Friday, March 23, 2007

Whitehouse Directive 2

SANS just posted more info - there are now links to these documents which didn't exist up to yesterday (I've been checking daily).

The White House posted a second memo last night, confirming its mandate that all federal agencies must use secure configurations if they choose to deploy systems that run Windows Vista or XP. The latest memo was signed by the top executive in US government management, Deputy Director of OMB, Clay Johnson and is posted at the White House site, . The original (March 20) memo from Karen Evans to Federal CIOs is now posted at .

This initiative matters because it provides the incentive ($65 billion in US government IT purchasing each year) and confidence (agreed upon
configurations) to allow every software vendor to ensure and affirm the software they sell works on the secure configurations. That takes the pain out of secure configuration and rapid patching.

On April 11, federal CIOs and their senior staff will be briefed by the Air Force and OMB and NSA seniors on how to take advantage of the new mandate, and the lessons learned in the Air Force pilot implementation involving 575,000 computers. We will ask permission to make the essence of those briefings available to the entire security community, because this initiative will affect every medium and large buyer of computers running Windows software.

Also, the "SSLF" configuration standards referred to in the original SANS posting are for the "Specialist Security - Low Functionality" security templates produced by Microsoft for both XP and Vista.

Links to both the "Windows XP Security Guide" and "Windows Vista Security Guide" can be found here:

No comments: