This is the accessible text file for GAO report number GAO-10-202 entitled 'Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements' which was released on April 12, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: March 2010: Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements: GAO-10-202: GAO Highlights: Highlights of GAO-10-202, a report to congressional requesters. Why GAO Did This Study: The increase in security incidents and continuing weakness in security controls on information technology systems at federal agencies highlight the continuing need for improved information security. To standardize and strengthen agencies’ security, the Office of Management and Budget (OMB), in collaboration with the National Institute of Standards and Technology (NIST), launched the Federal Desktop Core Configuration (FDCC) initiative in 2007. GAO was asked to (1) identify the goals, objectives, and requirements of the initiative; (2) determine the status of actions federal agencies have taken, or plan to take, to implement the initiative; and (3) identify the benefits, challenges, and lessons learned in implementing this initiative. To accomplish this, GAO reviewed policies, plans, and other documents at the 24 major executive branch agencies; reviewed OMB and NIST guidance and documentation; and interviewed officials. What GAO Found: The goals of FDCC are to improve information security and reduce overall information technology operating costs across the federal government by, among other things, providing a baseline level of security through the implementation of a set of standard configuration settings on government-owned desktop and laptop computers (i.e., workstations). To carry out the initiative, OMB required that executive branch agencies take several actions, including: (1) submit an implementation plan to OMB; (2) apply all configuration settings to all applicable workstations by February 2008; (3) document any deviations from the prescribed settings and have them approved by an accrediting authority; (4) acquire a specified NIST-validated tool for monitoring implementation of the settings; (5) ensure that future information technology acquisitions comply with the configuration settings; and (6) submit a status report to NIST. While agencies have taken actions to implement these requirements, none of the agencies has fully implemented all configuration settings on their applicable workstations. Specifically, most plans submitted to OMB did not address all key implementation activities; none of the agencies implemented all of the prescribed configuration settings on all applicable workstations, though several implemented agency-defined subsets of the settings; several agencies did not fully document their deviations from the settings or establish a process for approving them; six agencies did not acquire and make use of the required tool for monitoring FDCC compliance; many agencies did not incorporate language into contracts to ensure that future information technology acquisitions comply with FDCC; and many agencies did not describe plans for eliminating or mitigating their deviations in their compliance reports to NIST. Until agencies ensure that they are meeting these FDCC requirements, the effectiveness of the initiative will be limited. FDCC has the potential to increase agencies’ information security by requiring stricter security settings on workstations than those that may have been previously in place and standardizing agencies’ management of workstations, making it easier to manage changes such as applying updates or patches. In addition, a number of lessons can be learned from the management and implementation of the FDCC initiative which, if considered, could improve the implementation of future versions of FDCC or other configuration efforts. At the same time, agencies face several ongoing challenges in fully complying with FDCC requirements, including retrofitting applications and systems in their existing environments to comply with the settings, assessing the risks associated with deviations, and monitoring workstations to ensure that the settings are applied and functioning properly. As OMB moves forward with the initiative, understanding the lessons learned as well as the ongoing challenges agencies face will be essential in order to ensure the initiative is successful in ensuring public confidence in the confidentiality, integrity, and availability of government information. What GAO Recommends: GAO recommends that OMB, among other things, issue guidance on assessing the risks of deviations and monitoring compliance with FDCC. GAO also recommends that 22 agencies take steps to fully implement FDCC requirements. These agencies generally concurred with GAO’s recommendations. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/products/GAO-10-202]. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. [End of section] Contents: Letter: Background: FDCC Aims to Improve Agencies' Information Security and Reduce IT Operating Costs: Agencies Have Not Fully Implemented FDCC Settings, but Most Have Complied with Other Requirements: Implementing FDCC Resulted in Benefits and Lessons Learned, but Agencies Continue to Face Challenges in Meeting Requirements: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Percentage of Agency Workstations with FDCC Settings Implemented as of September 2009: Appendix III: Recommendations to Departments and Agencies: Appendix IV: Comments from the U.S. Department of Agriculture: Appendix V: Comments from the Department of Commerce: Appendix VI: Comments from the Department of Defense: Appendix VII: Comments from the General Services Administration: Appendix VIII: Comments from the Department of Homeland Security: Appendix IX: Comments from the Department of Housing and Urban Development: Appendix X: Comments from the Department of the Interior: Appendix XI: Comments from the Department of Labor: Appendix XII: Comments from the National Aeronautics and Space Administration: Appendix XIII: Comments from the Office of Personnel Management: Appendix XIV: Comments from the Social Security Administration: Appendix XV: Comments from the Department of the Treasury: Appendix XVI: Comments from the U.S. Agency for International Development: Appendix XVII: Comments from the Department of Veterans Affairs: Appendix XVIII: GAO Contact and Staff Acknowledgments: Tables: Table 1: Number of Agency FDCC Implementation Plans That Addressed Required Actions: Table 2: Range of the Number of Less-Stringent Deviations with the Corresponding Number of Agencies: Table 3: Ten Most Common Less-Stringent FDCC Deviations at Federal Agencies: Table 4: Status of Agency Compliance with Deviation Guidance: Table 5: Status of Agency Acquisition and Use of a NIST-validated SCAP Tool: Table 6: Agency Incorporation of Language into Contracts: Table 7: Agency-Reported Percentages of Workstations with FDCC Settings Implemented as of September 2009: Figure: Figure 1: Agency-Reported Implementation of FDCC Baseline as of September 2009: Abbreviations: FDCC: Federal Desktop Core Configuration: FISMA: Federal Information Security Management Act of 2002: IT: information technology: NIST: National Institute of Standards and Technology: OMB: Office of Management and Budget: SCAP: Security Content Automation Protocol: [End of section] United States Government Accountability Office: Washington, DC 20548: March 12, 2010: The Honorable Joseph I. Lieberman: Chairman: The Honorable Susan M. Collins: Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Thomas R. Carper: Chairman: Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security: Committee on Homeland Security and Governmental Affairs: United States Senate: The frequency of information security incidents at federal agencies, the wide availability of hacking tools, and steady advances in the sophistication and effectiveness of attack technology all contribute to the urgency of protecting the federal government's information and systems. In addition to these threats, we have consistently identified significant weaknesses in the security controls on federal systems, including desktops and laptops (i.e., workstations) that have impacted the confidentiality, integrity, and availability of government information. Due to the persistent nature of these vulnerabilities and associated risks, we have designated information security as a governmentwide high-risk issue since 1997 in our biennial reports to Congress.[Footnote 1] In an attempt to standardize and thereby strengthen information security, the Office of Management and Budget (OMB) launched the Federal Desktop Core Configuration (FDCC) initiative in March 2007. The initiative mandated that federal agencies implement standardized configuration settings on workstations with Windows XP or Vista operating systems. In view of the importance of FDCC in improving the ability of the federal government to safeguard its systems and protect sensitive information, you asked us to (1) identify the goals, objectives, and requirements for the initiative; (2) determine the status of actions federal agencies have taken, or plan to take, to implement the initiative; and (3) identify the benefits, challenges, and lessons learned in implementing this initiative. We conducted our review at each of the 24 major federal agencies[Footnote 2] covered by the Chief Financial Officers Act, [Footnote 3] where we obtained and analyzed policies, plans, status reports, and agency descriptions of challenges relative to the requirements of the initiative. We also developed a data collection instrument to gather information on the status of FDCC implementation at the 24 agencies as of September 2009. We compared agency documentation and descriptions of challenges with OMB program requirements and relevant National Institute of Standards and Technology (NIST) guidance, which we confirmed through interviews with OMB and NIST officials. We also met with staff from all 24 Offices of the Inspector General regarding their audit work performed relative to the initiative to obtain information on their audit methodology, findings, and related documentation. Based on our review of the adequacy of work performed, we have sufficient assurance to rely on work completed by the inspectors general in the context of our audit objective related to whether the agency had documented deviations and had incorporated language related to use of FDCC settings into its contracts. We conducted this performance audit from December 2008 to March 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Further details of our objectives, scope, and methodology are included in appendix I. Background: Cyber-based threats to federal systems and critical infrastructure are evolving and growing. These threats can be intentional or unintentional, targeted or non-targeted, and can come from a variety of sources, including criminals, terrorists, and other adversarial groups, as well as hackers and disgruntled employees. These potential attackers have a variety of techniques at their disposal, which can vastly enhance the reach and impact of their actions. For example, cyber attackers do not need to be physically close to their targets, their attacks can cross state and national borders, and they can preserve their anonymity. Further, the growing interconnectivity among different types of information systems presents increasing opportunities for such attacks. Reports of security incidents from federal agencies are on the rise, increasing by more than 200 percent from fiscal year 2006 to fiscal year 2008.[Footnote 4] In February 2009, the Director of National Intelligence testified that foreign nations and criminals had targeted government and private sector networks to potentially disrupt or destroy them, and that terrorist groups had expressed a desire to use cyber attacks as a means to target the United States.[Footnote 5] As recently as July 2009, media accounts reported that a widespread and coordinated attack over the course of several days targeted Web sites operated by major government agencies, including the Departments of Homeland Security and Defense, the Federal Aviation Administration, and the Federal Trade Commission, causing disruptions to the public availability of government information. Such attacks highlight the importance of developing a concerted response to safeguard federal information systems. Previously Reported Weaknesses in Agency Information Security Controls: Compounding the growing number and kinds of threats, we--along with agencies and their inspectors general--have identified significant weaknesses in the security controls on federal information systems,[Footnote 6] which have resulted in pervasive vulnerabilities. These include deficiencies in the security of financial systems and information and vulnerabilities in other critical federal information systems and networks. These weaknesses exist in all major categories of information security controls at federal agencies; for example, in fiscal year 2008, weaknesses were reported in such controls at 23 of the 24 major agencies. Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; and log, audit, and monitor security-relevant events, among other actions. Our recent work focusing on specific agencies has also revealed security weaknesses, as illustrated by the following examples: * In 2009, we reported that three National Aeronautics and Space Administration centers had not, among other things, sufficiently restricted system access and privileges to only those users that needed access to perform their assigned duties, appropriately implemented encryption to safeguard sensitive information, and expeditiously applied a critical operating system patch or patches for a number of general third-party applications.[Footnote 7] At the same time, the agency experienced numerous cyber attacks and malicious software infections, thereby exposing critical and sensitive data to unauthorized access, disclosure, and manipulation. We recommended that the agency take steps to mitigate these weaknesses and fully implement a comprehensive information security program. * In the same year, we reported that the Financial Crimes Enforcement Network, a bureau within the Department of the Treasury, had not consistently implemented effective password controls or effectively controlled user identification and authentication.[Footnote 8] As a result, there was increased risk that malicious individuals could gain inappropriate access to sensitive systems and data. We recommended that the agency take steps to fully implement an agencywide security program. * In 2008, we reported that although the Department of Energy's Los Alamos National Laboratory--one of the nation's weapons laboratories-- had implemented measures to enhance the information security of its unclassified network, there were still vulnerabilities in monitoring and auditing compliance with security policies and controlling and documenting changes to a computer system's hardware and software. [Footnote 9] * Finally, we reported in 2007 that the Department of Homeland Security had significant weaknesses in computer security controls intended to protect the information systems used to support its U.S. Visitor and Immigration Status Indicator Technology program for border security.[Footnote 10] For example, the department had not implemented controls to effectively prevent, limit, and detect access to computer networks, systems, and information. Specifically, it had not provided adequate logging or user accountability for the mainframe, workstations, or servers and had not consistently maintained secure configurations on the application servers and workstations at a key data center and points of entry. In each of these cases, we made recommendations for strengthening or fully implementing agencies' information security programs. Federal Law Assigns Responsibility to OMB, NIST, and Agencies for Information Security: In addition to the responsibilities of individual agencies, OMB and NIST play key roles in ensuring the security of federal systems and information. Under the Federal Information Security Management Act of 2002 (FISMA),[Footnote 11] OMB is responsible for developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, and reviewing agency information security programs at least annually. In addition, the act requires that OMB report to Congress no later than March 1 of each year on the status of agency compliance with FISMA. The act, which sets forth a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, also assigned NIST responsibility for developing standards and guidelines (for systems other than national security systems) that include minimum information security requirements. FISMA also assigns specific responsibilities to agencies to document and implement agencywide security programs and report on their security policies, procedures, and practices. For example, agencies are responsible for developing and complying with minimally acceptable system configuration requirements. Finally, FISMA requires agency inspectors general to annually evaluate agency information security activities. OMB Initiated FDCC and Provided Guidance for Agency Implementation: To help carry out its responsibilities for ensuring federal information security, OMB launched the FDCC initiative in March 2007. This initiative required federal agencies to implement common security configurations on Windows XP and Vista operating systems[Footnote 12] by February 2008.[Footnote 13] Subsequently, OMB issued several other memorandums detailing additional requirements and guidance to agencies on completing implementation of the initiative. OMB also has responsibility for approving any changes to the settings or setting parameters. At the request of OMB, NIST published the first beta version of the FDCC configuration settings in July 2007 for federal workstations that use Windows XP or Windows Vista as their operating system. FDCC was based on settings developed by the Air Force in partnership with the National Security Agency, Defense Information Systems Agency, NIST, and representatives from the Army, Navy, and Marines. Over the course of the next 11 months, NIST made several updates to the content and posted the revised versions on its Web site. The first major version of the configuration settings, version 1.0, was posted on NIST's Web site in June 2008 after a period of public comment. Based on implementation information reported by the agencies to NIST in March 2008, agency feedback on settings that were problematic to implement, and comments from the federal community, OMB had NIST remove 40 settings from the original beta version for version 1.0. In addition to publishing the FDCC settings, NIST also has responsibility for: * Developing resources, in collaboration with Microsoft, to aid agencies in deploying and testing the security configuration settings within their computing environments. These include group policy objects,[Footnote 14] which allow agencies to deploy the settings to desktop and laptop computers agencywide, and virtual hard-disk files, [Footnote 15] which allow agencies to test the settings in a non- operational environment. These files were first made available for agencies to download from NIST's Web site starting in July 2007 and were later updated with the release of major version 1.0. * Establishing the Security Content Automation Protocol (SCAP), [Footnote 16] which can be used to support the automated checking, measuring, and monitoring of the FDCC settings for compliance. Product vendors can create a tool (i.e., application) that uses SCAP for these activities. * Validating SCAP tools to ensure that a tool uses the features and functionality available through SCAP. In order for a tool to receive validation, a vendor must first have the tool tested by 1 of 10 independent testing laboratories accredited under NIST's National Voluntary Laboratory Accreditation Program.