented the department's existing policy to document deviations to FDCC and have those deviations approved by a designated accrediting authority.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of the Interior should ensure all components implement the department's existing policy to document deviations to FDCC and have those deviations approved by a designated accrediting authority.

    Agency Affected: Department of the Interior

  34. Status: Open

    Comments: DOI's efforts to acquire and deploy a SCAP tool are delayed due to lack of funding. The current target date for completion is 12-31-2014.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of the Interior should ensure all components implement the department's existing policy to acquire and deploy a NIST-validated SCAP tool and monitor compliance with FDCC.

    Agency Affected: Department of the Interior

  35. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that Justice, in response to our recommendation, substantially implemented the FDCC baseline for its workstations. According to the agency's fiscal year 2013 FISMA report, 74% of the recommended settings for Windows XP assets were compliant with the United States Government Configuration Baselines.

    Recommendation: To improve the department's implementation of FDCC, the Attorney General should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Justice

  36. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that Justice, in response to our recommendation, updated its Configuration Management Plan to document and implement the policy for approving configuration setting deviations to FDCC and other configuration benchmarks by a designated accrediting authority.

    Recommendation: To improve the department's implementation of FDCC, the Attorney General should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Department of Justice

  37. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that Justice, in response to our recommendation, procured a NIST-validated SCAP-compliant tool to provide enterprise-wide and centrally coordinated FDCC monitoring and reporting, among other capabilities. Justice reported that 85% of its assets are being monitored in near real-time by TEM BigFix.

    Recommendation: To improve the department's implementation of FDCC, the Attorney General should complete deployment of a NIST-validated SCAP tool to monitor FDCC compliance.

    Agency Affected: Department of Justice

  38. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that Justice, in response to our recommendation, developed new contract language in alignment with Office of Management and Budget guidance.

    Recommendation: To improve the department's implementation of FDCC, the Attorney General should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Justice

  39. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that DOL, in response to our recommendation, issued Contracting Officer Notice 2008-14, Mandatory Language for Common Security Configuration, to departmental contracting offices. This notice requires that FDCC language be incorporated in all applicable solicitations and contracts.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Labor should complete efforts to ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Labor

  40. Status: Closed - Not Implemented

    Comments: According to the agency's inspector general FISMA report for fiscal year 2013, for Windows-based components, USGCB secure configuration settings are not fully implemented, and any deviations from USGCB baseline settings are not fully documented.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the National Aeronautics and Space Administration should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: National Aeronautics and Space Administration

  41. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that the National Science Foundation, in response to our recommendation, deployed two SCAP compliant tools to monitor FDCC compliance.

    Recommendation: To improve the agency's implementation of FDCC, the Director of the National Science Foundation should complete deployment of a NIST-validated SCAP tool to monitor FDCC compliance.

    Agency Affected: National Science Foundation

  42. Status: Closed - Implemented

    Comments: Nuclear Regulatory Commission (NRC) ensured deviations are documented and approved by a designated accrediting authority.

    Recommendation: To improve the agency's implementation of FDCC, the Chairman of the Nuclear Regulatory Commission should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Nuclear Regulatory Commission

  43. Status: Closed - Implemented

    Comments: Nuclear Regulatory Commission (NRC) ensured that future information technology acquisitions comply with the Federal Desktop Core Configuration (FDCC) requirements.

    Recommendation: To improve the agency's implementation of FDCC, the Chairman of the Nuclear Regulatory Commission should ensure that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Nuclear Regulatory Commission

  44. Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that OPM, in response to our recommendation, reported it had completed implementation of its baseline with all workstations being FDCC compliant.

    Recommendation: To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Office of Personnel Management

  45. Status: Closed - Implemented

    Comments: OPM documented deviations from the FDCC baseline for all new images and ensured that deviations were approved by its Chief Information Officer (CIO).

    Recommendation: To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should document deviations to FDCC and have them approved by a designated accrediting authority.

    Agency Affected: Office of Personnel Management

  46. Status: Closed - Implemented

    Comments: OPM inserted a clause into the Bill of Materials template for new workstation/laptop procurements and included language in the recent contracts which specify FDCC compliance for new acquisitions.

