Skip to main content

Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements

GAO-10-202 Published: Mar 12, 2010. Publicly Released: Apr 12, 2010.
Jump To:
Skip to Highlights

Highlights

The increase in security incidents and continuing weakness in security controls on information technology systems at federal agencies highlight the continuing need for improved information security. To standardize and strengthen agencies' security, the Office of Management and Budget (OMB), in collaboration with the National Institute of Standards and Technology (NIST), launched the Federal Desktop Core Configuration (FDCC) initiative in 2007. GAO was asked to (1) identify the goals, objectives, and requirements of the initiative; (2) determine the status of actions federal agencies have taken, or plan to take, to implement the initiative; and (3) identify the benefits, challenges, and lessons learned in implementing this initiative. To accomplish this, GAO reviewed policies, plans, and other documents at the 24 major executive branch agencies; reviewed OMB and NIST guidance and documentation; and interviewed officials.

The goals of FDCC are to improve information security and reduce overall information technology operating costs across the federal government by, among other things, providing a baseline level of security through the implementation of a set of standard configuration settings on government-owned desktop and laptop computers (i.e., workstations). To carry out the initiative, OMB required that executive branch agencies take several actions, including: (1) submit an implementation plan to OMB; (2) apply all configuration settings to all applicable workstations by February 2008; (3) document any deviations from the prescribed settings and have them approved by an accrediting authority; (4) acquire a specified NIST-validated tool for monitoring implementation of the settings; (5) ensure that future information technology acquisitions comply with the configuration settings; and (6) submit a status report to NIST. While agencies have taken actions to implement these requirements, none of the agencies has fully implemented all configuration settings on their applicable workstations. Specifically, most plans submitted to OMB did not address all key implementation activities; none of the agencies implemented all of the prescribed configuration settings on all applicable workstations, though several implemented agency-defined subsets of the settings; several agencies did not fully document their deviations from the settings or establish a process for approving them; six agencies did not acquire and make use of the required tool for monitoring FDCC compliance; many agencies did not incorporate language into contracts to ensure that future information technology acquisitions comply with FDCC; and many agencies did not describe plans for eliminating or mitigating their deviations in their compliance reports to NIST. Until agencies ensure that they are meeting these FDCC requirements, the effectiveness of the initiative will be limited. FDCC has the potential to increase agencies' information security by requiring stricter security settings on workstations than those that may have been previously in place and standardizing agencies' management of workstations, making it easier to manage changes such as applying updates or patches. In addition, a number of lessons can be learned from the management and implementation of the FDCC initiative which, if considered, could improve the implementation of future versions of FDCC or other configuration efforts. At the same time, agencies face several ongoing challenges in fully complying with FDCC requirements, including retrofitting applications and systems in their existing environments to comply with the settings, assessing the risks associated with deviations, and monitoring workstations to ensure that the settings are applied and functioning properly. As OMB moves forward with the initiative, understanding the lessons learned as well as the ongoing challenges agencies face will be essential in order to ensure the initiative is successful in ensuring public confidence in the confidentiality, integrity, and availability of government information.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget To improve implementation of FDCC at federal agencies, the Director of OMB should when announcing new FDCC versions, such as Windows 7, and changes to existing versions, include clear, realistic, and effectively communicated deadlines for completing implementation.
Closed – Implemented
In fiscal year 2012, we verified that the United States Government Configuration Baseline replaced the FDCC and now provides the baseline settings that Federal agencies are required to implement for security and environmental reasons. We also verified that OMB, as an alternative to our recommendation, required agencies to establish clear, realistic, and effectively communicated deadlines for completing implementation.
Office of Management and Budget To improve implementation of FDCC at federal agencies, the Director of OMB should clarify OMB policy regarding FDCC deviations to include: whether deviations can be permanent or should be mitigated in a timely manner; requirements for plans of actions and milestones for mitigating deviations, including resources necessary for doing so; guidance to use for assessing the risk of deviations across the agency; and how frequently and to whom deviations should be reported to assist in making decisions regarding future versions.
Closed – Implemented
In fiscal year 2012, we verified that the United States Government Configuration Baseline (USGCB) replaced the FDCC and now provides the baseline settings that Federal agencies are required to implement for security and environmental reasons. We also verified that OMB, as an alternative to our recommendation, assigned responsibility to the Federal CIO Council for issuing guidance related to the implementation of the USGCB.
