Topics: Security

Are You SCAP Ready?

Posted by George Hulme, Jan 29, 2008 03:49 PM

In case you missed it, about a year ago the Office of Management and Budget issued policy memorandum M-07-11, aka the Implementation of Commonly Accepted Security Configurations for Windows Operating Systems. Essentially, this mandates that all federal agency systems must adhere to the Federal Desktop Core Configuration (FDCC) by February 2008. That's this Friday.

The goal is laudable; as these security configurations can go a long way to help CIOs and federal agency CISOs keep systems safer. But both the configuration and verification of this standard system implementation rely heavily on a rather obscure protocol known as SCAP, which is the Security Content Automation Protocol.

SCAP, basically, is a checklist that relies on a handful of open standards for naming software flaw conventions and configurations in applications and systems. So, if your scanner is SCAP compliant, you can more swiftly check to see if your agency systems are FDCC compliant.

That’s probably why, in another memo, the OMB mandated that federal CIOs must use SCAP-validated tools for FDCC software acceptance for all U.S. government systems.

And that's where trouble starts to enter this acronym paradise. This Friday, those federal agencies are supposed to submit to OMB a listing of all of their systems running XP and Vista, as well as how many are FDCC compliant (Though SCAP is not required for this deadline).

Here's the rub: as of today, no SCAP products have been validated. There’s just this Web page listing no validated SCAP tools. However, the National Institute of Standards and Technology has promised a list by this Friday.

There’s nothing like pushing a deadline.

In the long run, SCAP will no doubt will make it easier for agencies, vendors, and auditors to maintain more secure federal systems. A secure configuration that can be easily validated means fewer mistakes and easier enforcement of sound security practices.

For those agencies that don't want to wait until Friday to get started, here’s a list of scanners that purport to have SCAP capabilities.

« Old Scheduling Dog Shows DEMO A New Trick | Main | DEMO Update: Skyfire Debuts New Mobile Browser »

Tomorrow's CIO: Do you have what it takes?
Find out at the 2008 InformationWeek 500 Conference
Sept. 14-16, St. Regis Resort, Monarch Beach, Calif.

Sign up now for the weekly InformationWeek Blog Newsletter.

This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.

Blog Categories
IT Olympics Cloud Computing Enterprise 2.0 Digital Life Google Over The Air Outsourcing CIOs Uncensored Startup City Information Management Content Management Green Computing Fritz Nelson's Instigator Political Tech	Analytics Interop Security Microsoft Apple Unvarnished Open Source Wolfe's Den David Berlind's Tech Radar Virtualization Storage Backup and Business Continuity Unified Communications Blog Homepage

InformationWeek

Business Innovation Powered By Technology

Are You SCAP Ready?