[Footnote 17] The testing results are then sent by the laboratory to NIST for review. If the tool passes, NIST will validate the SCAP tool, which is valid for 1 calendar year. * Making technical changes to the SCAP that support the FDCC settings, such as when new specifications are added, existing specifications are updated, or when a more efficient method is found to test a particular setting. NIST has released two additional major versions to make technical modifications to the SCAP: version 1.1 in October 2008 and version 1.2 in April 2009. NIST also publishes patch content updates based on Microsoft's patch releases. * Posting frequently asked questions on its Web site on behalf of OMB to answer agencies' questions about testing, deployment, reporting deviations, and use of SCAP tools for evaluation of compliance. The questions have also provided clarification of the settings requirements and their applicability to different types of computers, including contractor-owned or operated machines. These questions are revised on a periodic basis as needed and as determined by NIST. FDCC Aims to Improve Agencies' Information Security and Reduce IT Operating Costs: In its March 2007 directives to agencies to implement FDCC, OMB established two goals for the initiative: improve information security and reduce overall information technology (IT) operating costs for agencies that use or plan to use Windows XP or Vista operating systems on their workstations.[Footnote 18] By implementing the initiative, OMB intended that agencies should be able to achieve the following objectives: * Provide a baseline level of security through the use of standardized configuration settings that limit access privileges granted to users and other access controls, thereby controlling what a user may or may not do on his or her workstation. The settings create a baseline from which agencies may increase the level of security by making the settings more restrictive or by employing firewalls and intrusion detection systems along with other security devices and practices. * Reduce risk from security threats and vulnerabilities by employing the use of standards that are more restrictive than the default settings of the manufacturer. For example, the required settings do not allow the installation of unauthorized software, which lowers the risk of introducing a virus or other malicious device along with the software. * Save time and resources by requiring all FDCC workstations within an agency to use the same settings. This standardization also allows an agency's IT department to be more efficient in repairing computer problems. * Improve system performance by restricting the access privileges of administrators and users to only those necessary to perform their duties. This helps to limit downloading of unapproved software and information that could tie up system and help desk resources. * Decrease operating costs by using standard configuration settings that allow IT personnel to solve a workstation problem once and then replicate that solution for every workstation in the agency, saving labor and time. * Ensure public confidence in the confidentiality, integrity, and availability of government information by standardizing strong security settings across all federal agencies. This will help to protect federal systems from cyber attacks and may help to ensure the public's confidence that their personal information will not be compromised. OMB Established Requirements for Agency Implementation of FDCC: In its initial memorandums and subsequent guidance, OMB identified several requirements with which agencies were directed to comply in order to implement FDCC. The following are the key FDCC requirements: * Submit a draft implementation plan to OMB by May 1, 2007.[Footnote 19] Agencies were required to submit an implementation plan to OMB describing how they intended to (1) test configuration settings in a non-production environment to identify any adverse effects on system functionality; (2) implement the settings and automate monitoring and use; (3) restrict administration of these settings to authorized professionals; (4) ensure, by June 30, 2007, that new IT acquisitions include the settings and require IT providers to certify that their products operate effectively using the settings; (5) apply Microsoft patches available from the Department of Homeland Security when addressing new Windows XP or Vista vulnerabilities; (6) provide to NIST documentation of any deviations[Footnote 20] from these settings and the rationale for the deviations; and (7) ensure the settings are incorporated into agency capital planning and investment control processes. * Adopt the Windows XP and Vista security configuration settings by February 1, 2008.[Footnote 21] Agencies were required to implement the FDCC configuration settings on all government-owned desktops and laptops that use Windows XP or Vista operating systems and the Internet Explorer 7 or Windows Firewall applications. This requirement was later clarified to include desktops and laptops that are owned or operated by a contractor on behalf of or for the federal government or that are integrated into a federal system. The requirement excludes servers, embedded computers, process control systems, specialized scientific or experimental systems, and similar systems using these operating systems.[Footnote 22] FDCC major version 1.0 includes 674 configuration settings for Windows XP and Windows Vista systems, when bundled with Internet Explorer 7 and Windows Firewall. Examples of these settings include the following: - Specifies the number of minutes a locked-out account remains locked out before it automatically unlocks. - Specifies the minimum number of characters a password must have. - Specifies whether or not the user is prompted for a password when the system resumes from sleep mode. - Requires the use of Federal Information Processing Standards- compliant[Footnote 23] algorithms for encryption, hashing, and signing.[Footnote 24] - Shuts the system down immediately if it is unable to log security audits.[Footnote 25] - Creates a log when Windows firewall with advanced security allows an inbound connection. The log will detail why and when the connection was formed. * Document deviations and have them approved by a designated accrediting authority. Agencies were required to document deviations initially as part of their draft implementation plan efforts.[Footnote 26] OMB later required agencies to report these deviations to NIST in March 2008.[Footnote 27] OMB also later noted[Footnote 28] that configuration setting deviations are to be approved by the department or agency accrediting authority.[Footnote 29] * Acquire a SCAP tool and use it to monitor FDCC. Agencies are required to acquire a NIST-validated SCAP tool[Footnote 30] and to use these tools when monitoring the settings.[Footnote 31] * Ensure that new acquisitions include security configuration settings. Agencies are required to ensure that new acquisitions include FDCC settings and products of information technology providers operate effectively using them.[Footnote 32] * Submit FDCC compliance reports to NIST by March 31, 2008. Agencies were required to submit a spreadsheet that summarized workstation counts, setting deviations, and descriptions of plans of action and milestones[Footnote 33] for the deviations, along with related reports generated by a SCAP tool for each operational environment present within the agency.[Footnote 34] * Report on status of FDCC compliance in annual FISMA reporting. Agencies were required to report the status of compliance with FDCC as part of FISMA reporting for fiscal year 2008. This requirement included reporting on whether the configuration settings had been adopted and implemented, with deviations documented; whether language relating to the use of FDCC settings had been included in contracts; and whether all workstations had the security settings implemented.[Footnote 35] Agency inspectors general were asked to assess agencies' compliance with the reporting requirements. For fiscal year 2009, agencies and agency inspectors general were required to report the status of compliance with specific requirements including whether deviations had been documented and language relating to the use of FDCC settings had been included in all contracts. [Footnote 36] Agencies Have Not Fully Implemented FDCC Settings, but Most Have Complied with Other Requirements: None of the agencies has fully implemented all FDCC configuration settings on all applicable workstations, although most have complied with other requirements. Specifically, 11 agencies reported they had completed implementation of an agency-approved subset of the FDCC settings and do not plan to implement all the configuration settings, while the remaining agencies reported they are still completing implementation of the settings. However, most agencies have generally complied with other initiative requirements. For instance, 19 agencies have fully documented their deviations and 16 have established a policy for having those deviations approved by a designated authority. In addition, 15 agencies have acquired and deployed a NIST-validated SCAP tool to monitor the compliance of their setting implementation. Eight agencies have also incorporated language into their contracts to ensure that new acquisitions comply with FDCC. Most Agencies Submitted FDCC Implementation Plans to OMB, but Did Not Address All Required Activities: While agencies were required to submit a draft implementation plan to OMB by May 1, 2007, fewer than half of the agencies developed plans that addressed the seven actions necessary to fully implement the initiative. Of the 24 agencies, 19 provided their plans to us, while 5 agencies either did not develop an implementation plan or were unable to locate a copy of the plan.[Footnote 37] Of the 19 plans, 11 described how the agency intended to implement each of the seven actions required by OMB. The remaining 8 plans either did not address the actions or described only some of them. Table 1 shows how many agencies addressed each of the required actions in their FDCC implementation plans. Table 1: Number of Agency FDCC Implementation Plans That Addressed Required Actions: Required action: 1. Test configurations in a non-production environment to identify adverse effects on system functionality; Agency plans that addressed the action: 16. Required action: 2. Implement the configurations and automate monitoring and use; Agency plans that addressed the action: 16. Required action: 3. Restrict administration of these configurations to authorized professionals; Agency plans that addressed the action: 15. Required action: 4. Ensure by June 30, 2007, that new acquisitions include the configurations and require information technology providers to certify that their products operate effectively using the configurations; Agency plans that addressed the action: 11. Required action: 5. Apply Microsoft patches available from Department of Homeland Security when addressing new Windows XP or Vista vulnerabilities; Agency plans that addressed the action: 12. Required action: 6. Provide NIST documentation of any deviations from these configurations and the rationale for the deviations; Agency plans that addressed the action: 15. Required action: 7. Ensure these configurations are incorporated into agency capital planning and investment control processes; Agency plans that addressed the action: 12. Source: GAO analysis of agency FDCC implementation plans submitted to OMB. [End of table] Officials from one of the agencies whose plan did not address the required activities told us that OMB had provided feedback and requested changes to the plan, but the remaining agencies indicated that OMB had not provided feedback on the submitted plans and had not requested any changes. OMB was unable to confirm whether the 24 agencies had submitted the implementation plans by the required deadline because, officials stated, this information had been archived with the previous administration. As discussed later in the section on lessons learned, agencies experienced problems in implementing this requirement due to unrealistic deadlines. All Agencies Reported Implementing a Subset of FDCC Settings: Though agencies were required to adopt and implement the FDCC settings by February 1, 2008, as of September 2009, none of the 24 major agencies reported that they had adopted and fully implemented the complete set of prescribed settings on all applicable workstations. Instead, all agencies planned to implement a subset of the FDCC settings, which they referred to as their agency baseline; these baselines included deviations from the approved parameters established by FDCC, in some cases for up to one-fifth of the settings.[Footnote 38] As of September 2009, 11 agencies reported they had completed implementation of their baselines on all applicable workstations, and 11 were still in the process of finishing implementation of their baseline. The other 2 agencies were unable to provide sufficient data to determine the status of implementation because they either lacked a SCAP tool or had data reliability issues due to using multiple tools. (See appendix II for more details on the status of each agency in implementing the FDCC settings, as of September 2009.) For those agencies that were still in the process of completing implementation of their baseline, agency officials reported various milestones for expected completion; however, some of those deadlines had not been met, and other agency officials did not report a milestone for completion. For example, a few agency officials indicated they would complete implementation by September 2009; however, this deadline was not met. Figure 1 summarizes the status of agency-reported implementation of their FDCC baselines for applicable workstations with Windows XP and Vista operating systems. Figure 1: Agency-Reported Implementation of FDCC Baseline as of September 2009: [Refer to PDF for image: vertical bar graph] Percentage of workstations: 0–24%; XP: 2; Vista: 1. Percentage of workstations: 25–49%; XP: 2; Vista: 1. Percentage of workstations: 50–74%; XP: 1; Vista: 2. Percentage of workstations: 75–100%; XP: 17; Vista: 9. Source: GAO analysis of data reported by agencies in GAO data collection instrument. [End of figure] Agency officials told us that several factors had influenced their decision to establish deviations, whether less or more stringent, from the settings. These factors included cases where FDCC settings: * had an adverse impact on applications, production, or legacy systems; * conflicted with agency policy; * prohibited agency administrators from completing tasks; and: * impaired the capability to provide customer support or remote assistance. In establishing their baselines, agencies allowed a range of deviations, some with parameters that were less stringent (e.g., less secure) than the approved parameters, while others were more stringent. Of the 24 agencies, 23 provided us a list of their deviations and 1 agency indicated it had not developed a list. Each of the 23 lists identified deviations that were less stringent than the FDCC settings. Specifically, 15 agencies had 10 or more less-stringent deviations, and 6 agencies had 40 or more less-stringent deviations, which is 6 percent of the 674 total number of FDCC settings. Table 2 shows the range of the number of less-stringent deviations and the corresponding number of agencies. Table 2: Range of the Number of Less-Stringent Deviations with the Corresponding Number of Agencies: Range of deviations: 1-9; Number of agencies: 8. Range of deviations: 10-19; Number of agencies: 4. Range of deviations: 20-39; Number of agencies: 5. Range of deviations: 40-75; Number of agencies: 3. Range of deviations: 76-130; Number of agencies: 3. Source: GAO analysis of agency reported data. [End of table] Our analysis revealed ten most common less-stringent deviations across the federal government. For example, 21 of the 23 agencies that provided deviation lists had a deviation for the use of encryption algorithms[Footnote 39] that are compliant with Federal Information Processing Standards, and 17 agencies had a deviation for the setting regarding digital signatures of client communications. Table 3 shows the 10 most common less-stringent deviations and the number of agencies that reported having them. Table 3: Ten Most Common Less-Stringent FDCC Deviations at Federal Agencies: FDCC setting: Determines whether Federal Information Processing Standards-compliant encryption algorithms must be used; Operating system: XP/Vista; Number of agencies: 21. FDCC setting: Determines whether the computer always digitally signs client communications; Operating system: XP/Vista; Number of agencies: 17. FDCC setting: Determines what happens when an attempt is made to install a device driver that has not been certified by the Windows Hardware Quality Lab; Operating system: XP; Number of agencies: 16. FDCC setting: Determines which password hashing algorithm is used for network logons; Operating system: XP/Vista; Number of agencies: 12. FDCC setting: Determines which users are allowed to use a network utility tool; Operating system: XP; Number of agencies: 12. FDCC setting: Determines whether the Server Message Block server is required to perform packet signing; Operating system: XP/Vista; Number of agencies: 12. FDCC setting: Determines who can connect to the workstation over the network; Operating system: XP/Vista; Number of agencies: 11. FDCC setting: Determines the least number of characters that a password for a user account can contain; Operating system: XP/Vista; Number of agencies: 11. FDCC setting: Determines whether a wireless configuration service can be used; Operating system: XP; Number of agencies: 10. FDCC setting: Determines whether users can make remote assistance invitations for workstations; Operating system: XP/Vista; Number of agencies: 9. Source: GAO analysis of agency data. [End of table] Additionally, 7 agencies listed deviations that were more stringent (e.g., had parameters that were more secure) than the FDCC settings. Of the 7 agencies with more-stringent deviations, 1 had 10 or more of these more-stringent deviations, while the remaining 6 agencies had fewer than 10. There is also a common set of these more-stringent deviations among the 7 agencies. For example, 3 agencies have a deviation for duration accounts can be locked out, 2 agencies have a deviation for how many invalid logon attempts can occur before an account is locked out, and 2 agencies have a deviation for the type of user who can format and eject removable media. Until those agencies that have not completed implementation of their FDCC baseline (see appendix II) establish firm milestones for completion and complete implementation, agencies risk not achieving the potential benefits of the initiative. Most Agencies Documented Deviations, but Eight Did Not Establish a Policy for Approving Them: Although OMB guidance indicates that agencies are to document and have a designated accrediting authority approve deviations from FDCC, several agencies did not do so. Of the 24 agencies, 23 had deviations and 1 did not maintain a list. Of the 23, 19 had fully documented their deviations but 4 had not. In addition, 16 agencies established a policy to have deviations approved by a designated accrediting authority, while 8 agencies have not established such a policy. Table 4 shows which agencies have documented deviations and have a policy in place to approve deviations by a designated authority. Table 4: Status of Agency Compliance with Deviation Guidance: Agency: Agriculture; Documented deviations: No; Have policy to approve deviations by designated authority: No. Agency: Commerce; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: Defense; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: Education; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: Energy; Documented deviations: No; Have policy to approve deviations by designated authority: Yes. Agency: Environmental Protection Agency; Documented deviations: Yes; Have policy to approve deviations by designated authority: No. Agency: General Services Administration; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: Health and Human Services; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: Homeland Security; Documented deviations: Yes; Have policy to approve deviations by designated authority: No. Agency: Housing and Urban Development; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: Interior; Documented deviations: No[A]; Have policy to approve deviations by designated authority: No[A]. Agency: Justice; Documented deviations: Yes; Have policy to approve deviations by designated authority: No. Agency: Labor; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: National Aeronautics and Space Administration; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: National Science Foundation; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: Nuclear Regulatory Commission; Documented deviations: Yes; Have policy to approve deviations by designated authority: No. Agency: Office of Personnel Management; Documented deviations: No; Have policy to approve deviations by designated authority: Yes. Agency: Small Business Administration; Documented deviations: Yes; Have policy to approve deviations by designated authority: No. Agency: Social Security Administration; Documented deviations: Yes; Have policy to approve deviations by designated authority: No. Agency: State; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: Transportation; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: Treasury; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: U.S. Agency for International Development; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Agency: Veterans Affairs; Documented deviations: Yes; Have policy to approve deviations by designated authority: Yes. Source: GAO analysis of agency documentation and responses by agency inspectors general to fiscal year 2009 FISMA reporting question. [A] Although the Department of the Interior documented deviations and had them approved by a designated authority at the department level, all of its agency components had not implemented these requirements. [End of table] Agency officials who had not documented deviations said they either did not maintain lists for field offices or had not yet completed the process for establishing the agency baseline and documenting the deviations. Officials from agencies that did not have a policy in place for approving deviations told us they were still working to develop an approval process. Until agencies document their FDCC deviations or have a policy in place to approve those deviations, they cannot fully assess the potential risk of not implementing the required settings and they cannot ensure that configuration baselines are effectively controlled and maintained. Six Agencies Have Yet to Acquire a SCAP Tool and Use It to Monitor FDCC Configurations: Agencies were required to obtain a NIST-validated SCAP tool and use it to consistently monitor the implementation of the configuration; however, while 15 agencies reported acquiring and deploying NIST- validated tools, 6 had not. Of the 3 remaining agencies, some of their components have a NIST-validated SCAP tool, while the other components either do not have a tool or do not use a NIST-validated tool for monitoring workstation configurations. Regardless of whether the tool has been validated or not, most agencies used one to monitor FDCC implementation. However, 2 agencies that had a validated tool had not yet established a policy for monitoring compliance. Table 5 shows which federal agencies have acquired a NIST-validated tool and were using it to monitor their workstation configurations. Table 5: Status of Agency Acquisition and Use of a NIST-validated SCAP Tool: Agency: Agriculture; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: Commerce; NIST-validated SCAP tool acquired and deployed: Partially; NIST-validated SCAP tool used to monitor compliance: Partially. Agency: Defense; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: Education; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: Energy; NIST-validated SCAP tool acquired and deployed: Partially; NIST-validated SCAP tool used to monitor compliance: Partially. Agency: Environmental Protection Agency; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: General Services Administration; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: Health and Human Services; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: No[B]. Agency: Homeland Security; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: No. Agency: Housing and Urban Development; NIST-validated SCAP tool acquired and deployed: No; NIST-validated SCAP tool used to monitor compliance: No. Agency: Interior; NIST-validated SCAP tool acquired and deployed: Partially; NIST-validated SCAP tool used to monitor compliance: Partially. Agency: Justice; NIST-validated SCAP tool acquired and deployed: No[A]; NIST-validated SCAP tool used to monitor compliance: No[C]. Agency: Labor; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: National Aeronautics and Space Administration; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: National Science Foundation; NIST-validated SCAP tool acquired and deployed: No[A]; NIST-validated SCAP tool used to monitor compliance: No[C]. Agency: Nuclear Regulatory Commission; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: Office of Personnel Management; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: Small Business Administration; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: Social Security Administration; NIST-validated SCAP tool acquired and deployed: No[A]; NIST-validated SCAP tool used to monitor compliance: No. Agency: State; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: Transportation; NIST-validated SCAP tool acquired and deployed: No[A]; NIST-validated SCAP tool used to monitor compliance: No[C]. Agency: Treasury; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: U.S. Agency for International Development; NIST-validated SCAP tool acquired and deployed: Yes; NIST-validated SCAP tool used to monitor compliance: Yes. Agency: Veterans Affairs; NIST-validated SCAP tool acquired and deployed: No; NIST-validated SCAP tool used to monitor compliance: No. Source: GAO analysis of agency data. [A] Agency has acquired a NIST-validated tool but has not completed deployment at the agency. [B] Although the agency lacks a policy for monitoring compliance, it does perform scanning of its workstations using a NIST-validated SCAP tool. [C] Agency or components within the agency used a SCAP tool not currently validated by NIST to monitor compliance. Note: Agency was given a rating of "partially" if some components had acquired a validated SCAP tool and used it to monitor compliance but other components had not. [End of table] At agencies that did not have a NIST-validated SCAP tool, officials told us they were in the process of acquiring a tool but had been delayed due to funding issues. For those agencies where only some components had acquired a tool, officials told us their components were responsible for acquiring a tool and noted that funding had been an issue. At agencies without a policy for monitoring implementation, officials told us that either a policy had not been finalized or a policy would be developed once a SCAP tool had been acquired. However, officials from one of these agencies noted that although they lacked a policy, they were still performing some monitoring of workstations. Until agencies acquire and deploy a NIST-validated SCAP tool and develop, document, and implement policies to monitor compliance, they will not be able to ensure that the FDCC settings have been successfully implemented to help protect the confidentiality, integrity, and availability of their information. Most Agencies Have Not Incorporated Language into Contracts: Although OMB requires agencies to include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them, most agencies have not done so. Eight agencies had incorporated the language into their contracts, while 13 agencies had not, and 3 agencies had partially implemented the requirement. Table 6 shows which agencies have incorporated language into their contracts. Table 6: Agency Incorporation of Language into Contracts: Agency: Agriculture; Language incorporated: Yes. Agency: Commerce; Language incorporated: No. Agency: Defense; Language incorporated: No. Agency: Education; Language incorporated: Yes. Agency: Energy; Language incorporated: No. Agency: Environmental Protection Agency; Language incorporated: Yes. Agency: General Services Administration; Language incorporated: Yes. Agency: Health and Human Services; Language incorporated: No. Agency: Homeland Security; Language incorporated: No. Agency: Housing and Urban Development; Language incorporated: No. Agency: Interior; Language incorporated: Yes. Agency: Justice; Language incorporated: No. Agency: Labor; Language incorporated: Partially. Agency: National Aeronautics and Space Administration; Language incorporated: Yes. Agency: National Science Foundation; Language incorporated: Yes. Agency: Nuclear Regulatory Commission; Language incorporated: Partially. Agency: Office of Personnel Management; Language incorporated: No. Agency: Small Business Administration; Language incorporated: No. Agency: Social Security Administration; Language incorporated: No. Agency: State; Language incorporated: Yes. Agency: Transportation; Language incorporated: No. Agency: Treasury; Language incorporated: Partially. Agency: U.S. Agency for International Development; Language incorporated: No. Agency: Veterans Affairs; Language incorporated: No. Source: GAO analysis and agency inspector general-provided responses for FISMA fiscal year 2009 reporting. Note: Agencies were given a rating of "partially" if some components had incorporated the language into contracts but others had not, or if some contracts had the language incorporated, but others did not. [End of table] Officials from agencies that had not included language in the contracts had either included language in only a portion of the contracts reviewed, or the agency indicated it was still working on incorporating the language into its contracts. In addition, two agencies had one or more components that had not included the language in contracts. Until these agencies ensure that language is included into contracts to ensure that new acquisitions include FDCC settings and products of information technology providers operate effectively using them, agencies will not be able to ensure that new acquisitions are in compliance with FDCC requirements. Majority of Agencies Reported Status of Compliance with FDCC to NIST, but Many Indicated No Plans to Mitigate Deviations: Although most agencies submitted a compliance status report to NIST, the documentation was not always complete, including plans for mitigating deviations, or timely. Agencies were required to report to NIST the status of their compliance with FDCC by March 31, 2008, and submit a list of deviations, their plans of action and milestones for mitigating the deviations, and copies of reports generated by their SCAP tools. The majority of the agencies in our review submitted documentation to NIST; however, 2 agencies told us they had not submitted information to NIST, and 1 agency was unable to locate all the documents submitted. Of the 21 agencies that provided documentation, 12 agencies submitted all of the required information and documents. The remaining 9 agencies were either missing the required information or did not submit all of the required SCAP tool reports. In addition, while many of the agencies listed deviations, they either noted they did not plan to mitigate the deviations, or made general statements about addressing them at some point in the future. Furthermore, only 13 of the agencies in our review generally met the March 31, 2008, deadline for submission, while the remaining agencies took an additional month or more to provide documentation to NIST. As discussed later in the section on lessons learned, agencies experienced problems in implementing this requirement due to unrealistic deadlines. Implementing FDCC Resulted in Benefits and Lessons Learned, but Agencies Continue to Face Challenges in Meeting Requirements: While implementation of FDCC can result in improvements to agencies' information security as well as other benefits, such as cost savings, attempting to meet the requirements yielded lessons learned that could improve the implementation of future versions of FDCC or other workstation configurations. In addition, agencies continue to face significant challenges in meeting FDCC requirements, monitoring their implementation of the settings, and measuring benefits of the initiative, among other things. Implementing FDCC Can Enhance Security at Federal Agencies: FDCC has the potential both to increase agencies' information security and to standardize their management of workstations. Other potential benefits include cost savings arising from reduced power usage. FDCC implementation enhances security by requiring stricter security settings on workstations than those that may have been previously in place at federal agencies. Specifically, some of the key configuration settings serve to secure agency workstations by restricting user and administrative rights to particular system functions. These settings reduce the potential for malware and other known vulnerabilities to affect agency workstations because the stricter access rights would prevent their automatic download and installation. As an example, officials at two agencies reported that FDCC was responsible for protecting their workstations from recent malicious code infections. The settings also reinforce access controls by restricting users' rights to what is necessary for their work. Ten of the agencies in our review attributed either increased security or increased security awareness to implementation of the settings and were generally supportive of a stricter configuration for the agency. FDCC implementation also enabled agencies to reap the benefits of having more standardized configurations within agency computing environments. For example, a more secure enterprisewide Windows configuration and consistent workstation profile (i.e., the set of configuration settings and other software applied to a workstation) across the agency can not only improve security but can also make it easier to manage changes to the security features of workstation software, such as applying updates or patches. Updates or patches can be applied more expeditiously because there are fewer workstation profiles that they must be tested on, which also reduces the amount of necessary supporting documentation. Agency officials we spoke to confirmed that FDCC provided an improved understanding of their computing environment as well as a consistent desktop image across the department. Another official stated that adopting and implementing the configuration settings would raise awareness of the importance of workstation configuration management across the government. Beyond the benefits to enhancing security within agency computing environments, there are other potential, if unanticipated, benefits to implementing particular settings and standardizing them across the federal government. For example, while settings related to activating and password-protecting screen savers can provide added security by locking the workstation while the user is not present, they could also reduce power consumption and lead to savings in utility costs. One agency official said his agency was anticipating saving between $10 million and $15 million a year by implementing the power settings, and would be deploying a tool to track this data. In addition, an agency official from the Chief Information Officers Council's FDCC Change Control Board said the board was working on recommending what it considered "green settings" to OMB, which would also potentially reduce consumption of power and the paper used to print documents.[Footnote 40] Officials at one agency also told us that because they had observed several benefits--including improved security, cost avoidance through acquisition of workstations with settings already implemented, and a simplification of the software development process--by implementing their agency FDCC baseline, they were in the process of developing or finalizing configuration settings for other operating systems and servers. Lessons Learned: There are a number of lessons to be learned from the management and implementation of the FDCC initiative which, if considered, could improve the implementation of future versions of FDCC or other configuration efforts. Having Realistic and Established Time Frames for Completion Is Needed to Ensure Successful Implementation: OMB did not provide a realistic time frame for agencies to meet the requirements of the initiative and complete implementation of FDCC by February 2008. This is due in large part to OMB not considering several constraints when establishing time frames for agencies to complete the requirements and implement the beta version of the settings within 7 months, including: * Agencies were required to submit draft plans to implement the settings by May 1, 2007, approximately 3 months before being informed of the settings they were required to implement. * Only one SCAP tool was validated in time for agencies to use to report the status of implementation to NIST, and one agency found that the tool did not produce the needed reports required for NIST reporting. The earliest any of the other tools were validated was 7 months after the deadline. * Multiple changes occurred to the FDCC content--including the settings, SCAP, and resources--that agencies were supposed to use in order to complete implementation by the February 2008 deadline. In addition, another version of the settings was released between the February deadline and the March 2008 compliance reporting deadline. Furthermore, once the beta version of the settings was revised and major version 1.0 was released in June 2008, OMB did not establish a deadline for agencies to complete implementation of this version. OMB officials confirmed they have not established a schedule for announcing changes to FDCC versions or implementation deadlines. However, they stated they were working with the Chief Information Officers Council and its newly developed FDCC Change Control Board to provide a framework for soliciting input and feedback on future versions of the settings on a yearly basis. Nevertheless, without realistic deadlines that are effectively communicated with sufficient notice, agencies will continue to face challenges in meeting implementation deadlines for future versions of FDCC. Clarifying Guidance on Requirements for Deviations Is Necessary for Consistent Implementation: OMB and NIST guidance with regard to deviations was not always comprehensive, and agencies interpreted it in divergent ways. Specifically, OMB memorandums and guidance published on NIST's Web site were not clear as to: * under what conditions deviations were permitted; * whether deviations could be permanent, or should be mitigated in a timely manner; * how deviations should be documented, tracked, and approved by a designated authority; and: * how frequently and to whom deviations should be reported. As a result, agencies interpreted this guidance in significantly different ways. Only one agency interpreted the requirements to mean that no deviations were permitted, while other agencies, by contrast, interpreted full implementation of FDCC to