Office of Management and Budget To improve implementation of FDCC at federal agencies, the Director of OMB should inform agencies of the various approaches for testing the settings and implementing the initiative in phases, which may aid successful implementation.
Closed – Implemented
In fiscal year 2012, we verified that the United States Government Configuration Baseline (USGCB) replaced the FDCC and now provides the baseline settings that Federal agencies are required to implement for security and environmental reasons. We also verified that OMB, as an alternative to our recommendation, informed agencies of the various approaches for testing the settings and implementing the initiative in phases, which may aid successful implementation through the USGCB technical Web site and the documentation found there.
Office of Management and Budget To improve implementation of FDCC at federal agencies, the Director of OMB should assess the efficacy of, and take steps to apply as appropriate, other lessons learned during the initial implementation of this initiative such as the need for (1) additional collaboration efforts, (2) independent testing, and (3) advance notice of requirements, to assist agencies in implementing this initiative.
Closed – Implemented
In fiscal year 2012, we verified that OMB, in response to our recommendation for applying lessons learned during implementation, institutionalized the process for developing baselines in the Federal government by developing and implementing a cooperative, sustainable process so that, through the Federal CIO Council, agencies determine their baselines, requirements, testing, and deadlines.
Office of Management and Budget To improve implementation of FDCC at federal agencies, the Director of OMB should provide guidance on using Security Content Automation Protocol (SCAP) tools to include information on the frequency and scope with which agencies should perform monitoring.
Closed – Implemented
In fiscal year 2012, we verified that OMB , in response to our recommendation, reported that National Institute of Standards and Technology Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP), provides guidance on using SCAP tools to include information on the frequency and scope with which agencies should perform monitoring.
Office of Management and Budget To improve implementation of FDCC at federal agencies, the Director of OMB should develop performance measures and provide guidance to agencies for reporting the benefits of FDCC.
Closed – Implemented
In fiscal year 2012 we verified that OMB, in coordination with Department of Homeland Security, released updated performance measures for USGCB, formally FDCC. OMB and DHS released performance measures and the associated guidance which aid agencies in reporting the benefits of USGCB.
Department of Agriculture To improve the department's implementation of FDCC, the Secretary of Agriculture should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Not Implemented
USDA has not fully implemented FDCC/USGCB settings as of 2013. USDA expects to improve implementation percentages by the end of 2014 and to report deviations and compensating controls in operating environments where full implementation is not feasible.
Department of Agriculture To improve the department's implementation of FDCC, the Secretary of Agriculture should document deviations to FDCC and have them approved by a designated accrediting authority.
Closed – Implemented
In fiscal year 2011 we verified that USDA, in response to our recommendation, documented deviations to FDCC and have them approved by a designated accrediting authority.
Department of Agriculture To improve the department's implementation of FDCC, the Secretary of Agriculture should develop, document, and implement a policy to approve deviations by a designated accrediting authority.
Closed – Implemented
In fiscal year 2011 we verified that USDA, in response to our recommendation, developed, documented, and implemented a policy to approve deviations by a designated accrediting authority.
Department of Commerce To improve the department's implementation of FDCC, the Secretary of Commerce should ensure all components have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.
Closed – Implemented
In fiscal year 2013 we verified that Commerce, in response to our recommendation, has issued guidance requiring all components to implement a NIST-validated security content automation protocol (SCAP) tool to monitor compliance with FDCC/USGCB settings. In addition, we verified that Commerce has ensured that all operating units are using a NIST-validated SCAP tool to monitor these settings.
Department of Commerce To improve the department's implementation of FDCC, the Secretary of Commerce should ensure all components develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Closed – Implemented
In fiscal year 2011 we verified that Commerce, in response to our recommendation, developed, documented and implemented a policy requiring the use of NIST-validated SCAP tools to monitor compliance with FDCC.
Department of Commerce To improve the department's implementation of FDCC, the Secretary of Commerce should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2011 we verified that Commerce, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Department of Defense To improve the department's implementation of FDCC, the Secretary of Defense should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Not Implemented
According to the agency's inspector general FISMA report for fiscal year 2013, for Windows-based components, USGCB secure configuration settings are not fully implemented, and any deviations from USGCB baseline settings are not fully documented. Additionally, the inspector general reported that they did not identify any comprehensive audit reports in the Federal audit community that addressed the implementation of USGCB secure configuration settings.
