I, Wyatt Starnes, do have an official position as a member of the National Institute of Standards and Technology (NIST) Visiting Committee on Advanced Technology (VCAT) and, further, I serve as the chairman of its IT subcommittee and work on strategic issues regarding both NIST internally and the constituencies that NIST supports worldwide.
Any comments in this blog related to IT in either a commercial or Government setting are mine and mine alone, and do not represent or imply any endorsement or opinion by NIST.
Ok, I am required to do that…
I tend to take a decidedly commercial-market stance when I speak on various industry transitions. Shame on me. As many of you know, I have spent a fair bit of my career of late working on Federal IT market issues, needs and developments.
Recently there have been several major developments in Government as they relate to IT. On the agency side (an annual IT market of around $70B) the Office of Management and Budget (OMB) has been very active in appending requirements to the long-standing Federal Information Security Management Act, or FISMA. In brief, this is the primary act that compels Federal Agencies to use best practices and IT controls to deploy, manage and report on agency-based IT usage. See: http://en.wikipedia.org/wiki/FISMA
OMB, in cooperation with several agencies including NIST, DoD, and DHS, recently completed the technical framework and put in place TWO supplemental requirements that will dramatically impact all Federal Agencies early next year. These are Memorandum M-07-11 and M-07-18.
M-07-11 covers the: “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems,” and states: “agencies with these operating systems [Windows XP and VISTA] and/or plans to upgrade to these operating systems must adopt these standard security configurations by February 1, 2008.” See: http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf
M-07-18 puts the teeth in the above memo by providing the recommended language for Agencies to use in solicitations to ensure new acquisitions include these common security configurations and information technology providers certify their products operate effectively using these configurations. See: http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf
In short, these represent some very good work, in my opinion, by the various agencies involved in their creation, and I applaud OMB for moving them into effect quickly. I must comment that these memoranda DO have some Microsoft benefit, and Microsoft has been very active in their creation, vetting and implementation behind the scenes, but I digress.
Fundamentally, these regulations are moving Federal IT to a new level of the Security Content Automation Protocol (SCAP) and drive new baselines of pre-tested Federal Desktop Core Configuration (FDCC) settings. As indicated by their very names, we are creating better standard configuration methods and conformance verification (IT Controls) along with pre-defined and vetted core configurations (Standard Reference Images). This is a notable and important IT transition, and a continued move toward a proactive, standardized and positive systems management and security model.
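To make the "conformance verification against a vetted baseline" idea concrete, here is an added example (my own illustration, not anything from the memoranda, NIST, or any SCAP content): a baseline is expressed purely as data (setting, comparison operator, expected value, severity), and an assessment engine compares a host's observed settings rule by rule. The rule ids, expected values and the observed host settings are constructed for the example and are not the actual FDCC settings. Note how a control the assessor cannot observe is reported as "missing" rather than counted as a pass.

```python
"""Baseline conformance check in the spirit of an SCAP/FDCC-style assessment.

Added example. Rule ids, expected values and observed settings below are
constructed for illustration; they are NOT FDCC content or real SCAP rules.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Comparison operators a rule may use. Keeping them in a table means a rule is
# pure data, so a baseline can be vetted and shipped separately from the engine.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda observed, expected: observed == expected,
    "at_least": lambda observed, expected: observed >= expected,
    "at_most": lambda observed, expected: observed <= expected,
    "in": lambda observed, expected: observed in expected,
}


@dataclass(frozen=True)
class Rule:
    id: str
    setting: str
    operator: str
    expected: Any
    severity: str = "medium"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    setting: str
    status: str          # "pass", "fail" or "missing"
    observed: Any
    expected: Any
    severity: str


def evaluate(baseline: List[Rule], observed: Dict[str, Any]) -> List[Finding]:
    """Compare every rule in the baseline against the observed settings.

    A setting absent from the observation is reported as "missing" rather
    than silently passing: a control the assessor cannot see is not satisfied.
    """
    findings: List[Finding] = []
    for rule in baseline:
        if rule.setting not in observed:
            findings.append(Finding(rule.id, rule.setting, "missing",
                                    None, rule.expected, rule.severity))
            continue
        value = observed[rule.setting]
        ok = OPERATORS[rule.operator](value, rule.expected)
        findings.append(Finding(rule.id, rule.setting, "pass" if ok else "fail",
                                value, rule.expected, rule.severity))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Any]:
    """Count findings by status; a host conforms only if nothing fails or is missing."""
    counts: Dict[str, Any] = {"pass": 0, "fail": 0, "missing": 0}
    for f in findings:
        counts[f.status] += 1
    counts["conforms"] = counts["fail"] == 0 and counts["missing"] == 0
    return counts


def report(findings: List[Finding]) -> str:
    """Render findings as one line per rule for a human-readable report."""
    return "\n".join(
        f"{f.rule_id:8} {f.status:8} {f.setting} "
        f"observed={f.observed!r} expected={f.expected!r} [{f.severity}]"
        for f in findings
    )


# Constructed baseline (hypothetical rule ids and values, not FDCC content).
SAMPLE_BASELINE: List[Rule] = [
    Rule("EX-001", "password_min_length", "at_least", 12, "high"),
    Rule("EX-002", "account_lockout_threshold", "at_most", 5, "medium"),
    Rule("EX-003", "guest_account_enabled", "equals", False, "high"),
    Rule("EX-004", "audit_logon_events", "in", ("success_and_failure",), "medium"),
    Rule("EX-005", "screen_lock_timeout_seconds", "at_most", 900, "low"),
]

# Constructed observation of one desktop; the screen-lock setting is
# deliberately absent to show the "missing" path.
SAMPLE_HOST: Dict[str, Any] = {
    "password_min_length": 8,
    "account_lockout_threshold": 5,
    "guest_account_enabled": False,
    "audit_logon_events": "success_only",
}

if __name__ == "__main__":
    results = evaluate(SAMPLE_BASELINE, SAMPLE_HOST)
    print(report(results))
    print(summarize(results))
```

Run it as a script to see the per-rule report; the sample host fails two rules, passes two, and has one unobserved control, so it does not conform to the constructed baseline.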
More later on some public-facing actions in the DoD space.