mean applying 85 to 95 percent of the settings, with deviations allowed under certain circumstances. In addition, most agencies responded, either in their descriptions of plans of action and milestones or in interviews, that they had permanent deviations from FDCC, indicating they interpreted the guidance to mean that deviations could be permanent. However, several agencies also reported they may reduce the number of deviations as they upgrade, modify, or replace existing systems and applications. In addition, agency processes to document and approve deviations varied. For example, some agencies documented and approved deviations at the agency level while other agencies allowed their components to determine the number of deviations and approve them. Some agency officials told us their list of deviations may not be complete because they provided deviations from only a few components, or did not track or maintain a list of deviations at the component level. For those agencies, officials noted they did not have visibility into the deviations documented and approved at the component level because responsibility for this was delegated to the components. Furthermore, agencies' interpretation of the requirement to report deviations to NIST varied, with some agencies stating they were only supposed to report deviations to NIST in March 2008, while other agencies said they reported deviations to NIST whenever they updated their lists. OMB officials stated that full compliance with the configuration meant implementing all the settings without deviations on all applicable workstations, although they allowed agencies to document deviations and later required them to be approved. Nevertheless, without further clarification on the approval, permanence, and reporting of deviations, the federal government will continue to be hindered in consistently implementing FDCC, and OMB will be hindered in assessing the status and effectiveness of implementation across federal agencies. Certain Testing Approaches Facilitated Successful Implementation: The variety of approaches agencies took to testing the settings prior to implementation affected how successful they were. In one case, an agency implemented the settings without testing, discovered problems, and subsequently changed its approach to include testing prior to implementation. Another agency reported having success with collaborative testing among agency components, which included officials from the components sharing results and other information at regular meetings. Officials from another agency stated that automated testing was a better approach because it allows for easier confirmation that there is a standard workstation configuration in use on the agency's systems. Ensuring that testing is carried out prior to implementation, with opportunities for information sharing and consideration of the benefits of automation, can help agencies make implementation of future versions of FDCC or similar configurations more successful. Phased Approach to Implementation Aided Successful Implementation: Agencies that implemented the settings in a phased, or sequential, fashion were able to avoid disruption in their operations and identify problems that arose during implementation. Officials from four agencies cited the benefits of or need for using such a phased implementation approach, rather than implementing the settings in one pass. One agency's officials observed that sequential implementation was key to avoiding system disruption and down time because settings were not applied to all components within the agency at the same time. Following such an approach for future versions of FDCC and other configurations could prove beneficial to agencies. Further Collaboration between Agencies, OMB, and NIST Is Desired: Another success factor in implementing FDCC was frequent communication and collaboration among and within agencies. Officials from two agencies noted that collaboration among its agency components on testing was helpful in addressing problems that occurred. Agencies noted that keeping the lines of communication open, both among agency components and between OMB and NIST and other agencies, would help in making such an initiative more successful. One agency official recommended that there should be a way for NIST to communicate operational impacts prior to the release of new FDCC settings, and another suggested that future versions of FDCC should be vetted by the broader IT community before being rolled out to agencies. Officials from another agency stressed the importance of having communication and outreach among agencies to discuss FDCC issues and changes. Lastly, officials from one agency suggested having FDCC compliance sessions where agencies could discuss issues and learn from one another's experiences. Further collaboration between OMB, NIST, and agencies could increase the effectiveness of implementation among agencies and the chances for the success of similar future initiatives. Independent Testing Provides an Important Perspective on Agency Compliance: Independent testing performed by the General Services Administration and Department of the Interior's Inspector General found compliance results that differed from agency-reported information. In a policy utilization assessment[Footnote 41] conducted over 2 years in multiple phases, the General Services Administration tested FDCC implementation at three agencies between December 2008 and February 2009. The results generally differed from agency-reported information on the level of policy implementation, level of compliance, and number of deviations reported between October 2008 and November 2008. At all three agencies, the scan results showed a higher level of policy implementation than the agencies had reported. In addition, two agencies learned they had a lower number of deviations on the workstation sample than they had reported, and two agencies were provided a more accurate indication of their level of compliance. In September 2009, the Inspector General of the Department of the Interior reported widespread noncompliance with mandatory FDCC settings and noncompliance with agency directives at the agency. [Footnote 42] Based on testing performed during summer 2009, Interior averaged 68 percent compliance for the configuration settings, which varied from the compliance status reported to us. In addition, the Inspector General noted that agency components reported an additional 323 deviations at the components that were not documented and approved according to the agency's policy. The Inspector General made a recommendation to ensure Interior's compliance with FDCC guidance. These results suggest that agency self-reported compliance may not always be accurate and that continued independent testing can provide important insight into the extent of FDCC implementation. Additional independent testing performed by external parties could provide opportunities for agencies to acquire additional information to assist them in complying with FDCC requirements. Advance Notice Can Aid in Allocating Limited Resources: In launching an initiative such as FDCC, having sufficient notice to marshal the necessary resources can improve agencies' chances of success. Agencies reported that having advance notice of the requirement to implement the initiative, with sufficient time for preparation and training, was necessary to successfully implement the initiative. Officials from one agency stated that such mandates should be widely announced well in advance of anticipated completion dates to allow all agencies appropriate lead time to ensure that budgets and resources would be available and that requirements and resulting impacts could be completely assessed. Further, agencies commonly reported a lack of sufficient resources (time, money, labor, technical expertise) to implement the FDCC settings, understand how the settings would affect their environments, address issues found with testing, and purchase a SCAP tool. Some agencies cited having to reallocate approved funding to cover the costs of implementation and the purchase of the tools. Although most agencies could not provide estimates of the time and labor spent implementing FDCC, several agencies provided estimates of the costs of implementation and purchasing SCAP tools, which ranged from the tens of thousands to hundreds of thousands of dollars. In addition, officials from a few agencies stated they did not always have staff dedicated specifically to FDCC, which contributed to delayed implementation. Ensuring sufficient lead time can help agencies better plan use of their resources to implement initiatives like FDCC. Challenges Exist for Agencies in Fully Complying with FDCC Requirements: Agencies face several ongoing challenges to fully complying with FDCC requirements, including retrofitting their existing applications and systems to comply with the settings, assessing the risks associated with deviations, and monitoring workstations to ensure that the settings are applied and functioning properly. Retrofitting Applications and Legacy Systems to Comply with Configuration Settings in Complex Agency Environments: Applying the configuration settings has and will continue to cause problems for agencies due to the variety of applications, legacy systems, and agency environments that exist within the federal government. In particular, agencies have legacy systems or applications that use old software that have to be reconfigured to work with the settings. In addition, while some agency environments consist of a small number of offices with under 10 thousand workstations, other agency environments have multiple components with hundreds of thousands of workstations that are spread out geographically across the country, and in a few cases, the world. Although agencies were required to implement all the FDCC settings, the number and scope of the deviations that agencies had to implement highlight the magnitude of the challenge that agencies faced in implementing the settings. Agency officials confirmed during interviews that there were several challenges in retrofitting their systems and applications to comply with the settings, including the following examples: * Some of the settings had affected other settings on workstations and servers, and it had been a challenge to determine which FDCC settings were responsible. * Some of the settings impaired the functioning of custom programs, caused problems in environments, or interfered with basic functions (e.g., network printing). * The settings prevented the agencies from accessing legitimate Web sites, such as certain federal, state, and local government sites. * Applying particular FDCC settings to legacy systems or applications would require agencies to update their applications or operating systems. However, potential solutions to these challenges are either not simple or may not exist. As new versions of the settings or other configurations are established, it will be important for OMB to recognize that retrofitting systems and applications to comply with new settings in complex environments will remain an ongoing challenge for agencies, and that sufficient time for implementation and the use of deviations may be necessary. However, OMB has not provided guidance to agencies on submitting plans for mitigating deviations, including the resources necessary for doing so. Until OMB provides guidance to agencies on submitting plans of actions and milestones for mitigating deviations, to include resources necessary for doing so, OMB will lack sufficient information to make decisions about the use of deviations and whether potential changes to FDCC are warranted. Assessing the Risks Associated with Deviations: A related challenge for agencies is sufficiently assessing the risks associated with deviations from the official FDCC settings. As mentioned earlier, all agencies in our review had deviations, regardless of whether these deviations had been sufficiently documented or approved. There are risks associated with deviations from individual settings and groups of settings, not only at individual agencies but among agencies, depending on the agency's computing environment. For instance, having deviations such as passwords with a minimal number of characters, combined with allowing multiple users to connect to the workstation over the network and enabling wireless communication on the workstation, increases the risk that unauthorized users could gain access to workstations and sensitive government information. However, many of the agencies in our review did not describe a process for assessing the combined risk of the deviations they had in place because deviations were submitted for approval on an individual basis, were submitted as part of a configuration that included other settings beyond FDCC, or, particularly at agencies where deviation approval was left up to components, the agency did not track the deviations at the component level. Although OMB required agencies to approve deviations, it did not specify any guidance for agencies to use to consider the risks of having these deviations prior to approval. Until OMB specifies guidance for agencies to use to assess the risks of having deviations prior to approving them, including the combined risk of deviations in place across the agency, workstations may remain particularly vulnerable to cyber threats. Consistent and Comprehensive Monitoring of FDCC Implementation on Agency Workstations: Challenges also exist in effectively and consistently monitoring the implementation of FDCC in order to ensure the settings have been implemented properly and are continuing to function as intended. Specifically, the frequency and scope with which agencies scan workstations for compliance may not be sufficient to ensure the settings are working properly, and the results could potentially be incomplete or inconsistent. While some agencies scanned workstations on a weekly or bi-weekly basis, other agencies performed scans only when new patches or system updates had been installed or performed scanning only on a quarterly or annual basis. The infrequent monitoring on the part of some agencies could be due to the SCAP tool used: agency officials without an enterprisewide tool noted that frequent monitoring was impractical because regularly scanning each workstation required them to individually scan up to tens of thousands of workstations. In addition, while some agencies scanned every workstation on their network, other agencies only performed scans on test workstations, which could be insufficient if agency workstation configurations do not match the tested workstations. Scans of workstations on agency networks may also be incomplete in cases where user populations work remotely or have contractor-owned workstations. Agencies that use a SCAP tool to scan all workstations connected to their network may miss workstations belonging to these populations, which might not be connected to the network depending on the time of the scan. Consequently, agencies may be relying on incomplete information on whether the settings are working as intended. While OMB guidance indicates that agencies should monitor compliance using SCAP, the guidance does not specify the frequency or scope in which monitoring should be performed. Until OMB improves its guidance on monitoring compliance using SCAP to include information on the frequency and scope with which agencies should perform monitoring, agencies may not be scanning with sufficient rigor to ensure the settings have been successfully implemented and are working properly. Having Sufficient Tools to Perform Monitoring of Workstations: Agencies did not always have sufficient tools to monitor implementation and compliance with FDCC. In particular, issues with the current NIST-validated SCAP tools include the following: * Some tools generate errors when scanning for particular settings. * Certain settings have to be checked manually because the tools do not scan for all settings. * Some tools record false positives, particularly if the agency's parameter for a particular setting is stricter than the FDCC parameter. * It takes time for vendors to update their SCAP tools after NIST changes SCAP content to address problems, with the result that the tools perform scans based on incorrect content. Agency officials we interviewed confirmed there were issues with the SCAP tools, and many agencies and their components found it easier to use some combination of NIST-validated SCAP tools, group policy objects, or other configuration management software to monitor their configurations. In addition, several agencies indicated they had acquired or were in the process of acquiring a different SCAP tool that would provide better functionality and capabilities in order to meet their needs. NIST officials confirmed they were aware of the issues with SCAP tools and stated they are taking steps to address them. For instance, NIST intends to release new requirements that SCAP tools must meet as well as change validation requirements so that vendors will be required to have their tools tested and validated against the new requirements within 1 year of the requirements being released. NIST requested comments on a draft of this document through January 2010, but hasn't released a final version. Once NIST releases the new requirements for SCAP tools and these tools are validated against these requirements, agencies should have more sufficient tools for monitoring implementation of FDCC. Measuring Benefits of the Initiative: Although agencies have anecdotally reported a variety of benefits from efforts to implement FDCC, OMB and agencies face challenges in accurately assessing the impact and measuring the benefits of the initiative. This is because neither OMB nor the agencies have developed specific metrics to measure the effectiveness and program impact of the initiative. Specifically, they have not required or collected measures or metrics that address how effectively the initiative is mitigating security risks or reducing costs, two of its stated goals. For example, an official at one agency noted several benefits of implementing FDCC--a more secure user environment because of reduced user permissions, a stable development platform that resulted in cost savings and a simplification of the software development process, and a reduction in the number of customer support help calls and service calls by technicians. However, the official admitted that he did not have specific metrics for quantitatively measuring these benefits. Implementing metrics that assess the effectiveness and program impact could give a more complete picture of the benefits of FDCC and help determine whether future versions of the settings or configurations for other operating systems or servers should be instituted. In our September 2009 report, we recommended that OMB, among other things, direct federal agencies to use balanced sets of information security measures that include effectiveness and impact, as well as compliance, and to require agencies to report on such a balanced set of measures. [Footnote 43] Without performance measures and guidance to agencies for reporting the benefits of FDCC, OMB and federal agencies will be limited in their ability to determine if the initiative is meeting its goals of improving federal information security and reducing operating costs and if the initiative should be continued or expanded. Conclusions: While agencies have taken steps toward implementing FDCC, work remains to be done in order to meet all the requirements established by OMB. Specifically, many agencies have applied an agency-defined subset of the configuration settings to their Windows workstations; however, none of the 24 major agencies has fully applied all the FDCC settings. Further, not all agencies have put a process in place for documenting or approving deviations from the FDCC baseline and have