Feds racing to lock down Windows XP, Vista PCs

NIST releasing "SCAP" list for Microsoft desktop security assessment as compliance deadline nears

Federal agencies required to ensure security of their Windows XP and Vista PCs by the end of February are about to get a much-anticipated list of validated assessment tools.

The National Institute of Standards and Technology's (NIST) first list of tools based on the Security Content Automation Protocol (SCAP) will enable federal agencies to configure, assess, monitor and report that their Microsoft XP and Vista desktop systems adhere to the "Federal Desktop Core Configuration" standard. The FDCC requires agencies running the Microsoft software to configure desktop settings according to specific security guidelines, limiting users' abilities to change their desktops.

Vendors with secure-configuration management products had already been moving to support the SCAP standard, but the federal government last year decided to require validated SCAP tools by having NIST establish a testing regimen. This set off a race against the clock to get a product-testing program in place.

"Usually it takes at least 1½ years to set up a technical validation program, but I was given six months so we're moving quickly," says Peter Mell, NIST SCAP program manager. NIST now has about a dozen labs accredited to do SCAP product testing, and a half dozen or so SCAP-based products are expected to be on the list published on the NIST Web site later this month.

The SCAP tools are required under the guidelines set by the U.S. Office of Management and Budget to ensure XP or Vista desktops are configured according to the government's security requirements. "There are hundreds of configuration settings provided by the FDCC," says Mell, adding that he believes that XP and Vista probably represent the most prevalent desktop operating systems in the government today.

Several vendors of security configuration management products are adding support for SCAP and have submitted products to NIST-accredited labs for review. One vendor, BigFix, Thursday announced its Security Configuration Management software, based on its Discovery 7 platform, will be available next week with a SCAP module for about $5 to $10 per seat. Another vendor, Lumension, also announced product support for SCAP this week.