Department of Defense To improve the department's implementation of FDCC, the Secretary of Defense should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2011 we verified that DOD, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Department of Energy To improve the department's implementation of FDCC, the Secretary of Energy should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Implemented
In fiscal year 2014, we verified that Energy, in response to our recommendation, completed implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Department of Energy To improve the department's implementation of FDCC, the Secretary of Energy should ensure all components that are required to implement FDCC have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.
Closed – Implemented
In fiscal year 2013, we verified that the Department of Energy, in response to our recommendation, ensured that all components that are required to implement FDCC have acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.
Department of Energy To improve the department's implementation of FDCC, the Secretary of Energy should ensure all components that are required to implement FDCC develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Closed – Implemented
In fiscal year 2013, we verified that the Department of Energy, in response to our recommendation, ensured all components that are required to implement FDCC developed, documented, and implemented a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Department of Energy To improve the department's implementation of FDCC, the Secretary of Energy should ensure that language is included in contracts of those components that are required to implement FDCC to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2013 we verified that DOE, in response to our recommendation, ensured that language is included in contracts of those components that are required to implement FDCC to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Environmental Protection Agency To improve the agency's implementation of FDCC, the Administrator of the Environmental Protection Agency should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Implemented
In fiscal year 2011 we verifed that the Environmental Protection Agency, in response to our recommendation, completed implementation of the agency's FDCC baseline.
Environmental Protection Agency To improve the agency's implementation of FDCC, the Administrator of the Environmental Protection Agency should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.
Closed – Implemented
In fiscal year 2012 we verified that the Environmental Protection Agency, in response to our recommendation, developed, documented, and implemented a policy to approve deviations to FDCC by a designated accrediting authority.
General Services Administration To improve the agency's implementation of FDCC, the Administrator of the General Services Administration should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Implemented
In fiscal year 2012 we verified that the General Services Administration, in response to our recommendation, completed implementation of the agency's FDCC baseline.
Department of Health and Human Services To improve the department's implementation of FDCC, the Secretary of Health and Human Services should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Not Implemented
According to the agency's inspector general FISMA report for fiscal year 2013, for Windows-based components, USGCB secure configuration settings are not fully implemented, and any deviations from USGCB baseline settings are not fully documented.
Department of Health and Human Services To improve the department's implementation of FDCC, the Secretary of Health and Human Services should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Closed – Implemented
In fiscal year 2014 we verified that HHS, in response to our recommendation, developed, documented, and implemented a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Department of Health and Human Services To improve the department's implementation of FDCC, the Secretary of Health and Human Services should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2014, we verified that HHS, in response to our recommendation, developed the Standard for Security Configurations Language for HHS Contracts and implemented Federal Acquisition Regulation language regarding Common Security Configuration and HHS information security requirements. In addition, the department released Security and Privacy Considerations to Guide IT Procurements in May 2012.
Department of Homeland Security To improve the department's implementation of FDCC, the Secretary of Homeland Security complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Implemented
In fiscal year 2013, GAO verified that the Department of Homeland Security, in response to GAO's recommendation, has fully implemented secure configuration settings that meet Federal Desktop Core Configuration/ U.S. Government Configuration Baseline (USGCB) requirements on applicable workstations in all but one of its components. The remaining component is applying USGCB settings and is scheduled to be 85 to 90 percent compliant by January 2014.
Department of Homeland Security To improve the department's implementation of FDCC, the Secretary of Homeland Security should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.
Closed – Implemented
In fiscal year 2011 we verified that the Department of Homeland Security, in response to our recommendation, developed, documented, and implemented a policy to approve deviations to FDCC by a designated accrediting authority.
Department of Homeland Security To improve the department's implementation of FDCC, the Secretary of Homeland Security should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Closed – Implemented
In fiscal year 2012 we verified that the Department of Homeland Security, in response to our recommendation, developed, documented and implemented a policy to monitor FDCC using a NIST-validated SCAP tool.
Department of Homeland Security To improve the department's implementation of FDCC, the Secretary of Homeland Security should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2011 we verified that the Department of Homeland Security, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Department of Housing and Urban Development To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC.
Closed – Implemented
In fiscal year 2011 we verified that HUD, in response to our recommendation, acquired and deployed a NIST-validated SCAP tool to monitor compliance with FDCC.