not yet acquired the required SCAP tool to monitor compliance with the settings. Unless agencies fulfill these requirements, OMB will not be able to ensure the effectiveness of the initiative. The FDCC initiative was an innovative approach by OMB to standardize and thereby strengthen information security at federal agencies, but lessons learned indicate ways that implementation could have been more successful. Specifically, OMB did not establish realistic time frames for completion or provide comprehensive guidance on FDCC deviations, which has impacted agencies' ability to successfully implement the initiative. In addition, collaboration among OMB, NIST, and the agencies, as well as independent testing of FDCC implementation by external parties, may help agencies be more successful in their implementation efforts. Finally, there are several ongoing challenges facing agencies in fully complying with the requirements, including retrofitting systems and applications amid complex environments, assessing the risks associated with deviations across each agency, and monitoring workstations to ensure the settings are applied and functioning properly. As OMB establishes additional versions of FDCC settings--or configuration settings for other applications or operating systems--understanding the lessons learned from implementation as well as the ongoing challenges agencies face will be essential to the initiative's success in ensuring public confidence in the confidentiality, integrity, and availability of government information. Recommendations for Executive Action: To improve implementation of FDCC at federal agencies, we recommend that the Director of OMB take the following six actions: * When announcing new FDCC versions, such as Windows 7, and changes to existing versions, include clear, realistic, and effectively communicated deadlines for completing implementation. * Clarify OMB policy regarding FDCC deviations to include: whether deviations can be permanent or should be mitigated in a timely manner; requirements for plans of actions and milestones for mitigating deviations, including resources necessary for doing so; guidance to use for assessing the risk of deviations across the agency; and how frequently and to whom deviations should be reported to assist in making decisions regarding future versions. * Inform agencies of the various approaches for testing the settings and implementing the initiative in phases, which may aid successful implementation. * Assess the efficacy of, and take steps to apply as appropriate, other lessons learned during the initial implementation of this initiative such as the need for (1) additional collaboration efforts, (2) independent testing, and (3) advance notice of requirements, to assist agencies in implementing this initiative. * Provide guidance on using SCAP tools to include information on the frequency and scope with which agencies should perform monitoring. * Develop performance measures and provide guidance to agencies for reporting the benefits of FDCC. We are also making 56 recommendations to 22 of the 24 departments and agencies in our review to improve their implementation of FDCC requirements that were not being met. Appendix III contains these recommendations. Agency Comments and Our Evaluation: In providing e-mail comments on a draft of this report, the lead IT policy analyst from OMB's Office of E-Government and Information Technology stated that OMB concurred with the report's findings, conclusions, and 6 recommendations addressed to OMB. We also sent a draft of this report to the 24 agencies in our review and received written, e-mail, and/or oral responses from all 24 agencies. Of the 22 agencies to which we made recommendations, 14 (Agriculture, Defense, Environmental Protection Agency, General Services Administration, Health and Human Services, Justice, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Small Business Administration, Social Security Administration, Treasury, U.S. Agency for International Development, and Veterans Affairs) generally agreed with our recommendations. One agency (Commerce) did not comment specifically on our recommendations and the remaining 7 agencies generally concurred with some of our recommendations but provided qualifying comments with others. The agencies' comments and our responses are summarized below: * In oral comments on a draft of the report, the Department of Energy's Acting Associate Chief Information Officer for Cyber Security generally concurred with 4 of our 5 recommendations. However, he requested that our recommendations to ensure that all components acquire and deploy a NIST-validated SCAP tool, and develop, document, and implement a policy to monitor compliance using a NIST-validated tool be clarified to pertain only to those components that were required to implement FDCC. We agree that this modification clarifies the intent of our recommendations and have modified those recommendations as appropriate. Further, in commenting on our fifth recommendation to ensure that FDCC acquisition language was included in contracts, the Acting Associate Chief Information Officer for Cyber Security stated that the department will continue to evaluate our recommendation and determine an appropriate implementation approach. * In written comments on a draft of the report, the Department of Homeland Security's Chief Information Officer concurred with 3 of our 4 recommendations. He also concurred, with a caveat, with our fourth recommendation to ensure that FDCC acquisition language was included in contracts. The Chief Information Officer stated that the department already has regulations in place to ensure new acquisitions meet FDCC requirements. We agree that the department has regulations in place. However, as indicated in our report, the FDCC acquisition language had not been incorporated into all contracts. The Department of Homeland Security's comments are reprinted in appendix VIII. * In written and oral comments on a draft of the report, the Department of Housing and Urban Development's Chief Information Officer generally concurred with 3 of our 4 recommendations. In written comments on our recommendation that the department ensure FDCC acquisition language is included in contracts, he stated that the department had a policy in place for including clauses in contracts. After subsequent discussion with department representatives, they orally concurred with our recommendation. In written comments on our recommendation that the department develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority, the Chief Information Officer stated that the department had provided us with a copy of its policy for approving deviations in December 2009. After reviewing additional documentation provided, we agree that the department had met the requirement, modified the report as appropriate, and removed the recommendation. The Department of Housing and Urban Development's comments are reprinted in appendix IX. * In written comments on a draft of the report, the Department of the Interior's Assistant Secretary for Policy, Management, and Budget concurred with our recommendations, subject to modifications that reduced redundancy in the recommendations and clarified that components should follow the department's policy related to documenting and approving deviations, and acquiring and deploying NIST- validated tools to monitor compliance with FDCC. We agree that the suggested modifications clarified the intent of our recommendations, and have modified the recommendations accordingly. The Department of the Interior's comments are reprinted in appendix X. * In written and oral comments on a draft of the report, the Department of Labor's Assistant Secretary for Administration and Management generally concurred with 1 of our 2 recommendations, subject to modification that clarified that FDCC acquisition language had been included in some contracts but not in all. After reviewing additional documentation provided, we modified the recommendation as appropriate. In written comments on our recommendation that the department complete deployment of a NIST-validated SCAP tool, the Assistant Secretary for Administration and Management stated that deployment of the tool had been completed prior to the end of our audit field work. After reviewing additional documentation provided, we agree that the department had met the requirement, modified the report as appropriate, and removed the recommendation. The Department of Labor's comments are reprinted in appendix XI. * In written and oral comments on a draft of the report, the Office of Personnel Management's Chief Information Officer generally concurred with 3 of our 4 recommendations. In written comments on our recommendation on documenting deviations and having them approved by a designated authority, he said that the department has documented its deviations and approved them. After subsequent discussion with department representatives, they orally concurred with our recommendation. In addition, in written comments on our recommendation to develop, document, and implement a policy to approve deviations to FDCC by a designated authority, the Chief Information Officer stated that the agency has a policy in place. After reviewing documentation provided, we agree that the department had met the requirement, modified the report as appropriate, and removed the recommendation. The Office of Personnel Management's comments are reprinted in appendix XIII. * In e-mail and oral comments on a draft of the report, the Department of Transportation's Chief Information Security Officer generally concurred with our 2 recommendations, subject to modification that clarified that the department had acquired a validated tool and was in the process of fully deploying it. After reviewing additional documentation provided, we modified table 5 in the report to include a table footnote indicating a tool had been acquired but not deployed and revised the recommendation as appropriate. In addition, in e-mail comments on our recommendation to ensure that FDCC acquisition language is included in contracts, the Chief Information Security Officer stated that the department had provided a copy of the policy guidance on contract clauses to us. After subsequent discussion with department representatives, they orally concurred with our recommendation. In addition, several agencies also provided technical comments, including one of two agencies to which we did not make recommendations. We have incorporated these comments as appropriate. The remaining agency to which we did not make recommendations stated that it did not have any comments. Furthermore, for appropriate coverage of a federal-wide information technology contract issue, the Department of Defense suggested we add a recommendation that contract language be included in the Federal Acquisition Regulation "to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them." However, it was not within the scope of our review to evaluate whether such standard contract language was necessary or what it would entail. Nonetheless, the Department of Defense may wish to pursue this suggestion with OMB and other stakeholders for possible promulgation of a Federal Acquisition Regulation rule that would serve as a governmentwide template in solicitations or contracts for ensuring that FDCC settings are effectively incorporated and applied. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to other interested congressional committees, secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the commissioner of the Social Security Administration; the chairman of the Nuclear Regulatory Commission; and the directors of the National Science Foundation, Office of Management and Budget, and Office of Personnel Management. The report also is available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions regarding this report, please contact me at (202) 512-6244 or at wilshuseng@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix XVIII. Signed by: Gregory C. Wilshusen: Director, Information Security Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: Relative to the 24 major federal agencies covered by the Chief Financial Officers Act, the objectives of our review were to (1) identify the goals, objectives, and requirements for the initiative; (2) determine the status of actions federal agencies have taken, or plan to take, to implement the initiative; and (3) identify the benefits, challenges, and lessons learned in implementing this initiative. To address our first objective, we reviewed applicable policies and memorandums issued by the Office of Management and Budget (OMB) and plans, artifacts, and other documentation provided by the National Institute of Standards and Technology (NIST). We also reviewed guidance and Federal Desktop Core Configuration (FDCC) and Security Content Automation Protocol (SCAP) materials located on NIST's Web site. In addition, we held discussions with OMB and NIST representatives to further assess the initiative's requirements and confirm that the material posted on their Web sites that we considered was current and accurate. To address our second and third objectives, we obtained and analyzed polices, plans, artifacts, status reports, and other documentation relative to the requirements of the initiative from each of the 24 federal agencies in our review. We obtained information through interviews with officials from each of the 24 agencies, industry officials, security experts, officials from General Services Administration's Policy Utilization Assessment Program, and members of the Chief Information Officers Council and FDCC Change Control Board. We also met with staff from all 24 Offices of the Inspector General regarding their FDCC audit work performed as part of Federal Information Security Management Act fiscal year 2008 and 2009 reporting to obtain information on their audit methodology, findings, and related documentation. Based on our review of the adequacy of work performed, we have sufficient assurance to rely on work completed by the inspectors general in the context of our audit objective related to whether the agency had documented deviations and had incorporated language related to the use of FDCC settings into its contracts. We also analyzed the information we obtained from all sources to determine the benefits, challenges, and lessons learned from implementation of FDCC. For our second objective, in order to determine the status of FDCC implementation at federal agencies, we developed a data collection instrument to obtain information on the number of workstations that had FDCC settings applied, either with no deviations or with deviations established at these agencies. To develop our data collection instrument, we reviewed the requirements of the initiative as well as the results from a previous data collection instrument used by NIST to collect status information on FDCC as of March 2008. We designed the draft collection instrument in close collaboration with subject matter experts and participated in refining subsequent drafts of the instrument. We sent the data collection instrument to the officials at the Office of Chief Information Officer at the 24 federal agencies and asked the agencies to provide status information as of June 30, 2009, and as of September 30, 2009. We e-mailed our first data collection instrument, to collect FDCC status data as of June 30, 2009, to all 24 agencies in early June 2009. When our collection ended in July 2009, we had received 19 usable responses. After examining the results from this data collection to identify inconsistencies and other indications of error, we concluded that the extent of response error and the overall low level of participation precluded the use of these data in our report. To refine the data collection instrument to collect September 2009 data, we conducted pretests with officials from 3 agencies to clarify any ambiguous or potentially biased questions. These pretests were conducted by telephone with the 3 agencies, which were chosen to represent the variety of characteristics across the 24 agencies we would survey. These characteristics included the operating system used, type of workstation, composition and size of the agency, and method used to collect status information. We sent this instrument to agency officials in mid-September 2009. We conducted follow-up contacts by e-mail and phone to encourage response and clarify individual answers. We received usable responses from 22 agencies, and ended the data collection period in November 2009. While our evaluation of the instrument data indicates that it is usable for the purposes of this report, the information may not be complete due to the inability of some agencies to provide information in the categories we requested, including some of the data supporting our estimates of contractor-owned workstations with FDCC compliance, and possibly some other estimates. We conducted this performance audit from December 2008 to March 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Percentage of Agency Workstations with FDCC Settings Implemented as of September 2009: The table below shows, for the 24 agencies from which we collected data using our data collection instrument, the percentage of applicable Windows XP and Vista workstations that have all FDCC settings implemented with no deviations, workstations with an agency baseline implemented and deviations documented, and workstations that do not have the settings implemented. Table 7: Agency-Reported Percentages of Workstations with FDCC Settings Implemented as of September 2009: Agency: Agriculture; Platform: XP; Implemented without deviations: 8%; Implemented with deviations (agency baseline): 0%; Not implemented: 92%. Agency: Agriculture; Platform: Vista; Implemented without deviations: 0; Implemented with deviations (agency baseline): 0; Not implemented: 100%. Agency: Commerce; Platform: XP; Implemented without deviations: 9%; Implemented with deviations (agency baseline): 91%; Not implemented: 0. Agency: Commerce; Platform: Vista; Implemented without deviations: 23%; Implemented with deviations (agency baseline): 77%; Not implemented: 0. Agency: Defense; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 96%; Not implemented: 4%. Agency: Defense; Platform: Vista; Implemented without deviations: 99%; Implemented with deviations (agency baseline): 0[A]; Not implemented: 1%. Agency: Education; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: Education; Platform: Vista; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: Energy; Platform: XP; Implemented without deviations: Unknown; Implemented with deviations (agency baseline): 72%; Not implemented: Unknown. Agency: Energy; Platform: Vista; Implemented without deviations: Unknown; Implemented with deviations (agency baseline): 71%; Not implemented: Unknown. Agency: Environmental Protection Agency; Platform: XP; Implemented without deviations: Unknown; Implemented with deviations (agency baseline): Unknown; Not implemented: Unknown. Agency: Environmental Protection Agency; Platform: Vista; Implemented without deviations: Unknown; Implemented with deviations (agency baseline): Unknown; Not implemented: Unknown. Agency: General Services Administration; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 84%; Not implemented: 16%. Agency: General Services Administration; Platform: Vista; Implemented without deviations: Not applicable; Implemented with deviations (agency baseline): Not applicable; Not implemented: Not applicable. Agency: Health and Human Services; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 99%; Not implemented: 1%. Agency: Health and Human Services; Platform: Vista; Implemented without deviations: 0; Implemented with deviations (agency baseline): 94%; Not implemented: 6%. Agency: Homeland Security; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 5%; Not implemented: 95%. Agency: Homeland Security; Platform: Vista; Implemented without deviations: 0; Implemented with deviations (agency baseline): 29%; Not implemented: 71%. Agency: Housing and Urban Development; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: Housing and Urban Development; Platform: Vista; Implemented without deviations: Not applicable; Implemented with deviations (agency baseline): Not applicable; Not implemented: Not applicable. Agency: Interior; Platform: XP; Implemented without deviations: 1%; Implemented with deviations (agency baseline): 48%; Not implemented: 51%. Agency: Interior; Platform: Vista; Implemented without deviations: 69%; Implemented with deviations (agency baseline): 18%; Not implemented: 13%. Agency: Justice; Platform: XP; Implemented without deviations: 3%; Implemented with deviations (agency baseline): 96%; Not implemented: 1%. Agency: Justice; Platform: Vista; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: Labor; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: Labor; Platform: Vista; Implemented without deviations: Not applicable; Implemented with deviations (agency baseline): Not applicable; Not implemented: Not applicable. Agency: National Aeronautics and Space Administration; Platform: XP; Implemented without deviations: Unknown; Implemented with deviations (agency baseline): 87%; Not implemented: Unknown. Agency: National Aeronautics and Space Administration; Platform: Vista; Implemented without deviations: Unknown; Implemented with deviations (agency baseline): 52%; Not implemented: Unknown. Agency: National Science Foundation; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: National Science Foundation; Platform: Vista; Implemented without deviations: Not applicable; Implemented with deviations (agency baseline): Not applicable; Not implemented: Not applicable. Agency: Nuclear Regulatory Commission; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: Nuclear Regulatory Commission; Platform: Vista; Implemented without deviations: Not applicable; Implemented with deviations (agency baseline): Not applicable; Not implemented: Not applicable. Agency: Office of Personnel Management; Platform: XP; Implemented without deviations: 1%; Implemented with deviations (agency baseline): 40%; Not implemented: 59%. Agency: Office of Personnel Management; Platform: Vista; Implemented without deviations: Not applicable; Implemented with deviations (agency baseline): Not applicable; Not implemented: Not applicable. Agency: Small Business Administration; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: Small Business Administration; Platform: Vista; Implemented without deviations: Not applicable; Implemented with deviations (agency baseline): Not applicable; Not implemented: Not applicable. Agency: Social Security Administration; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: Social Security Administration; Platform: Vista; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: State; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: State; Platform: Vista; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: Transportation; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100; Not implemented: 0. Agency: Transportation; Platform: Vista; Implemented without deviations: Not applicable; Implemented with deviations (agency baseline): Not applicable; Not implemented: Not applicable. Agency: Treasury; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 99%; Not implemented: 1%. Agency: Treasury; Platform: Vista; Implemented without deviations: 0; Implemented with deviations (agency baseline): 99%; Not implemented: 1%. Agency: U.S. Agency for International Development; Platform: XP; Implemented without deviations: 0; Implemented with deviations (agency baseline): 100%; Not implemented: 0. Agency: U.S. Agency for International Development; Platform: Vista; Implemented without deviations: Not applicable; Implemented with deviations (agency baseline): Not applicable; Not implemented: Not applicable. Agency: Veterans Affairs; Platform: XP; Implemented without deviations: Unknown; Implemented with deviations (agency baseline): Unknown; Not implemented: Unknown. Agency: Veterans Affairs; Platform: Vista; Implemented without deviations: Unknown; Implemented with deviations (agency baseline): Unknown; Not implemented: Unknown. Source: GAO analysis of data reported by agencies in GAO data collection instrument. Note: Percentages in the table have been rounded. Both the number of government-owned and contractor-owned workstations were included in agency totals if the number of contractor-owned workstations was not separated from the number of government-owned workstations that was provided by the agency. Agencies that did not have Vista workstations were listed as not applicable. An agency that was unable to provide sufficient data to determine the status of implementation was listed as unknown. [A] Agency reported having no deviations for the implementation of the settings on this operating system. [End of table] [End of section] Appendix III: Recommendations to Departments and Agencies: Agriculture: To improve the department's implementation of FDCC, we recommend that the Secretary of Agriculture take the following three actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion; * document deviations to FDCC and have them approved by a designated accrediting authority; and: * develop, document, and implement a policy to approve deviations by a designated accrediting authority. Commerce: To improve the department's implementation of FDCC, we recommend that the Secretary of Commerce take the following three actions: * ensure all components have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC; * ensure all components develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool; and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Defense: To improve the department's implementation of FDCC, we recommend that the Secretary of Defense take the following two actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion, and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Energy: To improve the department's implementation of FDCC, we recommend that the Secretary of Energy take the following five actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion; * document deviations to FDCC and have them approved by a designated accrediting authority; * ensure all components that are required to implement FDCC have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC; * ensure all components that are required to implement FDCC develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool; and: * ensure that language is included in contracts of those components that are required to implement FDCC to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Environmental Protection Agency: To improve the agency's implementation of FDCC, we recommend that the Administrator of the Environmental Protection Agency take the following two actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion, and: * develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority. General Services Administration: To improve the agency's implementation of FDCC, we recommend that the Administrator of the General Services Administration take the following action: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion. Health and Human Services: To improve the department's implementation of FDCC, we recommend that the Secretary of Health and Human Services take the following three actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion; * develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool; and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Homeland Security: To improve the department's implementation of FDCC, we recommend that the Secretary of Homeland Security take the following four actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion; * develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority; * develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool; and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Housing and Urban Development: To improve the department's implementation of FDCC, we recommend that the Secretary of Housing and Urban Development take the following three actions: * acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC; * develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool; and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Interior: To improve the department's implementation of FDCC, we recommend that the Secretary of the Interior take the following three actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion; * ensure all components implement the department's existing policy to document deviations to FDCC and have those deviations approved by a designated accrediting authority; and: * ensure all components implement the department's existing policy to acquire and deploy a NIST-validated SCAP tool and monitor compliance with FDCC. Justice: To improve the department's implementation of FDCC, we recommend that the Attorney General take the following four actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion; * develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority; * complete deployment of a NIST-validated SCAP tool to monitor FDCC compliance; and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Labor: To improve the department's implementation of FDCC, we recommend that the Secretary of Labor take the following action: * complete efforts to ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. National Aeronautics and Space Administration: To improve the agency's implementation of FDCC, we recommend that the Administrator of the National Aeronautics and Space Administration take the following action: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion. National Science Foundation: To improve the agency's implementation of FDCC, we recommend that the Director of the National Science Foundation take the following action: * complete deployment of a NIST-validated SCAP tool to monitor FDCC compliance. Nuclear Regulatory Commission: To improve the agency's implementation of FDCC, we recommend that the Chairman of the Nuclear Regulatory Commission take the following two actions: * develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority, and: * ensure that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Office of Personnel Management: To improve the agency's implementation of FDCC, we recommend that the Director of the Office of Personnel Management take the following three actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion; * document deviations to FDCC and have them approved by a designated accrediting authority; and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Small Business Administration: To improve the agency's implementation of FDCC, we recommend that the Administrator of the Small Business Administration take the following two actions: * develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority, and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Social Security Administration: To improve the agency's implementation of FDCC, we recommend that the Commissioner of the Social Security Administration take the following four actions: * develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority; * complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC; * develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool; and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Transportation: To improve the department's implementation of FDCC, we recommend that the Secretary of Transportation take the following two actions: * complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC, and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Treasury: To improve the department's implementation of FDCC, we recommend that the Secretary of the Treasury take the following two actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion, and: * ensure that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. U.S. Agency for International Development: To improve the agency's implementation of FDCC, we recommend that the Administrator of the U.S. Agency for International Development take the following action: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Veterans Affairs: To improve the department's implementation of FDCC, we recommend that the Secretary of Veterans Affairs take the following four actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion; * acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC; * develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool; and: * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. [End of section] Appendix IV: Comments from the U.S. Department of Agriculture: United States Department of Agriculture: Office of the Chief Information Officer: 1400 Independence Avenue SW: Washington, DC 20250: To: Gregory Wilshusen: Director: Information Security Issues: Government Accountability Office: From: [Signed by] Christopher L. Smith: Chief Information Officer: Office of the Chief Information Officer: Subject: USDA Comments on Draft Report GA0-10-202: The United States Department of Agriculture (USDA) is pleased with the opportunity to review and comment on the draft GAO report Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements (GA0-10-202). USDA agrees with and accepts the findings of the draft Report, as they pertain to USDA. The draft Report recommends that the Secretary of Agriculture take the following three actions: * complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion; * document deviations to FDCC and have them approved by a designated accrediting authority (DAA); and; * develop, document, and implement a policy to approve deviations by a designated accrediting authority. We support GAO's call for further clarification from OMB on the governmentwide standards for documenting deviations from the FDCC and would be pleased to work with OMB, NIST and other departments and agencies to further that end. [End of section] Appendix V: Comments from the Department of Commerce: Note: GAO comment supplementing those in the report text appear at the end of this appendix. The Secretary Of Commerce: Washington, D.C. 20230: February 18, 2010: Mr. Gregory C. Wilshusen: Director, Information Security Issues: Government Accountability Office: Washington, DC 20548: Dear Mr. Wilshusen: Thank you for the opportunity to review the General Accountability Office's (GAO) draft report, "Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements" (GA0-10- 202). We concur that this report is a reasonable assessment of the current Federal Desktop Core Configuration (FDCC) situation among federal agencies. The Department of Commerce (Department) offers the following comments regarding the GAO's conclusions. * As noted in GA0-10-202, there remain some technically problematic FDCC settings for many agencies and, as such, there may be some scenarios where risk should be accepted. * FDCC applicability has been clarified by the National Telecommunications and Information Administration's guidance; however, it has not been officially issued in an updated memorandum from the Office of Management and Budget (OMB). * There is not clear guidance from OMB in regard to FDCC deviations and how these deviations are documented by federal agencies; the FDCC deviations are an operational necessity in some cases. * Collaboration on future secure configuration standards should involve a broader audience. * On page 11, the report states that FDCC provides a baseline level of Security; however, during meetings with GAO, the Department's National Institute of Standards and Technology has expressed that we do not consider FDCC to be a baseline. [See comment 1] We look forward to further communications with GAO regarding its conclusions. Sincerely, Signed by: Gary Locke: The following are GAO's comments on the Department of Commerce's letter dated February 18, 2010. GAO Comment: 1. In its March 2007 directives,[Footnote 44] OMB stated that an objective of FDCC was to provide a baseline level of security to agencies. We used OMB's characterization of FDCC for this report. [End of section] Appendix VI: Comments from the Department of Defense: Office Of The Assistant Secretary Of Defense: Networks And Information Integration: 6000 Defense Pentagon: Washington, D.C. 20301-6000: Gregory C. Wilshusen: Director, Information Security Issues: Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Wilshusen: This is the Department of Defense (DoD) response to the Government Accountability Office (GAO) draft report, GAO-10-202, "Information Security: Agencies Need to Implement Federal Desktop Core Configuration (FDCC) Requirements" dated January 20, 2010 (GAO Code 311014). I share the GAO conclusion that the FDCC initiative was an innovative approach by OMB to standardize and thereby strengthen information security at federal agencies. I appreciate the opportunity to provide the enclosed comments on the draft report. My staff and I are responsible for overseeing the implementation of the GAO report recommendations. My point of contact for questions regarding FDCC is Mr. John Hunter, (703) 602-9927. Sincerely, Signed by: Gary D. Guissanie: Acting Deputy Assistant Secretary of Defense (Cyber, Identity and Information Assurance): Enclosure: As stated: [End of letter] GAO Draft Report Dated January 20, 2010: GA0-10-202 (GAO Code 311014): "Information Security: Agencies Need To Implement Federal Desktop Core Configuration Requirements" Department Of Defense Comments To The GAO Recommendations: Recommendation 1: The GAO recommends that the Secretary of Defense complete implementation of the agency's Federal Desktop Core Configuration (FDCC) baseline, including establishing firm milestones for completion. (See pages 51-52/GAO Draft Report) DoD Response: Concur. The Department of Defense has made significant progress in implementing the FDCC baseline, and the Assistant Secretary of Defense (Networks and Information Integration) will work with the Components to establish firm milestones for completion. Recommendation 2: The GAO recommends that the Secretary of Defense ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. (See pages 51- 52/GAO Draft Report) DoD Response: Concur. The Assistant Secretary of Defense (Networks and Information Integration) will work closely with the OSD staff and Components to ensure new acquisitions include FDCC settings. Additional Recommendation From Department Of Defense: Contract language should be included in the Federal Acquisition Regulation (FAR) "to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them." This would provide the appropriate coverage for a Federal-wide IT contract issue. Rationale: FDCC is a Federal Government-wide mandate not a Defense- specific acquisition requirement. [End of section] Appendix VII: Comments from the General Services Administration: U.S. General Services Administration: GSA Administrator: 1800 F Street, NW: Washington, DC 20405-0002: Telephone: (202) 501-0880: Fax: (202) 219-1243: [hyperlink, http://www.gsa.gov] February 22, 2010: The Honorable Gene L. Dodaro: Acting Comptroller General of the United States: U.S. Government Accountability Office: Washington, DC 20548: Dear Mr. Dodaro: The U.S. General Services Administration (GSA) appreciates the opportunity to review and comment on the draft report, "Information Security: Agencies Need to Implement Federal Desktop Core Configuration (FDCC) Requirements" (GAO-10-202). The U.S. Government Accountability Office (GAO) recommends that the GSA Administrator improve the agency's implementation of FDCC. We agree with the findings and recommendation and will take appropriate action. GSA will complete implementation of the agency's FOGG baseline, including establishing firm milestones for completion. If you have any additional questions or concerns, please do not hesitate to contact me. Staff inquiries may be directed to