The Computer Security Division at NIST has established a new webpage to support the requirements of the OMB mandate related to the FDCC: http://csrc.nist.gov/fdcc/. While NIST is hosting this site, the content there includes valuable contributions from a variety of federal agencies as well as Microsoft. There’s a detailed FAQ that will answer many questions you are likely to have, and there is a link to the downloads page with detailed documentation, group policy objects that you can import into your own Active Directory domain for testing and deployment, evaluation copies of Windows Vista and Windows XP on Virtual PC virtual disk files that are pre-configured with the FDCC settings, and SCAP content. The Security Content Automation Protocol, or SCAP, is a collaborative effort between NIST, the NSA, and industry to develop standards for defining security configuration settings, vulnerabilities, patches, etc., which can then be used to check for compliance or to enforce settings. NIST plans to update the FAQ periodically and publish additional resources as they become available.
The OMB also issued a new memo on July 31st, M-07-20, but it isn’t available on their website yet. The memo announces the availability of the resources on NIST’s website and clarifies a few additional requirements.
This is a tremendous accomplishment: all of the federal agencies involved in this effort have demonstrated agility, flexibility, and a strong desire to collaborate. I think it's amazing that they were able to come to agreement on the details and accomplish so much so quickly. Think about it: it's just a little over 4 months since the original mandate was published, and NIST has already made available the information and tools agencies need to meet it. Microsoft has been happy to assist in this broad effort and looks forward to continuing to support the US government in its efforts to strengthen the security of computer networks.