White House issues deadlines to secure Windows

Federal agencies have until Feb 1, 2008 to implement a common secure configuration setting for all Windows XP and Vista systems based on standards from the National Institute of Standards and Technology (NIST) and other organizations.

But they have less time, until May 1, to provide details to the White House Office of Management and Budget on how they plan to do so. The deadlines were set by de facto federal CIO Karen Evans in a memorandum to agency CIOs Tuesday.

The standard security settings for XP and Vista Evans was referring to were developed by NIST, the Department of Homeland Security (DHS), Microsoft, and several other organizations. They describe certain basic configuration settings to secure the operating system against common classes of threats.

In her memo, Evans described the use of standard configurations as necessary for improving overall security and reliability at federal agencies.

“Common security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources,” she said. “This allows agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of government information.”

The memo directs agency CIOs to provide details on a variety of issues, including plans to test the security configurations in nonproduction environments to identify potential problems, implementing and automating enforcement of these settings, and restricting administration of these configurations to authorized personnel only. Agencies must also be able to install Microsoft patches from DHS when new vulnerabilities are disclosed, the memo said.

Evans also wants all agency IT acquisitions after June 30 to use a common secure configuration that application software vendors have certified their products will work with.

Such stipulations are vital to improving security in the federal government, said Alan Paller, director of research at the SANS Institute, a security training company. The U.S. Air Force has already adopted a similar program under which it is using a common security configuration for Windows XP, Paller said.

The advantages of such standardization are enormous, he said, because common, secure configurations can help slow the spread of malware and make patching more efficient.

It also forces application vendors to pay more attention to security. “It comes just in time to impact application developers building applications for Windows Vista,” he said. “No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista,” he said.

The same is also true of Windows XP applications.

“The really cool thing here is that the federal government is going to use its buying power to ask anyone who wants to sell an application to make sure that it works on a secure standard configuration,” he said. “It’s the first time they are using their buying power in such a massive pro-security way.”