    Recommendation: To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Office of Personnel Management

  47. Status: Open

    Comments: The Small Business Administration expects to implement a policy to approve deviations from requirements of the Federal Desktop Core Configuration/U.S. Government Configuration Baseline by August 2013.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Small Business Administration should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Small Business Administration

  48. Status: Open

    Comments: In fiscal year 2013 we verified that the Small Business Administration (SBA), in response to GAO's recommendation, has developed contract language requiring Federal Desktop Core Configuration/U.S. Government Configuration Baseline (FDCC/USGCB) settings, and products that operate effectively with these settings. SBA plans to incorporate this language into all new information technology investments starting in fiscal year 2014.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the Small Business Administration should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Small Business Administration

  49. Status: Closed - Implemented

    Comments: SSA published security configuration guidelines that incorporate Federal Desktop Core Configuration settings as implemented by SSA.

    Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.

    Agency Affected: Social Security Administration

  50. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that SSA, in response to our recommendation, completed deployment of its NIST-validated SCAP tool for monitoring FDCC compliance.

    Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Social Security Administration

  51. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that SSA, in response to our recommendation, developed and implemented a policy to monitor FDCC using a NIST-validated SCAP tool.

    Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Social Security Administration

  52. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that the Social Security Administration, in response to GAO's recommendation, has developed contract language requiring Federal Desktop Core Configuration/U.S. Government Configuration Baseline (FDCC/USGCB) settings, and products that operate effectively with these settings. SSA expects to publish a policy on IT security acquisitions for its components by the fourth quarter of fiscal year 2013 that will instruct them on including FDCC/USGCB requirements in contracts.

    Recommendation: To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Social Security Administration

  53. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that Transportation, in response to our recommendation, requires all operating units to comply with FDCC/USGCB settings on all applicable systems, and uses NIST-validated SCAP tools to assess compliance.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Transportation should complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Department of Transportation

  54. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that Transportation, in response to GAO's recommendation, issued a policy letter requiring that contracts include an interim clause specifying that contractors certify their products are compliant with U.S. Government Configuration Baselines (USGCB), which is the successor to FDCC. This clause also specifies that contractors certify their applications operate correctly with and do not alter these baselines. The policy letter, issued in 2012, directs that this clause be included in all new solicitations where appropriate.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Transportation should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Transportation

  55. Status: Closed - Implemented

    Comments: Treasury has completed implementation of its baseline with all of its workstations being FDCC compliant.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of the Treasury should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of the Treasury

  56. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that Treasury, in response to our recommendation, requires all components to include common security configurations language in information technology contracts.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of the Treasury should ensure that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of the Treasury

  57. Status: Closed - Implemented

    Comments: USAID requires that all applicable contracts awarded for the acquisition of information technology contain language, within the contract constraints section, that encompasses the requirements set forth in FDCC and enables USAID to ensure that performing vendors adhere to these standards as they apply to USAID systems and software.

    Recommendation: To improve the agency's implementation of FDCC, the Administrator of the U.S. Agency for International Development should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of State: Agency for International Development

  58. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that VA, in response to our recommendation, has substantially implemented FDCC settings or, as appropriate, U.S. Government Configuration Baseline (USGCB) settings. USGCB is the initiative that replaced FDCC.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.

    Agency Affected: Department of Veterans Affairs

  59. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that VA, in response to our recommendation, acquired and deployed a NIST-validated SCAP tool to monitor VA's compliance with FDCC configurations.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC.

    Agency Affected: Department of Veterans Affairs

  60. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that VA, in response to our recommendation, has substantially implemented FDCC settings or, as appropriate, U.S. Government Configuration Baseline settings, the initiative that replaced FDCC. These steps increase assurance that the agency's information security will be strengthened by adhering to federal security settings.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.

    Agency Affected: Department of Veterans Affairs

  61. Status: Closed - Implemented

    Comments: VA now includes information and information system security/privacy language for inclusion in contracts, as appropriate, regarding FDCC.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.

    Agency Affected: Department of Veterans Affairs

  62. Status: Closed - Implemented

    Comments: In fiscal year 2013 we verified that the Department of Energy, in response to our recommendation, has documented deviations to FDCC settings and has ensured that these deviations were approved by a designated approving authority.

    Recommendation: To improve the department's implementation of FDCC, the Secretary of Energy should document deviations to FDCC and have them approved by a designated accrediting authority.

    Agency Affected: Department of Energy