Ms. Kathleen Turco, Chief Financial Officer. She can be reached at (202) 501-1721. Sincerely, Signed by: Martha Johnson: Administrator: cc: Mr. Gregory C. Wilshusen: Director, Information Technology Security Issues: GAO: [End of section] Appendix VIII: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: Memorandum For: Gregory C. Wilshusen: Director, Information Security Issues: Government Accountability Office: From: Richard A. Spires: Chief Information Officer: Subject: Comment to GAO Report #10-202 "Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements" The Department of Homeland Security (OHS) Office of the Chief Information Officer (OCIO) has reviewed the findings of the Government Accountability Office (GAO) Report, 410-237 "Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements," dated February 2010. The increase in security incidents and continuing weakness in security controls on information technology systems at federal agencies highlight the continuing need for improved information security. To standardize and strengthen agencies' security, the Office of Management and Budget (OMB), in collaboration with the National Institute of Standards and Technology (MST), launched the Federal Desktop Core Configuration (FDCC) initiative in 2007. GAO was asked to (1) identify the goals, objectives, and requirements of the initiative; (2) determine the status of actions federal agencies have taken, or plan to take, to implement the initiative; and (3) identify the benefits, challenges, and lessons learned in implementing this initiative. To accomplish this, GAO reviewed policies, plans, and other documents at the 24 major executive branch agencies; reviewed OMB and NISI guidance and documentation; and interviewed officials. GAO recommended that DHS take four actions to improve the Department's implementation of FDCC. OCIO's comments on the specific recommendations are as follows: Recommendation #1: Complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion. OCIO March 2010 Response: OCIO concurs. DHS developed a FDCC draft baseline which is currently under review by the designated accrediting authority. A copy of the FDCC draft baseline and the FDCC compliance milestone tracking status is enclosed for your reference. Recommendation #2: Develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority. OCIO March 2010 Response: OCIO concurs. DHS has developed a process to approve deviations from the FDCC baseline, which is maintained and controlled by the DI-IS Infrastructure Change Control Board (ICCB). A copy of the draft "FDCC Baseline Update Process" is enclosed for your reference. Recommendation #3: Develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated Security Content Automation Protocol (SCAP) tool. OCIO March 2010 Response: OCIO concurs. Each DHS Component has chosen a NIST-validated SCAP tool that best fits into its IT infrastructure. Below is a list of the SCAP tools used by each Component to monitor their FDCC compliance: * Customs and Border Protection uses Big Fix. * U.S. Citizenship and Immigration Services uses McAfee. * Federal Emergency Management Agency uses Tenable Nessus. * Federal Law Enforcement Training Center uses Tenable Nessus and McAfee. * DHS Headquarters uses Tenable Nessus and McAfee. * Immigration and Customs Enforcement uses Big Fix. * DHS Office of Inspector General uses Tenable Nessus. * Transportation Services Administration uses Secure Elements C5. * U.S. Coast Guard uses Secutor Prime. * U.S. Secret Service uses Threat Guard. Recommendation #4: Ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. OCIO March 2010 Response: OCIO concurs with caveat. DHS already has regulations in place to ensure new acquisitions meet FDCC requirements. The Department of Homeland Security Acquisition Regulation (HSAR) of lune 2006 establishes uniform acquisition policies and procedures, which implement and supplement the Federal Acquisition Regulation (FAR). HSAR Section 3052.204-70 "Security requirements for unclassified information technology resources of the HSAR" states: Within 6 months after contract award, the contractor, hall submit written proof of IT Security accreditation to DHS for approval by the DHS Contracting Officer. Accreditation will proceed according to the criteria of the DHS Sensitive System Policy Publication, 4300A (Version 2.1, July 26, 2004) or any replacement publication, which the Contracting Officer will provide upon request. This accreditation will include a final security plan, risk assessment, security test and evaluation, and disaster recovery plan/continuity of operations plan. This accreditation, when accepted by the Contracting Officer, shall be incorporated into the contract as a compliance document. The contractor shall comply with the approved accreditation documentation. DHS Sensitive System Policy Publication 4300A, ID 3.7.e states: "Workstations shall be configured in accordance with DHS guidance on FDCC." Enclosures:: DHS FDCC baseline: DHS FDCC compliance milestone tracking status: DHS FDCC Baseline Update Process: MD 4300A "DHS Sensitive Systems Policy Directive 4300A:" 311014 Draft GAO #10-202 for Agency Comment, "Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements" [End of section] Appendix IX: Comments from the Department of Housing and Urban Development: Note: GAO's comments supplementing those in the report's text appear at the end of this appendix. U.S. Department Of Housing And Urban Development: Office Of The Chief Information Officer: Washington, D.C. 20410-3000: February 17, 2010: Mr. Gregory C. Wilshusen: Director, Information Security Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Wilshusen: Thank you for the opportunity to comment on the Government Accountability Office (GAO) draft report entitled, Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements (GA0-10-202). The Department of Housing and Urban Development reviewed the draft report and concurs with the following recommendations for Executive Actions: * acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC; * develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool. With respect to the above items, HUD anticipates a contract award in the 3rd quarter of Fiscal Year 2010, with implementation by September 30, 2010. However, HUD provides the following comments to address the remaining recommendations: * develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority. [See comment 1] The Department has developed a FDCC Waiver Request Standard Operating Procedure (SOP). In response to a GAO request, the attached document was provided on December 15, 2009. * ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. [See comment 2] Attached is a standard contract clause that the HUD Chief Procurement Officer issued in June 2007 for use in all IT contracts. HUD is in compliance with the above language requirement for new acquisitions. The Department remains committed to improving information security and reducing Information Technology operating costs, the major goals of the FDCC. More definitive information with timelines will be provided once the final report has been issued. If you have any questions or require additional information, please contact Jerry E. Williams, Chief Information Officer, at 202-708-0306. Sincerely, Signed by: [Illegible], for: Jerry E. Williams: Chief Information Officer: Enclosure: The following are GAO's comments on the Department of Housing and Urban Development's letter dated February 17, 2010. GAO Comments: 1. After reviewing additional documentation provided by department representatives, we agreed that the department had met the requirement and modified the column "have policy to approve deviations by designated authority" in table 4 from "no" to "yes." The recommendation to this finding was removed from the report. 2. After subsequent discussion with department representatives, they orally concurred with our recommendation. [End of section] Appendix X: Comments from the Department of the Interior: United States Department of the Interior: Office Of The Secretary: Washington, DC 20240: February 23, 2010: Mr. Gregory C. Wilshusen: Director, Information Security Issues: U.S. Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Wilshusen: Thank you for providing the Department of the Interior the opportunity to review and comment on the draft Government Accountability Office Report entitled, "Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements" (GA0-10-202). The Department concurs with the recommendations subject to the modifications suggested in the enclosure. We hope the technical comments and the additional information provided will assist you in preparing the final report. If you have any questions, or need additional information, please contact the Department's Chief Information Security Officer (CISO), Lawrence K. Ruffin, at (202) 208-5419 or Davene Barton at (202) 208-5438. Sincerely, Signed by: Rhea Suh: Assistant Secretary: Policy, Management and Budget: Enclosure: [End of section] Appendix XI: Comments from the Department of Labor: Note: GAO's comments supplementing those in the report's text appear at the end of this appendix. U.S. Department of Labor: Office of the Assistant Secretary for Administration and Management: Washington, D.C. 20210: February 12, 2010: Gregory C. Wilshusen: Director, Information Security Issues: Government Accountability Office: 441 G Street, N.W. Washington, DC 20548: Dear Mr. Wilshusen: This letter is provided in response to the draft report GA0-10-202, Agencies Need to Implement Federal Desktop Core Configuration Requirements, dated February 2010. We take seriously our responsibility to ensure the protection of our computer systems and information with which we are entrusted. Overall, the draft reports provide a fair depiction of the Department of Labor (DOL) efforts to meet the OMB's mandate for implementing the Federal Desktop Core Configuration (FDCC). However I ask that the GAO reconsider their assessment regarding the Department's implementation of a National Institute of Standards and Technology (NIST)-validated Security Content Automation Protocol (SCAP) tool and FDCC acquisition language. The areas in the draft report to reconsider include: * Page 26, Table 5: Through the deployment and use of ThreatGuard DOL has met the requirements for acquiring and utilizing a NISI-validated SCAP tool, thus the table should indicate a "Yes' response. DOL currently utilizes the tool to monitor all DOL agency FDCC baseline configurations and also conducts periodic scans of agency baselines configuration to ensure continuing compliance. [See comment 1] * Page 28, Table 6: All appropriate new contracts awarded since the issuance of the OMB mandate includes the required FDCC acquisition language as appropriate, thus the table should indicate partial implementation. This statement is further supported by the FY09 OIG FISMA assessment results. DOL acknowledges that challenges exist in updating legacy contracts issued prior to OMB mandate. Additionally, DOL has begun a comprehensive exercise to review and modify all appropriate legacy contracts to include the required FDCC language over the next 18 months. [See comment 2] * Page 55, Bullet 1: Recommends DOL complete deployment of a NIST- validated SCAP tool to monitor FDCC compliance. DOL has implemented a NIST-validated SCAP tool called ThreatGuard. The tool provides DOL adequate capabilities for monitoring its compliance with FDCC and other NIST issued SCAP content. DOL is planning to enhance its use of ThreatGuard and other DOL implemented NIST-validated SCAP tools to provide real-time monitoring of baseline configurations in Fiscal Year 2011. [See comment 3] * Page 55, Bullet 2: Recommends DOL ensure FDCC language is included in contracts. As mentioned above, all new contacts comply with the FDCC mandate. DOL plans to modify all legacy contracts to included the required FDCC language over the next 18 months. [See comment 4] Thank you again for the opportunity to comment on the draft report. If you have any questions or you require further discussion about our comments, please have your staff contact Mrs. Tonya Manning, DOL Chief Information Security Officer, at Manning.Tonya@dol.gov or 202-693-4431. Sincerely, Signed by: T. Michael Kerr: Assistant Secretary for Administration and Management: Chief Information Officer: The following are GAO's comments on the Department of Labor's letter dated February 12, 2010. GAO Comments: 1. After reviewing additional documentation provided, we agreed that the department had met the requirement and modified the column "NIST- validated SCAP tool acquired and deployed" in table 5 from "no" to "yes." 2. After reviewing additional documentation provided by department representatives, we agreed that the department had partially met the requirement and modified the column "language incorporated" in table 6 from "no" to "partially." 3. The recommendation to this finding was removed (see comment 1). 4. The recommendation to this finding was modified as appropriate (see comment 2). [End of section] Appendix XII: Comments from the National Aeronautics and Space Administration: National Aeronautics and Space Administration: Headquarters: Office of the Chief Information Officer: Washington, DC 20546-0001: February 19, 2010: Mr. Gregory C. Wilshusen: Director, Information Security Issues: United States Government Accountability Office: Washington, DC 20548: Dear Mr. Wilshusen: The National Aeronautics and Space Administration (NASA) appreciates the opportunity to review and comment on the draft report entitled, "Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements" (GA0-10-202). In the draft report, GAO makes one recommendation relating to NASA's implementation of Federal Desktop Core Configuration (FDCC) requirements, specifically: Recommendation: To improve the agency's implementation of FDCC, we recommend that the Administrator of the National Aeronautics and Space Administration complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion. Response: NASA will establish firm milestones to complete an implementation of the agency's FDCC baseline while exercising caution not to disable unique mission orientated capabilities. IT security is a compromise between available capabilities and applicable controls. NASA set a goal for 85 percent of the agency systems within the defined FDCC software and system scope to comply with the original core configuration requirement. NASA believes general purpose office automation systems are more amenable to the use of the FDCC controls than systems which provide Agency mission-unique functions. Therefore, the 85 percent implementation baseline goal represents an operational reality and offers a reasonable balance between security configuration and operational necessities. NASA would like to note that future guidance and configurations must keep pace with industry updates in common operating systems and applications. The FDCC technical guidance and policy releases tend to lag behind software releases. In order to remain relevant and viable, FDCC technical and policy development must advance at the pace of Federal Agency procurements of new commercial software. Thank you for the opportunity to review the draft report. We look forward to your final report to Congress. If you have any questions or require additional information, please don't hesitate to contact the NASA Deputy CIO for IT Security, Jerry Davis at (202) 358-1401. Sincerely, Signed by: Linda Cureton: Chief Information Officer: [End of section] Appendix XIII: Comments from the Office of Personnel Management: Note: GAO's comments supplementing those in the report's text appear at the end of this appendix. UNITED STATES OFFICE OF PERSONNEL MANAGEMENT: Office of the Director: Washington, DC 20415: Memorandum For Gregory C. Wilshusen: Director: Government Accountability Office: From: [Signed by] Matthew E. Perry: Chief Information Officer: Subject: Government Accountability Office Audit Regarding Agencies Need to Implement Federal Desktop Core Configuration Requirements: This memorandum is in response to the GAO (Government Accountability Office) audit finding released in February of 2010, GA0-10-202 Federal Desktop Core Configuration (FDCC). This memorandum will address two areas; comments specific to the factual representations within the report, as well as a response to the recommendations section of the report. Comments specific to the report: 1. Page 24, Table 4 states that the Office of Personnel Management (OPM) did not provide deviations and had no policy to review deviations. This is incorrect. OPM provided Office of Management and Budget (OMB) the list of deviations for their data call on March 31 2008. OPM has updated its workstation configuration policy to require that deviations be documented and approved through our Change Control process. Both of these artifacts were provided to GAO during their engagement. 2. Page 43-44, "GAO recommends that OMB, among other things, issue explicit guidance on assessing the risks of deviations and monitoring compliance with FDCC. GAO also recommends that agencies take steps to fully implement FDCC requirements." For FDCC to be successful, the guidance should come with funding. 3. Page 3, The initiative mandated that Federal agencies implement standardized configuration settings on workstations with Windows XP or Vista operating systems. FDCC needs to be updated to include Windows7. Response to the GAO Audit Recommendations: Finding. "complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion;" Response: OPM has completed several significant milestones for OPM's FDCC compliance including integrating FDCC compliance into the new image creation process for PCs deployed after March 2008. This ensures that all new PCs adhere to OPM standards for FDCC compliance. OPM has not established a timeline for testing and evaluating images that were deployed prior to the FDCC adoption in March of 2008. OPM has a FY 2010 project defined to coordinate the testing of FDCC settings with OPM legacy images and test all legacy COTS and custom developed applications for interoperability. Due to the complexity of this initiative, we anticipate that this project will be completed in 2011. Finding: "document deviations to FDCC and have them approved by a designated accrediting authority;" [See comment 1] Response: OPM has been documenting deviations for all FDCC settings since 2008. All images along with the deviations presently go through the OPM Change Control Board (CCB) for approval and documentation. This CCB process is in line with the accreditation boundary of the LAN/WAN general support system which includes image security controls and is monitored as part of OPM's continuous monitoring processes. Finding: "develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority;" [See comment 2] Response: OPM has updated and provided GAO the OPM Workstation Hardening Policy which details the FDCC requirements as well as the requirements to monitor and manage deviations within our change control processes. Finding: "ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them." Response: In practice, the FDCC language has been inserted into major IT initiatives ongoing at OPM, however, standard language has not been universally adopted within all contracts. The CIO's office will work to make the language standard in all new contracts and identify the best means to address contract modifications for existing contracts. In summary, OPM has addressed many of the FDCC compliance requirements and all laptop computers and images deployed after March 2008 adhere to the FDCC security settings. Additional projects are underway to address legacy images to ensure uniform compliance. The following are GAO's comments on the Office of Personnel Management's letter dated March 2, 2010. GAO Comments: 1. After subsequent discussion with agency representatives, they orally concurred with our recommendation. 