The U.S. federal government has launched a program that will require federal agencies to insist on security standards from suppliers, a move that some argue will have a far-reaching impact on most large and medium-sized organizations buying PCs.
The government confirmed the move in a memo late last month and will roll the program out in several stages during the course of this year. By Feb. 1 of next year, all federal agencies will be required to use secure software configurations when they deploy Windows XP or Vista.
The scheme matters to the outside world because software suppliers who want to sell to the U.S. government will have to certify that their equipment works on operating systems set up to work securely, said Alan Paller, director of research at the Sans Institute security research center, in a recent memo.
Currently, organizations have no way of knowing in advance whether securely configuring Windows will break their applications. The new U.S. government program could make things simpler for IT managers by providing clearly understood standard security configurations that are backed up by the federal government's purchasing power, Paller said.
"It provides the incentive (US$65 billion in U.S. government IT purchasing each year) and confidence (agreed upon configurations) to allow every software vendor to ensure and affirm the software they sell works on the secure configurations," he wrote. "That takes the pain out of secure configuration and rapid patching."
Paller said secure configurations could slow the spread of botnets, reduce patching delays and stop many attacks directly.
"This initiative will affect every medium and large buyer of computers running Windows software," Paller wrote.
Other industry observers have cautioned against considering secure configurations a panacea. Indeed, Microsoft's attempt to make Vista more secure by default has met with a rocky debut, with widespread criticisms of its implementation of User Account Control (UAC).
UAC is designed to allow user accounts on Windows to run as non-administrators by default, but has introduced so many additional problems that some have said it is worse than useless.
"These configurations were developed in collaboration with the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and Microsoft," wrote Karen Evans, administrator with the Office of E-Government and Information Technology, in the memo last month. "These same organizations recently established common security configurations for Microsoft Vista."
On April 11, federal chief information officers will be briefed by the Air Force, which has been piloting the secure configurations. Later in the month, the government will begin making securely configured images available.
The federal Office of Management and Budget (OMB) memo on the new program is available from the White House's website.