Department of Housing and Urban Development To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Closed – Implemented
In fiscal year 2011 we verified that HUD, in response to our recommendation, developed, documented, and implemented a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Department of Housing and Urban Development To improve the department's implementation of FDCC, the Secretary of Housing and Urban Development should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2011 we verified that HUD, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Department of the Interior To improve the department's implementation of FDCC, the Secretary of the Interior should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Implemented
In fiscal year 2013 we verified that the Department of Interior, in response to our recommendation, implemented 73% of the recommended settings for the Federal Desktop Core Configuration Baseline.
Department of the Interior To improve the department's implementation of FDCC, the Secretary of the Interior should ensure all components implement the department's existing policy to document deviations to FDCC and have those deviations approved by a designated accrediting authority.
Closed – Implemented
In fiscal year 2011 we verified that the Department of Interior, in response to our recommendation, ensured all Components implemented the department's existing policy to document deviations to FDCC and have those deviations approved by a designated accrediting authority.
Department of the Interior To improve the department's implementation of FDCC, the Secretary of the Interior should ensure all components implement the department's existing policy to acquire and deploy a NIST-validated SCAP tool and monitor compliance with FDCC.
Closed – Not Implemented
The Department of Interior effort to ensure all components implement the department's existing policy to acquire and deploy a NIST-validated SCAP tool and monitor compliance with FDCC is delayed due to lack of funding. Current target date of completion is 12-31-2014.
Department of Justice To improve the department's implementation of FDCC, the Attorney General should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Implemented
In fiscal year 2014, we verified that Justice, in response to our recommendation, implemented 74% of the recommended settings for the Federal Desktop Core Configuration Baseline.
Department of Justice To improve the department's implementation of FDCC, the Attorney General should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.
Closed – Implemented
In fiscal year 2014 we verified that Justice, in response to our recommendation, developed, documented, and implemented a policy to approve deviations to FDCC by a designated accrediting authority.
Department of Justice To improve the department's implementation of FDCC, the Attorney General should complete deployment of a NIST-validated SCAP tool to monitor FDCC compliance.
Closed – Implemented
In fiscal year 2014 we verified that Justice, in response to our recommendation, completed deployment of a NIST-validated SCAP tool to monitor FDCC compliance.
Department of Justice To improve the department's implementation of FDCC, the Attorney General should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2014 we verified that Justice, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Department of Labor To improve the department's implementation of FDCC, the Secretary of Labor should complete efforts to ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2011 we verified that the Department of Labor, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
National Aeronautics and Space Administration To improve the agency's implementation of FDCC, the Administrator of the National Aeronautics and Space Administration should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Not Implemented
According to the agency's inspector general FISMA report for fiscal year 2013, for Windows-based components, USGCB secure configuration settings are not fully implemented, and any deviations from USGCB baseline settings are not fully documented.
National Science Foundation To improve the agency's implementation of FDCC, the Director of the National Science Foundation should complete deployment of a NIST-validated SCAP tool to monitor FDCC compliance.
Closed – Implemented
In fiscal year 2012 we verified that the National Science Foundation, in response to our recommendation, completed deployment of a NIST-validated SCAP tool to monitor FDCC compliance.
Nuclear Regulatory Commission To improve the agency's implementation of FDCC, the Chairman of the Nuclear Regulatory Commission should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.
Closed – Implemented
In fiscal year 2011 we verified that the Nuclear Regulatory Commission, in response to our recommendation, developed, documented, and implemented a policy to approve deviations to FDCC by a designated accrediting authority.
Nuclear Regulatory Commission To improve the agency's implementation of FDCC, the Chairman of the Nuclear Regulatory Commission should ensure that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2011 we verifed that the Nuclear Regulatory Commission, in response to our recommendation, ensured that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Office of Personnel Management To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Implemented
In fiscal year 2014 we verified that the Office of Personnel Management, in response to our recommendation, completed implementation of the agency's FDCC baseline.
Office of Personnel Management To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should document deviations to FDCC and have them approved by a designated accrediting authority.
Closed – Implemented
In fiscal year 2011 we verified that the Office of Personnel Management, in response to our recommendation, documented deviations to FDCC and have them approved by a designated accrediting authority.
Office of Personnel Management To improve the agency's implementation of FDCC, the Director of the Office of Personnel Management should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2011 we verified that the Office of Personnel Management, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Small Business Administration To improve the agency's implementation of FDCC, the Administrator of the Small Business Administration should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.
Closed – Not Implemented
The Small Business Administration is continuing efforts to update SBA SOP 90 47 3 to include the FDCC requirement but has not yet fully implemented our recommendation.
Small Business Administration To improve the agency's implementation of FDCC, the Administrator of the Small Business Administration should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Not Implemented
The Small Business Administration is working with its procurement office to include the required language into new acquisitions but has not fully implemented our recommendation.
Social Security Administration To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should develop, document, and implement a policy to approve deviations to FDCC by a designated accrediting authority.
Closed – Implemented
In fiscal year 2011 we verified that the Social Security Administration, in response to our recommendation, developed, documented, and implemented a policy to approve deviations to FDCC by a designated accrediting authority.
Social Security Administration To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC.
Closed – Implemented
In fiscal year 2011 we verified that the Social Security Administration, in response to our recommendation, completed deployment of its NIST-validated SCAP tool to monitor compliance with FDCC.
Social Security Administration To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Closed – Implemented
In fiscal year 2011 we verified that the Social Security Administration, in response to our recommendation, developed, documented, and implemented a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Social Security Administration To improve the agency's implementation of FDCC, the Commissioner of the Social Security Administration should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2013 we verified that the Social Security Administration, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Department of Transportation To improve the department's implementation of FDCC, the Secretary of Transportation should complete deployment of a NIST-validated SCAP tool to monitor compliance with FDCC.
Closed – Implemented
In fiscal year 2013 we verified that the Department of Transportation, in response to our recommendation, completed deployment of a NIST-validated SCAP tool to monitor compliance with FDCC.
Department of Transportation To improve the department's implementation of FDCC, the Secretary of Transportation should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2013 we verified that the Department of Transportation, in response to GAO's recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Department of the Treasury To improve the department's implementation of FDCC, the Secretary of the Treasury should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Implemented
In fiscal year 2011 we verifed that the Department of Treasury, in response to our recommendation, completed implementation of the agency's FDCC baseline.
Department of the Treasury To improve the department's implementation of FDCC, the Secretary of the Treasury should ensure that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2011 we verified that the Department of Treasury, in response to our recommendation, ensured that all components include language in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
U.S. Agency for International Development To improve the agency's implementation of FDCC, the Administrator of the U.S. Agency for International Development should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2011 we verified that the U.S. Agency for International Development, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Department of Veterans Affairs To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should complete implementation of the agency's FDCC baseline, including establishing firm milestones for completion.
Closed – Implemented
In fiscal year 2013 we verified that VA, in response to our recommendation, has substantially implemented FDCC settings or, as appropriate, U.S. Government Configuration Baseline (USGCB) settings. USGCB is the initiative that replaced FDCC.
Department of Veterans Affairs To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should acquire and deploy a NIST-validated SCAP tool to monitor compliance with FDCC.
Closed – Implemented
In fiscal year 2011 we verified that Veterans Affairs, in response to our recommendation, acquired and deployed a NIST-validated SCAP tool to monitor VA's compliance with FDCC configurations.
Department of Veterans Affairs To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should develop, document, and implement a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Closed – Implemented
In fiscal year 2013 we verified that Veterans Affairs, in response to our recommendation, developed, documented, and implemented a policy to monitor FDCC compliance using a NIST-validated SCAP tool.
Department of Veterans Affairs To improve the department's implementation of FDCC, the Secretary of Veterans Affairs should ensure that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Closed – Implemented
In fiscal year 2011 we verified that Veterans Affairs, in response to our recommendation, ensured that language is included in contracts to ensure new acquisitions include FDCC settings and products of information technology providers operate effectively using them.
Department of Energy To improve the department's implementation of FDCC, the Secretary of Energy should document deviations to FDCC and have them approved by a designated accrediting authority.
Closed – Implemented
In fiscal year 2013 we verified that the Department of Energy, in response to our recommendation, has documented deviations to FDCC settings and has ensured that these deviations were approved by a designated approving authority.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Computer securityComputer security incidentsComputersConfiguration controlExecutive agenciesFederal agenciesGovernment informationInformation securityInformation security managementInformation security regulationsInformation technologyInternal controlsLessons learnedMonitoringNoncomplianceRequirements definitionRisk assessmentStandardsDocumentationSafeguardsComplianceOperations and maintenance costsProgram goals or objectivesProgram implementation