Wednesday, March 21, 2007

Whitehouse Directive: All systems acquisitions must run on Hardened Configurations

I can't seem to find a link at either DHS or Whitehouse.gov sites yet, but SANS released this information yesterday:


FLASH ANNOUNCEMENT: The White House just released (at 9 AM Tuesday, March 20) a directive to all Federal CIOs, requiring that all new IT system acquisitions, beginning June 30, 2007, use a common secure configuration and, even more importantly, requiring information technology providers (integrators and software vendors) to certify that the products they deliver operate effectively using these secure configurations. This initiative builds on the pioneering "comply or don't connect" program of the US Air Force; it applies to both XP and Vista, and comes just in time to impact application developers building applications for Windows Vista, but impacts XP applications as well. No VISTA application will be able to be sold to federal agencies if the application does not run on the secure version (SSLF) of Vista. XP application vendors will also be required to certify that their applications run on the secure configuration of Windows XP. The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money.
The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now.
Alan

PS. SANS hasn't issued a FLASH announcement in more than two years. IOW this White House action matters.


This is hugely significant to the security industry. It means that any vendor with a hope in hell of selling their product to US Federal Agencies of any sort must certify that their software will run under the US Gov't's secured platform configurations. While I believe June 30, 2007 is too short for many existing projects to possibly accommodate (some acquisitions will occur that don't fulfill this directive), this is a MASSIVE step in the right direction - sorry, I just can't emphasize enough how I feel on this topic :)

This will have a direct impact outside US Gov't as well, especially on enterprises that typically use many of the same tools as government, and might (gasp!) finally allow Microsoft to ship their default installations in a truly hardened mode - currently they still "tone down" some settings for compatibility or end-user usability reasons.

I wholeheartedly agree with Alan Paller: "Clay Johnson and Karen Evans...deserve kudos from everyone who cares about improving cyber security now"

...Let the vendor-scramble begin... :)

2 comments:

Anonymous said...

Is there anywhere in cyberspace where the Hardened requirements are spelled out in detail? I would love to see how Hard these systems are going to be locked down.

Just found your blog from this story, and I look forward to looking through it (as a newcomer to Information Security).

rG0d (CISSP, GCIH, GEEK) said...

The "SSLF" configuration standards referred to in the SANS posting are for the "Specialist Security - Low Functionality" security templates produced by Microsoft for both XP and Vista. Links to both the "Windows XP Security Guide" and "Windows Vista Security Guide" can be found here: http://www.microsoft.com/technet/security/guidance/default.mspx

I still haven't been able to find a link to the actual memo, which apparently came out of the Office of Management and Budget, but this SANS posting is confirmed by a few other news postings:
http://www.govexec.com/dailyfed/0307/032007p2.htm
http://www.fcw.com/article97974-03-19-07-Web

Based on these postings, it seems the scope is limited to Desktop/Laptop Operating Systems only (not server).

If anyone does find a link to the actual memo, I'd appreciate if you'd drop a comment, and I'll post it immediately.