Enabling Federal Desktop Core Configuration in the Cloud
In March 2007, the Office of Management and Budget (OMB) Memorandum M-07-11 announced the "Implementation of Commonly Accepted Security Configurations for Windows Operating Systems," directing agencies that have Windows XP deployed and/or plan to upgrade to the Windows Vista operating system to adopt the Federal Desktop Core Configuration (FDCC) security configurations. On June 20, 2008, the National Institute of Standards and Technology (NIST) published the updated FDCC Major Version 1.0 settings release. FDCC comprises settings that can be checked using the updated Security Content Automation Protocol (SCAP) content and SCAP-validated tools with FDCC Scanning capability, as specified by NIST.
Both industry and government information technology providers must use SCAP-validated tools with FDCC Scanner capability to certify that their products operate correctly with FDCC configurations and do not alter FDCC settings. Agencies will use SCAP tools to scan for both FDCC configurations and configuration deviations approved by the department or agency accrediting authority. Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring.
The QualysGuard® FDCC module is the first certified cloud-based solution for FDCC compliance. FDCC requires federal agencies to standardize the configuration of desktop computer systems to strengthen IT security. The QualysGuard® FDCC module allows federal agencies to scan and report compliance with the FDCC requirements through a centralized, integrated solution leveraging the QualysGuard Software-as-a-Service (SaaS) architecture. The QualysGuard Scanner Appliances support FDCC scanning for internal systems on a global scale.
The QualysGuard® FDCC module is validated by NIST as conforming to SCAP and its component standards. The QualysGuard® FDCC Module supports the following SCAP content:
- Windows XP
- Windows XP Firewall
- Windows Vista
- Windows Vista Firewall
- Internet Explorer 7
Standardize, Validate, and Certify Federal IT Security
Federal IT security groups are under constant pressure to standardize and certify their existing Windows XP and Windows Vista desktops against the FDCC requirements. In addition, many agencies lack the resources to manage the FDCC requirements.
Using QualysGuard® FDCC, an agency can reduce the resources required to validate and certify the Federal Desktop Core Configuration requirements. The QualysGuard FDCC module provides an efficient and automated workflow that allows Federal IT security professionals to:
- Import or upload FDCC checklists using published SCAP content.
- Provide proof that the FDCC requirements have been operationalized.
- Certify compliance with FDCC requirements.
The QualysGuard FDCC module extends the global scanning capabilities of QualysGuard Policy Compliance to evaluate assets across the enterprise against published SCAP content, so that the FDCC requirements can be validated and certified.
Features of QualysGuard Federal Desktop Core Configuration Module
- Import FDCC Checklists from Controls Library. QualysGuard maintains a "policy" library for FDCC checklists. This library is updated continually as new checklists are added and revised by the National Institute of Standards and Technology (NIST). The QualysGuard FDCC Module supports FDCC checklists for the following technologies:
  - Windows XP
  - Windows XP Firewall
  - Windows Vista
  - Windows Vista Firewall
  - Internet Explorer 7
- Create Custom FDCC Checklists. The QualysGuard FDCC Module allows users to create user-defined FDCC checklists by uploading a custom SCAP content file.
- Automate Detection of Checklist Violations. QualysGuard's external and internal scanners safely and accurately measure compliance against the technical controls specified in your policies. Scans can be set up to run automatically, or on demand whenever new network devices are introduced or configurations are updated. Automated FDCC scanning uses the same QualysGuard infrastructure used for vulnerability and policy compliance scanning.
- Measure and Document Compliance with Detailed Reports. Intuitive and easy-to-read reports provide detailed technical analysis of compliance, executive-level summaries, and certification reports. Customize your own reports, or use the following template-based and interactive reports:
  - Scorecard Report provides full compliance status with a specific FDCC policy.
  - Individual Host Report identifies the compliance status for a specific host.
  - Rule Pass/Fail Report identifies pass/fail status for a specific rule.
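The three report views above are all derived from the same underlying artifact: XCCDF TestResult elements, the result format that SCAP-validated scanners emit when they evaluate a host against an FDCC checklist. The following Python is an added example, not Qualys code, that parses a constructed XCCDF 1.1 result document and builds the scorecard, per-host and per-rule views from it. The rule ids, host names and the set of approved deviations are hypothetical; the deviation handling reflects the point made earlier that agencies scan for both FDCC settings and deviations approved by their accrediting authority, which must be reported but should not be counted as failures.

```python
"""Build scorecard, per-host and per-rule views from XCCDF 1.1 TestResult data.

Added example, not Qualys code. SAMPLE_RESULTS is constructed sample data;
the rule ids and host names are hypothetical.
"""
from collections import Counter, defaultdict
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed sample: two hosts scanned against one FDCC-style benchmark.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="fdcc-winxp-sample">
  <TestResult id="xccdf_result_hostA">
    <target>hostA.example.gov</target>
    <rule-result idref="password_length"><result>pass</result></rule-result>
    <rule-result idref="account_lockout"><result>fail</result></rule-result>
    <rule-result idref="firewall_enabled"><result>pass</result></rule-result>
    <rule-result idref="ipv6_disabled"><result>notapplicable</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_result_hostB">
    <target>hostB.example.gov</target>
    <rule-result idref="password_length"><result>fail</result></rule-result>
    <rule-result idref="account_lockout"><result>fail</result></rule-result>
    <rule-result idref="firewall_enabled"><result>error</result></rule-result>
    <rule-result idref="ipv6_disabled"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Hypothetical set of rules the accrediting authority has approved as deviations.
APPROVED_DEVIATIONS = {"account_lockout"}

REPORTED = ("pass", "fail", "deviation")  # buckets shown explicitly in reports


def parse_results(xml_text):
    """Return {target: {rule_id: result}} for every TestResult in the document."""
    root = ET.fromstring(xml_text)
    results = {}
    for tr in root.iter("{%s}TestResult" % XCCDF_NS):
        host = tr.findtext("x:target", default=tr.get("id"), namespaces=NS)
        results[host] = {
            rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS)
            for rr in tr.findall("x:rule-result", NS)
        }
    return results


def classify(rule_id, result, deviations):
    """A 'fail' on an approved-deviation rule is reported as 'deviation', not 'fail'."""
    if result == "fail" and rule_id in deviations:
        return "deviation"
    return result


def host_report(results, deviations=frozenset()):
    """Individual Host view. A host is compliant only when no rule failed without an
    approved deviation and no rule came back error/unknown (unevaluated is not proven)."""
    report = {}
    for host, rules in results.items():
        counts = Counter(classify(r, res, deviations) for r, res in rules.items())
        other = sum(n for k, n in counts.items() if k not in REPORTED)
        report[host] = {
            "pass": counts["pass"], "fail": counts["fail"],
            "deviation": counts["deviation"], "other": other,
            "compliant": counts["fail"] == 0 and counts["error"] == 0 and counts["unknown"] == 0,
        }
    return report


def rule_report(results, deviations=frozenset()):
    """Rule Pass/Fail view: which hosts pass, fail, or are covered by a deviation."""
    by_rule = defaultdict(lambda: {"pass": [], "fail": [], "deviation": [], "other": []})
    for host, rules in results.items():
        for rule_id, res in rules.items():
            cls = classify(rule_id, res, deviations)
            by_rule[rule_id][cls if cls in REPORTED else "other"].append(host)
    return dict(by_rule)


def scorecard(results, deviations=frozenset()):
    """Scorecard view for the whole policy. Only pass/fail count toward the pass rate;
    error/unknown are surfaced separately so an auditor sees rules that were not evaluated."""
    hosts = host_report(results, deviations)
    totals = Counter()
    for rules in results.values():
        for rule_id, res in rules.items():
            totals[classify(rule_id, res, deviations)] += 1
    scored = totals["pass"] + totals["fail"]
    return {
        "hosts_total": len(hosts),
        "hosts_compliant": sum(h["compliant"] for h in hosts.values()),
        "rule_pass_rate": totals["pass"] / scored if scored else 0.0,
        "unevaluated": totals["error"] + totals["unknown"],
        "deviations": totals["deviation"],
    }


if __name__ == "__main__":
    parsed = parse_results(SAMPLE_RESULTS)
    print("scorecard:", scorecard(parsed, APPROVED_DEVIATIONS))
    for host, row in host_report(parsed, APPROVED_DEVIATIONS).items():
        print("host:", host, row)
    for rule, row in rule_report(parsed, APPROVED_DEVIATIONS).items():
        print("rule:", rule, row)
```

Two design choices matter for an auditor. First, an approved deviation is never silently folded into "pass": it is carried as its own bucket so the report still shows which settings differ from the published checklist. Second, scanner "error" and "unknown" results are excluded from the pass rate and block a host from being called compliant; a rule the scanner could not evaluate is not evidence that the setting is correct.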
Benefits of QualysGuard Federal Desktop Core Configuration Module
- A Trusted Third Party that yields reliable data. Because all host compliance data and policies are securely stored by QualysGuard and not subject to manipulation, auditors trust the integrity and accuracy of the information and resulting QualysGuard reports.
- Deployment and Scalability are extremely important when diverse security and compliance teams are scattered across the globe. SaaS is best suited to support geographically dispersed teams that may be responsible for security and compliance for the entire enterprise or only one small part. Scheduled compliance scans can be run against specific parts of the enterprise at specific times, allowing for continuous scanning for security and compliance issues. SaaS removes scalability as a total cost of ownership (TCO)
- Agentless solutions speed deployment and cost less to manage over time. Remediating configuration issues is not complicated by having to remediate problems with the software agents that collect configuration data. Hosts with malfunctioning software agents cannot be counted as compliant in compliance reports.
- The subscription-based SaaS model allows the customer to control the security and compliance solution without the sunk costs associated with purchasing, licensing and supporting software-based products. The entire service is priced per host and there are no hidden costs. This is in stark contrast to solutions that comprise a management console, data collection agents, databases, add-on modules for compliance reporting and, in some cases, a separate product that manages selected compliance policies. Simplified deployment, a reliable gold standard of reporting, and overall lower TCO are the primary benefits of the subscription-based SaaS approach.
- Role-based Access to data is critical to an organization made up of IT teams that all have some role to play in the security and compliance process. The roles played by all security and compliance teams—IT operations, security and vulnerability management, internal audit and configuration management—need to be supported.

