Gov Security Standards Spell Channel Opportunity
Earlier this year, the Office of Management and Budget (OMB) directed all agencies that run or plan to run Windows XP or Vista to adopt a security configuration developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS) by February 2008. In June, OMB released a second memo that provided agencies with recommended language for use in bids for technology to ensure contractors incorporate the proper security configurations with procured systems.
According to the latest memo, solution providers are charged with certifying applications function correctly on systems using the Federal Desktop Core Configuration (FDCC) guidelines. Further, ongoing operation and maintenance should not alter the configuration settings, whether conducted by industry partners or administrators inside the agency.
"The mandate is a natural progression from the efforts of various agencies to implement more rigorous security as part of their acquisition processes," says Jim St.Clair, senior manager for global public sector at Grant Thornton LLP. The consultancy firm advises federal agencies on the steps needed to comply with the configuration standard. St. Clair says many could opt to pass that rather arduous task off to the private sector. "Agencies may expect that to be part of the acquisition, as a standard service done for the agency that doesn't have to then be repeated by multiple groups within."
The OMB's decision to drive a standard Windows security configuration across government came after careful review of a similar initiative in the Air Force, which kicked off in 2005 and involved more than 450,000 desktops. The effort was as much about efficiency as security, easing management across the IT environment and cutting costs, and impacted both the hardware as well as the software running on systems.
"The objective was not only to establish a standard configuration for hardware suppliers, but also address security for those that develop software for the Air force," says Kenneth Heitkamp, the Air Force's associate director for lifecycle management. "Because we had all these different configurations that we allowed program offices and industry suppliers to define, the Air Force had a diverse and complicated network of PCs that was difficult to manage and change for patches, updates and upgrades. And for developers, what did they develop to?"
In fact, issues relating to software will likely cause the biggest headaches for agencies, and create the biggest opportunity for the channel. Like the Air Force, all other federal agencies are now left to review the 400 settings in the operating system that are security related, and adjust them to comply with the standard. Among those adjustments will be to strip end users of local system administrator rights, which in turn will impact some applications ability to run. Also, applications will not be able to write data to protected portions of registries.
"Hackers can gain access by running executables," says Ken Page, FDCC program manager at Microsoft. "The FDCC won't allow that to happen, and instead requires an application to write to the general areas -- Temp and My Documents folders."
For those two reasons, the Air Force averaged 13 percent of applications broken when it went through the transition. "Microsoft has an application compatibility toolkit that can fix those [applications] in about 85 percent of cases, but some are just flat out broke," Page says. "[Agencies have] to fix code or remove them from the network."
Once agencies' systems are compliant, the task of ensuring all future deployments meet the standard spelled out in the OMB mandate will primarily fall on solution providers and vendors.
"System integrators act as the trusted advisers to federal agencies needing to deploy technology, [so they] have to understand the images," says Andrew Bove, chief technology officer at Secure Elements.
The company's audit and compliance software was used to develop an XML tool offered by NIST that automatically determines if tested systems are properly configured. "All new procurements for workstations and desktops need to be within these configurations, so the downstream channel partners need to be aware. Manufacturers have the responsibility to deliver a base configuration that can be measured by standard, and partners will have to adapt that to agencies real needs."
Chances are the federal government will implement similar security requirements as those attached to Windows to other environments. Apple, Sun and even Linux distributors are already setting the groundwork for meeting comparable guidelines with their own operating systems. And just as Internet Explorer and Microsoft Office were incorporated into the current mandate, other browsers, applications, server software and even development languages might eventually experience a lockdown.
"We'd love to see OMB release a similar minimum standard for Open Source Solaris and Linux, as well as AIX and HP-UX," says Bill Vass, president and COO of Sun Federal. "I wouldn't want them to legislate how we install or the features of the operating system, but the idea of a profile of what needs to be in place makes sense. Actually, this needs to go further -- there should be a [specified] way to install Java and .Net applications as well, and configurations for all of the browsers. That's really where malicious code comes in."
Driving security in its Enterprise Linux operating system, Red Hat is participating in efforts to create a common framework based around standards such as the Open Vulnerability and Assessment Language (OVAL), the Common Vulnerabilities and Exposures (CVE) and the eXtensible Configuration Checklist Description Format (XCCDF).
"We have been working on similar guidance with the federal agencies [that] gives the administrator a secure cookbook recipe for deploying standard daemons like DNS, email, or Web services," says Steve Grubb, security standards team lead at Red Hat. In the end, standard configurations ease the burden placed upon solution providers to ensure security in federal procurements, and allow for quicker fulfillment as less is left up for debate.
"Guidance documents, when publicly available, should be helpful for administrators both inside and outside the government," Grubb says. "Having a standard configuration allows vendors to create tools to automate the lockdown process, scan for abnormalities, and report a system's status."