2. After reviewing additional documentation provided by agency representatives, we agreed that the agency had met the requirement and modified the column "have policy to approve deviations by designated authority" in table 4 from "no" to "yes." The recommendation to this finding was removed from the report. [End of section] Appendix XIV: Comments from the Social Security Administration: Social Security Administration: The Commissioner: Baltimore, Md 21235-0001: March 2, 2010: Mr. Gregory Wilshusen: Director, Information Security Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, D.C. 20548: Dear Mr. Wilshusen: Thank you for the opportunity to review and comment on the Government Accountability Office (GAO) draft report, "Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements" (GAO-10-202). Attached is our response to the report. If you have any questions, please contact me or have your staff contact Candace Skumik, Director, Audit Management and Liaison Staff at (410) 965-4636. Sincerely, Signed by: Michael J. Astrue: Enclosure: Comments On The Government Accountability Office (GAO) Draft Report, "Information Security: Agencies Need To Implement Federal Desktop Core Configuration (FDCC) Requirements" (GAO-10-202): Recommendation 1: Develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority. Comment: We agree. We already have a formal systems security policy that we used to approve deviations to FDCC. Our policy and process for managing security configurations is contained in our Information Systems Security Handbook, Chapter 17. We will review this policy to ensure that it adequately documents the review and approval of FDCC deviations. As an agency that manages more than 100,000 Windows systems, we take the implementation of the FDCC settings very seriously. We continually look for ways to reduce our exposure to cybersecurity threats and protect our network and systems. Since the announcement of Commonly Accepted Security Configurations for Windows Operating Systems in 2007, we have successfully met all FDCC milestones. We have procured a validated Security Content Automation Protocol (SCAP) product, tested our Windows configuration settings using the SCAP product, and provided justification for SCAP deviations. Many of the SCAP deviations we found are the result of more stringent agency settings that exceed the FDCC standard. Our Office of Systems maintains approved security configurations for Windows-based systems that incorporate FDCC settings to securely accomplish our mission. We conduct regular security assessments to review our approved security configurations. Recommendation 2: Complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC. Comment: We agree. We are currently testing McAfee's National Institute of Standards and Technology (NIST)-validated Security Content Automation Protocol (SCAP) tool and anticipate deployment by the end of April 2010. Recommendation 3: Develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool. Comment: We agree. We will finalize our policy to monitor FDCC compliance as we approach completion of NIST-validated SCAP tool testing. Recommendation 4: Ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. Comment: We agree. We will include language in our contracts to ensure that new acquisitions include FDCC settings and that information technology products can operate effectively using the settings, where appropriate. [End of section] Appendix XV: Comments from the Department of the Treasury: DEPARTMENT OF THE TREASURY: WASHINGTON, D.C. 20220: February 12, 2010: Mr. Gregory C. Wilshusen: Director, information Security Issues: U.S. Government Accountability Office: 410 G Street, NW: Washington, DC 20548: Thank you for your draft report on "Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements." In demonstrating our commitment to the Federal Desktop Core Configuration (FDCC) initiative, Treasury has implemented he 674 FDCC settings on the Department's 130,000 personal computers and laptops. The Department appreciates GAO's recommendations to complete the implementation of our FDCC baseline and to incorporate contract language to ensure new acquisitions include FDCC settings and products of IT providers operate effectively when using them. Responding to these recommendations, the Department has developed language for new acquisition contracts and anticipates completing implementation in Fiscal Year 2010 for one remaining bureau. Additionally, the Department has now completed implementation of its baseline with 100% of its personal computers and laptops being FDCC compliant. With these accomplishments, Treasury will receive the maximum protection and benefit from FDCC guidelines. Thank you for your important efforts during this review. Please do not hesitate to contact me at 202-622-1200 should you have any questions. Sincerely, Signed by: Michael D. Duffy: Deputy Assistant Secretary for Information Systems and Chief Information Officer: [End of section] Appendix XVI: Comments from the U.S. Agency for International Development: U.S. Agency tor International Development: 1300 Pennsylvania Avenue, NW: Washington, DC 20523: February 18, 2010: Mr. Thomas Melito: Director: International Affairs and Trade: U.S. Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Melito: am pleased to provide the U.S. Agency for International Development's (USAID) formal response on the draft GAO report entitled, "Information Security Agencies Need to implement Federal Desktop Core Configuration Requirements" (GAO-10-202). The enclosed USAID comments are provided for incorporation with this letter as an appendix to the final report. Thank you for the opportunity to respond to the GAO draft report and for the courtesies extended by your staff in the conduct of this audit review. Sincerely, Signed by: Drew W. Luten: Senior Deputy Assistant Administrator: Bureau of Management: Enclosure: a/s: USAID COMMENTS ON GAO Draft Report No. (GAO-10-202): GAO Recommendation 1: To improve the agency's implementation of FDCC, we recommend that the Administrator of the Agency for International Development take the following action: * Ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. USAID Management Response: USAID concurs with the recommendation. [End of section] Appendix XVII: Comments from the Department of Veterans Affairs: Department of Veterans Affairs: Office of the Secretary: March 8, 2010: Mr. Gregory C. Wilshusen: Director: Information Security Issues: 441 G Street, NW: Washington, DC 20548: Dear Mr. Wilshusen: The Department of Veterans Affairs (VA) has reviewed the Government Accountability Office's (GAO) draft report, Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements (GAO-10202). VA agrees with GAO's conclusions and concurs with GAO's four recommendations to the Department. The enclosure provides specific details on VA's actions to GAO's recommendations. VA appreciates the opportunity to comment on your draft report. Sincerely, Signed by: John R. Gingrich: Chief of Staff: Enclosure: Department of Veterans Affairs (VA) Comment to Government Accountability Office (GAO Draft Report Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements (GAO- 10-202): GAO recommendation: To improve the departments implementation of FDCC, we recommend that the Secretary of Veterans Affairs take the following four actions: Recommendation 1: Complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion. VA Comments: Concur. The target date for completion of all FDCC baseline settings is September 30, 2010. A project plan, complete with milestones, has been established to monitor FDCC compliance. GAO Recommendation 2: Acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC. VA Comments: Concur. The VA owns three SCAP tools; however, due to challenges involved in deploying each, none have been implemented to date. VA plans to overcome these challenges and complete implementation by September 30, 2010. GAO Recommendation 3: Develop, document, and implement a policy to monitor FDCC compliance using a NEST-validated SCAP tool. VA Comments: Concur. A project plan has been established to monitor FDCC compliance. The target date for issuance of a draft policy and handbook (procedures) is September 2010. GAO Recommendation 4: Ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them. VA Comments: Concur. Draft VA Handbook 6500.6, Contract Security (currently in final review by VA Records Management) provides the following language that can be added to contracts, as appropriate, regarding FDCC. The highlighted revisions address future versions of browsers and operating systems. Information System Design And Development: Information systems that are designed or developed for, or on behalf of VA at non-VA facilities shall comply with all VA directives developed in accordance with FISMA, HIPAA, MST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R Part 164, Subpart C, information and system security categorization level designations in accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VA Information Security Program). During the development cycle a Privacy Impact Assessment (PIA) must be completed, provided to the COTR, and approved by the VA Privacy Service in accordance with Directive 6507, VA Privacy Impact Assessment. The contractor/subcontractor shall certify to the COTR that applications are fully functional and operate correctly as intended on systems using the VA Federal Desktop Core Configuration (FDCC) once approved, and the common security configuration guidelines provided by N1ST or the VA. This includes Internet Explorer 7 configured to operate on Windows XP, and Vista (inProtected Mode on Vista). The standard installation, operation, maintenance, updating, and patching of software shall not alter the configuration settings for the VA approved and FDCC configuration. Information technology staff must also use the Windows Installer Service for installation to the default "program files" directory and silently install and uninstall. [End of section] Appendix XVIII: GAO Contact and Staff Acknowledgments: GAO Contact: Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: Staff Acknowledgments: In addition to the individual named above, Jeffrey Knott (Assistant Director), John Bainbridge, William Cook, Kami Corbett, Neil Doherty, Michele Fejfar, Nancy Glover, Valerie Hopkins, Lee McCracken, Zsaroq Powe, Carl Ramirez, and Shawn Ward made key contributions to this report. [End of section] Footnotes: [1] Most recently, GAO, High-risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 2009). [2] The 24 major departments and agencies are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development. [3] 31 U.S.C. § 901. [4] GAO, Information Security: Agencies Make Progress in Implementation of Requirements, but Significant Weaknesses Persist, [hyperlink, http://www.gao.gov/products/GAO-09-701T] (Washington, D.C.: May 19, 2009). [5] Statement of the Director of National Intelligence before the Senate Select Committee on Intelligence, Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence (Washington, D.C.: Feb. 12, 2009). [6] GAO, Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-09-546] (Washington, D.C.: July17, 2009). [7] GAO, Information Security: NASA Needs to Remedy Vulnerabilities in Key Networks, [hyperlink, http://www.gao.gov/products/GAO-10-4] (Washington, D.C.: Oct.15, 2009). [8] GAO, Information Security: Further Actions Needed to Address Risks to Bank Secrecy Act Data, [hyperlink, http://www.gao.gov/products/GAO-09-195] (Washington, D.C.: Jan. 30, 2009). [9] GAO, Information Security: Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network, [hyperlink, http://www.gao.gov/products/GAO-08-1001] (Washington, D.C.: Sept. 9, 2008). [10] GAO, Information Security: Homeland Security Needs to Immediately Address Significant Weaknesses in Systems Supporting the US-VISIT Program, [hyperlink, http://www.gao.gov/products/GAO-07-870] (Washington, D.C.: Jul. 13, 2007). [11] Enacted as title III of the E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). [12] According to agency-reported data, approximately 3.7 million workstations in use at the 24 federal agencies use either Windows XP or Windows Vista as the operating system. [13] OMB Memorandum for Chief Information Officers, Managing Security Risk By Using Common Security Configurations (Washington, D.C.: Mar. 20, 2007); OMB, Memorandum for the Heads of Departments and Agencies: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, M-07-11 (Washington, D.C.: Mar. 22, 2007). [14] A group policy object is a collection of group policy settings that is used as part of Microsoft's Active Directory service. The service enables an administrator to define and make changes to various security and policy settings for groups of users and computers. [15] A virtual hard disk holds a virtual machine or computer, which uses software to emulate a computer with a complete hardware system, on another computer. Virtual hard disks can be used to validate the effectiveness of the security configurations and test for compatibility issues with legacy applications in a simulated environment rather than on actual workstations. [16] SCAP was developed by NIST in collaboration with the Departments of Defense and Homeland Security and Mitre Corp to provide a standardized approach to maintaining the security of enterprise systems. With the announcement of FDCC, SCAP was utilized to check the configuration settings on workstations. The FDCC SCAP content is hosted on the National Checklist Program Web site. The National Vulnerability database is also being expanded to host the SCAP component standards. See also NIST, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) (Draft), Special Publication 800-117 (Gaithersburg, MD: May 2009). [17] Under the NIST National Voluntary Laboratory Accreditation Program, NIST accredits independent laboratories to perform specific tests outlined in the SCAP Validation Program Derived Test Requirements document on SCAP tools seeking validation. NIST determines whether to validate a SCAP tool based on the test results provided by the laboratory. Laboratories are accredited based on requirements defined in NIST Handbook 150 and NIST Handbook 150-17. [18] OMB Memorandum for Chief Information Officers, March 20, 2007; OMB, M-07-11 (Mar. 22, 2007). [19] OMB Memorandum for Chief Information Officers, March 20, 2007. [20] A deviation occurs when the parameter for a particular setting is different from the approved or official parameter for the setting. A deviation can have more or less stringent parameters from that of the approved parameter. [21] OMB, M-07-11 (Mar. 22, 2007). [22] NIST frequently asked questions posted on NIST's FDCC Web site, January 28, 2008; OMB Memorandum for Chief Information Officers, Guidance on the Federal Desktop Core Configuration (FDCC), M-08-22 (Washington, D.C.: Aug. 11, 2008). [23] Federal Information Processing Standards are standards to be used by federal organizations that are developed and published by NIST as part of its mandates under 40 U.S.C. § 11331 and 15 U.S.C. § 278g-3, as amended by FISMA. [24] Encryption is used to provide basic data confidentiality and integrity for data by transforming plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm. A cryptographic hash function computes (or hashes) a fixed- length message digest from an arbitrary-length message. A message digest may be considered as an "electronic fingerprint" of the original message. Signing with a digital signature is used to detect unauthorized modifications to data and to authenticate the identity of the signer. [25] A log is a record of the events occurring within an organization's systems and networks. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Shutting down the system if it is unable to log a security event helps to ensure that an administrator will review the log and correct the problem in order to recover the system for the user. [26] OMB Memorandum for Chief Information Officers, March 20, 2007. [27] NIST Frequently Asked Questions posted on NIST's FDCC Web site, March 4, 2008; Chief Information Officers Council e-mail to chief information officers on behalf of OMB, March 24, 2008. [28] OMB, M-08-22 (Aug. 11, 2008). [29] A department or agency accrediting authority is a senior management official or executive with the authority to formally accept responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals. [30] OMB Memorandum to Chief Information Officers, Establishment of Windows XP and VISTA Virtual Machine and Procedures for Adopting the Federal Desktop Core Configurations (Washington, D.C.: July 31, 2007). [31] OMB, M-08-22 (Aug. 11, 2008). [32] OMB Memorandum for Chief Information Officers and Chief Acquisition Officers, Ensuring New Acquisitions Include Common Security Configurations, M-07-18 (Washington, D.C.: June 1, 2007). In February 2008, the Federal Acquisition Regulation was revised to require agencies to use common security configurations, as appropriate. See 48 C.F.R. § 39.101(d) (73 FR 10967, 10968, Feb. 28, 2008). [33] Plans of action and milestones, also known as remedial action plans, can help agencies identify and assess security weaknesses in information systems such as deviations in system configurations, and set priorities and monitor progress in correcting them. [34] NIST Frequently Asked Questions posted on NIST's FDCC Web site, March 4, 2008; Chief Information Officers Council e-mail to chief information officers on behalf of OMB, March 24, 2008. [35] OMB, Memorandum for Heads of Executive Departments and Agencies, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, M-08-21 (Washington, D.C.: July 14, 2008). [36] OMB Memorandum for Heads of Executive Departments and Agencies, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, M-09-29 (Washington, D.C.: Aug. 20, 2009). [37] These 5 agencies were the Departments of Education, Energy, and Transportation; the Small Business Administration; and the Social Security Administration. [38] Agency implementation of FDCC may also not include implementation of Windows Firewall or Internet Explorer 7 settings if these applications are not being used by the agency. [39] Encryption algorithms are mathematical processes used to transform plain text into cipher text for the purposes of encryption. [40] The Chief Information Officers Council established an FDCC Change Control Board in June 2009 to make recommendations to OMB and NIST for changes to the FDCC settings. The board has established a yearly process during which it solicits suggestions for modifications to the settings from federal agencies, reviews the suggestions, and provides recommendations to NIST by July 1 of each year. The board plans to make its first recommendations on settings in July 2010. [41] The General Services Administration, under the direction of OMB, established the Policy Utilization Assessment Program in order to (1) conduct a series of implementation diagnostics to determine the extent and effectiveness of agency implementation and utilization of OMB information technology policies throughout the federal government; (2) establish an assessment methodology and best practices for use by individual agencies in improving policy implementation; and (3) document lessons learned and governmentwide trends to assist OMB in improving future information technology policy development efforts. [42] Office of the Inspector General, U.S. Department of the Interior, Evaluation of Information Technology System Configuration, ISD-EV-MOA- 0003-2009 (Washington, D.C.: Sept. 23, 2009). [43] GAO, Information Security: Concerted Effort Needed to Improve Federal Performance Measures, [hyperlink, http://www.gao.gov/products/GAO-09-617] (Washington, D.C.: Sept. 14, 2009). [44] OMB Memorandum for Chief Information Officers, March 20, 2007; OMB, M-07-11 (Mar. 22, 2007). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: