A GAO report conducted last month and made public this week revealed that several agencies have failed to fully meet their requirements as mandated by the FDCC. The Office Of Management and Budget, which launched the FDCC in collaboration with the National Institute of Standards and Technology in 2007, required federal agencies to submit an implementation plan, apply all of the settings, document any deviations, and acquire a specified NIST-validated tool for monitoring the implementations. They were also required to ensure that future IT acquisitions comply with both settings, and submit a status report.
According to the report, several agencies did not fully document deviations from the settings outlined by the Office of Management and Budget. Six agencies failed to acquire and use the NIST tool for monitoring FDCC compliance, and many agencies did not incorporate language into contracts ensuring that future information-technology acquisitions comply with the standard.
"While agencies have taken actions to implement these requirements, none of the agencies has fully implemented or configur[ed] settings on the applicable workstations," said the GAO. "Agencies face several ongoing challenges in fully complying with FDCC requirements, including retrofitting applications and systems in their existing environments to comply with the testings, assessing the risks associated with deviations, and monitoring workstations to ensure that the settings are applied and functioning properly."
The FDCC required that all federal agencies standardize the configuration of roughly 300 settings on Windows computers to harden them against hacking. All federal agencies were required to implement the FDCC settings by February 2008. The baseline included the use of a personal firewall, more frequent password changes, not saving Windows logons, and the removal of administrative privileges as a run-time parameter. The FDCC applied to both desktops and laptops, and specified that all wireless interfaces should be disabled.