BelchSpeak

OMB Mandates Standardized Windows Images

It looks good on paper, and it is just what US-CERT has been pushing for: each Federal civilian agency, such as the FAA, DOT, HUD and others, will have to settle on a standard Windows configuration for its organization. It will then have to hand that configuration to US-CERT within DHS, so that US-CERT can do patch management and testing before authorizing that systems are ready for patching. And I’m sure those patches will come from a secure site within DHS.

From GovExec here:

In an attempt to improve the government’s information security, the Office of Management and Budget on Tuesday gave agencies until May to plan how they will implement a standard security configuration for Microsoft computer operating systems.

In a memorandum to agency chief information officers and their deputies, Karen Evans, OMB’s administrator of e-government and information technology, said agencies must implement the standard security setting for all computers running Microsoft Windows XP and Vista no later than Feb. 1, 2008.

By April 20, OMB and the Homeland Security Department will establish a way for IT providers to obtain software images based on these configurations for test and development purposes.

By June 30, all new information technology acquisitions must reflect the configurations, and companies providing agencies with IT products must certify that their products operate effectively under the setup. When new Windows XP or Vista vulnerabilities are identified, agencies must be able to install Microsoft patches from DHS.

The standard configuration for XP and Vista operating systems was developed by the National Institute of Standards and Technology, DHS, the Defense Information Systems Agency, the National Security Agency and Microsoft.

Evans cited the Air Force’s use of a common security configuration for its Windows XP computers as a model for the effort.

Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md., said a standard configuration will reduce delays in installing patches and will help stop cyber attacks from spreading.

The DoD already operates under a similar model, and it allows that vast IT enterprise to keep patches surprisingly current while keeping CIOs abreast of the latest vulnerabilities and threats to the network. The open question is whether US-CERT will be able to perform the same duty for the civilian agencies with as much success as the DoD’s DISA.

Dr. Jones

Do not talk about fight club. Oops.