This standardized configuration is going to make patching much easier, says Alan Paller, director of research at the SANS Institute, a security research and training organization. Instead of testing every patch against perhaps hundreds of configurations, IT administrators can test it against just one. An NSA study showed that proper patching and configuration practices would eliminate more than 80% of the vulnerabilities agencies face from weak configurations and missing patches, says Kreitner.
This spring, eight government agencies, including the Department of Defense, the Treasury, and the Nuclear Regulatory Commission, got failing grades on the annual computer security report cards issued by the House Committee on Oversight and Government Reform. The Department of Homeland Security got a D. The government's overall grade: C-. Paller says the directive could help government agencies improve those unacceptable grades.
The single Windows configuration should help when hiring a contractor to create custom applications, says Simon Szykman, CIO of the National Institute of Standards and Technology. In the past, when a third party developed an application in its own IT environment, there was no guarantee it would work optimally in the agency's secure desktop environment. Now an IT contractor working for any government agency will know the configuration to optimize for.
Microsoft worked with the Air Force to develop the configuration, though it continues to ship Windows XP and Vista in their normal default settings. Mark Belk, chief technology adviser with Microsoft's Federal Civilian Agencies division, says it offers a set of scripts to help agencies configure the software more quickly.
The move comes as agencies are deciding whether and how to adopt Vista. The Defense Department and armed services, all of which will use the FDCC, already have spent more than 5,000 hours developing a consensus standard desktop Vista configuration for all military services. NIST CIO Szykman plans to roll out Vista desktops, though the agency won't do so until all its Windows XP PCs first meet the new standard.
Government agencies aren't starting from the same position, says James Flyzik, who was Treasury Department CIO and deputy assistant secretary for information systems from 1997 to 2002. Those with good security practices have a shot at making the February deadline, says Flyzik, now president of consulting firm the Flyzik Group. The others are less likely.
Will the business world embrace a single Windows security configuration? Some do--Cigna, the health insurance company, has a single security standard that sets the minimum configuration for XP desktops company-wide, says chief information security officer Craig Shumard. It'll develop a similar one for Vista. But most companies don't, for the same reason that any homogenized environment is tough to stick to: as demands change, meeting a business need or performance target looks more important than sticking to a standard--what Mark Shavlik, CEO of Windows patch-management vendor Shavlik Technologies, calls "security posture drift."
It's also difficult and costly to impose uniformity on an existing infrastructure. But in terms of testing, patching, software deployment, and reimaging, standardization can save money as well as boost security, if companies can get past the initial push. "There's chaos out there in enterprise land, with systems using all kinds of different, nonstandard configurations, and that has got to be tightened up," says Kreitner. "And the Air Force has proven that it can be done." Now the rest of the U.S. government will test whether an organization with millions of employees spread around the world can also make it work.