Federal agencies have until 1 February 2008 to implement a common secure configuration setting for all Windows XP and Vista systems, which must be based on standards from the National Institute of Standards and Technology (Nist) and other organisations.
But they have less time, until 1 May, to provide details to the White House Office of Management and Budget on how they plan to do so. The deadlines were set by de-facto federal CIO Karen Evans in a memorandum to agency CIOs.
The standard security settings for XP and Vista Evans was referring to were developed by Nist, the Department of Homeland Security (DHS), Microsoft and several other organisations. They basically describe certain basic configuration settings to secure the operating system against common classes of threats.
In her memo, Evans described the use of standard configurations as necessary for improving overall security and reliability at federal agencies.
"Common security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources," she said. "This allows agencies to improve system performance, decrease operating costs and ensure public confidence in the confidentiality, integrity and availability of government information."
The memo directs agency CIOs to provide details on a variety of issues, including plans to test the security configurations in non-production environments to identify potential problems, implementing and automating enforcement of these settings and restricting administration of these configurations to authorised personnel only. Agencies must also be able to install Microsoft patches from DHS when new vulnerabilities are disclosed, the memo said.
Evans also wants all agency IT acquisitions after 30 June to use a common secure configuration that application software vendors have certified their products will work with.
Such stipulations are vital to improving security in the federal government, said Alan Paller director of research at the SANS Institute, a security training company. The US Air Force has already adopted a similar programme under which it is using a common security configuration for Windows XP, Paller said.
The advantages of such standardisation are enormous, he said, because common, secure configurations can help slow spread of malware and make patching more efficient.
It also forces application vendors to pay more attention to security. "It comes just in time to impact application developers building applications for Windows Vista," he said. "No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," he said.
The same is also true of Windows XP applications.
"The really cool thing here is that the federal government is going to use its buying power to ask anyone who want to sell an application to make sure that it works on a secure standard configuration," he said. "It's the first time they are using their buying power in such a massive pro-security way."