
Federal Desktop Core Configuration
FDCC

FDCC Technical FAQs - 2008.01.28

  1. Is FDCC applicable to special purpose (e.g., scientific, medical, process control, and experimental systems) computers?
  2. Is FDCC applicable to Windows XP and Vista computers used as servers?
  3. Does the FDCC baseline apply only to desktop systems?
  4. Is FDCC applicable to contractor computers?
  5. Does the password policy apply only to local accounts?
  6. Is FDCC applicable to domain accounts (versus local)?
  7. Does the password policy apply to Windows XP and Vista only or is it also applicable to all applications installed on the XP and Vista systems?
  8. Must my administrator account be renamed to "Renamed_Admin"?
  9. One of the FDCC settings does not allow the installation of unsigned device drivers. In order to be compliant, do we need to remove unsigned device drivers that are already installed on general purpose computing devices?
  10. FDCC settings prohibit wireless. Are there any conditions under which wireless is allowed? Airport? Hotel? We have implemented wireless within our enterprise. Do I really need to disable wireless? What if I am using a third-party wireless client?
  11. Does the system need to have IE7 installed to be FDCC compliant?
  12. How does FDCC relate to FISMA compliance and SP 800-53?
  13. How do I report compliance and deviations? To whom do I report that information? Is there a specific reporting format?
  14. Where can I find a centralized list of FDCC compliant applications?
  15. Are there currently any SCAP-validated tools?
  16. Is checking FDCC settings 100% automated through SCAP? Will manual assessment methods be required?
  17. Will scans based on SCAP checklists produce results with 100% of all checks passing?
  18. Must I use WinZip to reassemble the segmented VHD files? What if I don't have WinZip?
  19. What is documentation version 1.0.1? Were there any changes to the FDCC settings in this documentation?
  20. What versions and Service Pack levels of XP and Vista does FDCC apply to?
  21. What tools are used to edit the XML SCAP data and GPOs?
  22. FDCC settings prohibit escalated privileges from being granted to ordinary end-users. What is considered an escalated privilege?
  23. Does the SCAP Content & GPOs for FDCC cover 100% of the FDCC settings? If not what is missing and why?
  24. I am responsible for implementing FDCC in my organization. I have many questions and concerns. Who is the correct person for me to call?


1. Is FDCC applicable to special purpose (e.g., scientific, medical, process control, and experimental systems) computers?


The primary targets of FDCC are general-purpose systems such as managed desktops and laptops. Embedded computers, process control systems, specialized scientific or experimental systems, and similar systems using Windows XP or Vista are out of scope for FDCC. Of course, such systems still require appropriate protection and application of sound risk management principles. In general, the owners of such systems should still examine the FDCC security configuration for applicability where feasible and appropriate.



2. Is FDCC applicable to Windows XP and Vista computers used as servers?

No, Windows XP and Vista computers not categorized as desktops or laptops are out of scope for FDCC.



3. Does the FDCC baseline apply only to desktop systems?


FDCC applies to both desktops and laptops that are deployed and connected directly to the organization's network.



4. Is FDCC applicable to contractor computers?

Yes, Windows XP and Vista computers that are owned or operated by a contractor on behalf of or for the USG or are integrated into a Federal system are subject to FDCC.



5. Does the password policy apply only to local accounts?


No, the password policy applies to both local and domain accounts.



6. Is FDCC applicable to domain accounts (versus local)?


Yes, FDCC is applicable to any domain configurations that manifest themselves in local FDCC settings. For instance, password length managed at the domain level manifests itself at each desktop and laptop. Therefore, password length, whether managed via domain or locally, is subject to FDCC.



7. Does the password policy apply to Windows XP and Vista only or is it also applicable to all applications installed on the XP and Vista systems?


On a Windows XP or Vista system, any system components, applications, or utilities that use the XP or Vista authentication mechanism, in particular the user's Windows authentication token, should comply with the FDCC password policy. This will leave out third-party applications such as Web applications and client applications that use a separate security token for authentication.
For example, my Windows authentication token allows me to gain logical access to my desktop, email account, calendaring software, etc. It will comply with the FDCC password policy. I use a distinct authentication token to run a Web application to connect to a travel management system, an enterprise application, or a Federal employee benefits or retirement system. In these cases, my authentication token will comply with the policy instituted on the specific server and services that I am trying to use.



8. Must my administrator account be renamed to "Renamed_Admin"?


No, alternate names are fine. In fact, we suggest you discard "Renamed_Admin" and use something unique.



9. One of the FDCC settings does not allow the installation of unsigned device drivers. In order to be compliant, do we need to remove unsigned device drivers that are already installed on general purpose computing devices?


Strictly speaking, yes, you need to remove unsigned device drivers to be compliant on general purpose computing devices. That said, it is understood that certain unsigned device drivers may be critical to business/mission IT. Any unsigned device drivers that are critical to your operation must be annotated as business/mission critical deviations.



10. FDCC settings prohibit wireless. Are there any conditions under which wireless is allowed? Airport? Hotel? We have implemented wireless within our enterprise. Do I really need to disable wireless? What if I am using a third-party wireless client?


The FDCC wireless setting specifies that all wireless interfaces should be disabled. The intention of the recommendation is not to prevent or prohibit wireless use, but to reduce the exposure of wireless-equipped devices accidentally connecting to insecure (e.g., unencrypted) and unauthorized wireless access points and end-users purposefully connecting to insecure and unauthorized wireless access points. Wireless configuration for authorized enterprise wireless networks should be documented and reflected in the organization's FDCC deviation report.
Third-party wireless clients still utilize the wireless interface of the Windows XP or Vista operating system. Therefore, they are subject to the logic above.



11. Does the system need to have IE7 installed to be FDCC compliant?


Internet Explorer 7.0 is a built-in component of Windows Vista and is delivered to Windows XP as an operating system update; FDCC treats it as part of the operating system on both. For this reason, it needs to be installed and configured according to FDCC settings for all Windows XP and Vista computers. Organizations may use other browsers and if they do, they should use the inherent security features those browsers provide.



12. How does FDCC relate to FISMA compliance and SP 800-53?


In addition to the FDCC reporting associated with the February 2008 deadline, FDCC will be reported through the Configuration Management controls of FISMA. SCAP-validated tools can process the mapping, contained within the SCAP data files provided by NIST, between FDCC settings and SP 800-53 security controls. This mapping enables automated compliance reporting on select SP 800-53 security controls.



13. How do I report compliance and deviations? To whom do I report that information? Is there a specific reporting format?


OMB policy recognizes that agencies may determine that settings in the FDCC are not practical. In the March 20th memorandum to Chief Information Officers, OMB instructed agencies to provide documentation to NIST of any deviations from the FDCC and the rationale for doing so. Report FDCC compliance through your organization's CIO hierarchy. An agency or department CIO must report compliance for that organization. Compliance is expressed as roll-up numbers of compliant versus non-compliant computers. For non-compliant computers, CIOs must provide a representative sample of SCAP-based (XCCDF version 1.1.4) assessment reports. The FDCC XML reporting format is located at http://nvd.nist.gov/scap/content/fdcc-reporting_20080127.zip. Additional guidance will be forthcoming. This information should be sent to OMB at fisma@omb.eop.gov with a carbon copy to NIST at fdcc@nist.gov by March 31, 2008. NIST will perform trend analysis on all Federal data and present findings to OMB.
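Questions 12 and 13 above describe the report an agency has to produce: roll-up counts of compliant versus non-compliant computers, backed by XCCDF 1.1.4 assessment results, with the SP 800-53 mapping carried inside the SCAP content. The Python below is an added example and is not part of this FAQ or of the NIST SCAP content. It parses a constructed XCCDF 1.1.4 document (the XCCDF 1.1 namespace is the real one; the rule ids, titles, reference href and control identifiers are made up for illustration, and the assumption that each Rule's `<reference>` text is the control identifier is this example's own) and produces the roll-up, setting aside rules still marked `notchecked` for the manual assessment that question 16 says a small subset of settings requires.

```python
"""Roll an XCCDF 1.1.4 TestResult up into the compliant / non-compliant
figures an FDCC report asks for, and attach the SP 800-53 control references
that the benchmark carries on each Rule. Offline: operates on an XML string."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # namespace used by XCCDF 1.1.x
NS = {"x": XCCDF_NS}

# How each XCCDF 1.1.4 <result> value feeds the roll-up. The grouping is this
# example's policy choice: results the scanner could not evaluate count as
# non-compliant until resolved, and 'notchecked' is set aside for the manual
# assessment that a small subset of FDCC settings still needs.
COMPLIANT = {"pass", "fixed"}
NONCOMPLIANT = {"fail", "error", "unknown"}
MANUAL = {"notchecked"}
EXCLUDED = {"notapplicable", "notselected", "informational"}

# Constructed sample: three Rules and one TestResult. Rule ids, titles, the
# reference href and the control identifiers are illustrative, not FDCC content.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="sample-benchmark">
  <Rule id="minimum-password-length" selected="true">
    <title>Minimum password length</title>
    <reference href="http://example.gov/sp800-53">IA-5</reference>
  </Rule>
  <Rule id="anonymous-sid-name-translation" selected="true">
    <title>Network access: Allow anonymous SID/Name translation</title>
    <reference href="http://example.gov/sp800-53">AC-3</reference>
  </Rule>
  <Rule id="wireless-interfaces-disabled" selected="true">
    <title>Disable wireless interfaces</title>
    <reference href="http://example.gov/sp800-53">AC-18</reference>
  </Rule>
  <TestResult id="result-host1" end-time="2008-02-15T10:00:00">
    <target>host1.example.gov</target>
    <rule-result idref="minimum-password-length"><result>pass</result></rule-result>
    <rule-result idref="anonymous-sid-name-translation"><result>notchecked</result></rule-result>
    <rule-result idref="wireless-interfaces-disabled"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def rule_controls(xml_text):
    """Map each Rule id to the control ids in its <reference> elements. Assumes,
    as this sample does, that the control id is the element's text."""
    root = ET.fromstring(xml_text)
    return {rule.get("id"): [r.text.strip() for r in rule.iterfind("x:reference", NS) if r.text]
            for rule in root.iterfind(".//x:Rule", NS)}


def rule_results(xml_text):
    """Return {target: {rule_id: result}} for every TestResult in the document."""
    root = ET.fromstring(xml_text)
    out = {}
    for tr in root.iterfind(".//x:TestResult", NS):
        target = (tr.findtext("x:target", default=tr.get("id"), namespaces=NS) or "").strip()
        out[target] = {rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS).strip()
                       for rr in tr.iterfind("x:rule-result", NS)}
    return out


def bucket(result):
    """Classify one result value; anything outside the 1.1.4 vocabulary is treated as unknown."""
    for name, values in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT),
                         ("manual", MANUAL), ("excluded", EXCLUDED)):
        if result in values:
            return name
    return "noncompliant"


def summarize_host(per_rule):
    """Bucket counts for one host, plus whether it counts as compliant: no check
    failed and nothing is still waiting on manual verification."""
    buckets = Counter(bucket(r) for r in per_rule.values())
    return dict(buckets), buckets["noncompliant"] == 0 and buckets["manual"] == 0


def rollup(xml_text):
    """Agency-style roll-up: compliant vs non-compliant host counts, the rules
    left for manual assessment, and the 800-53 controls touched by failures."""
    controls, hosts = rule_controls(xml_text), rule_results(xml_text)
    report = {"compliant_hosts": 0, "noncompliant_hosts": 0,
              "manual_rules": set(), "failed_controls": set(), "hosts": {}}
    for target, per_rule in hosts.items():
        buckets, ok = summarize_host(per_rule)
        report["compliant_hosts" if ok else "noncompliant_hosts"] += 1
        report["hosts"][target] = buckets
        for rule_id, result in per_rule.items():
            if result in MANUAL:
                report["manual_rules"].add(rule_id)
            elif result in NONCOMPLIANT:
                report["failed_controls"].update(controls.get(rule_id, []))
    return report
```

To use it against real scanner output, pass the contents of the XCCDF results file to `rollup()` in place of `SAMPLE_XCCDF`. The four result sets at the top are the one place where policy enters: if your CIO office counts `notchecked` rules as compliant once a manual check is recorded, move that value rather than editing the functions.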



14. Where can I find a centralized list of FDCC compliant applications?


IT product vendors are actively testing their applications for compliance with the FDCC baseline, and information on compliance will be made available at the vendors' sites. Agencies are welcome to share FDCC compliance testing information with the understanding that each individual CIO is responsible for fulfilling the requirements in OMB Memorandum M-07-18.



15. Are there currently any SCAP-validated tools?


A list of SCAP validated tools is available at http://nvd.nist.gov/scapproducts.cfm



16. Is checking FDCC settings 100% automated through SCAP? Will manual assessment methods be required?


SCAP automates the assessment process for nearly all of the FDCC settings. NIST is actively working to extend the coverage of the automated tests. However, manual methods will be needed to verify a very small subset of the FDCC settings. Automated versus manual tests are annotated in the FDCC settings documentation at http://nvd.nist.gov/fdcc/download_fdcc.cfm.



17. Will scans based on SCAP checklists produce results with 100% of all checks passing?


At present, there are a number of discrepancies with the existing SCAP content. NIST is actively working to improve the accuracy of the tests as represented in the SCAP data stream, and the updated content will be released in December. Please refer to the NIST FDCC download page for the FDCC SCAP results.



18. Must I use WinZip to reassemble the segmented VHD files? What if I don't have WinZip?


To enable more manageable download of the multi-gigabyte virtual images, NIST elected to provide WinZip segmented files. To the best of our knowledge, these files can only be re-assembled with WinZip. Agency/department representatives who prefer a non-segmented virtual machine image can write to fdcc@nist.gov with their affiliation and a shipping address. Once affiliation is confirmed, a non-segmented virtual machine image will be shipped on a DVD to your attention.



19. What is documentation version 1.0.1? Were there any changes to the FDCC settings in this documentation?


The settings document version 1.0.1 contains two settings that were in the version 1.0 virtual machine image and Group Policy Objects, but were not annotated in the version 1.0 documentation. Those two settings have been added. This does not represent a change to FDCC, just an omission in the original settings document. Also, the version 1.0.1 documentation contains additional information such as the description field and registry keys. For additional update information, please refer to the change history tab included in the documentation.



20. What versions and Service Pack levels of XP and Vista does FDCC apply to?


It is the intention for the FDCC to apply to Windows XP Professional and Vista Enterprise, Business, and Ultimate with the most current service pack or security patches.



21. What tools are used to edit the XML SCAP data and GPOs?


XML Notepad 2007 and gpedit.msc, respectively. Other open-source or commercial XML editors can be used to edit the SCAP content.



22. FDCC settings prohibit escalated privileges from being granted to ordinary end-users. What is considered an escalated privilege?


Any privilege that is not a default user right in XP or Vista is considered under the FDCC as an escalated privilege. The security inherent in FDCC relies partly on the fact that typical users are only assigned standard user rights. Assigning any additional rights to typical users or user groups circumvents this layer of security by allowing users to run with escalated privileges. Assigning "Administrative" or "Power User" roles are two examples of escalating the privileges of the user.



23. Does the SCAP Content & GPOs for FDCC cover 100% of the FDCC settings? If not what is missing and why?


No, there are a small number of settings that cannot be automated at this time. These settings are listed below:

Settings not checked by SCAP content:

  • Vista Firewall
    • IPv6 Block of Protocol 41
    • IPv6 Block of UDP 3544
  • Windows XP
    • Network access: Allow anonymous SID-Name translation
  • Windows Vista
    • Network access: Allow anonymous SID-Name translation
Settings not implemented through Group Policy Objects:
  • Vista
    • Configure Microsoft Spynet Reporting
    • Disable ISATAP, Teredo, and 6to4 tunneling protocols
    • All 47 Vista audit policy settings (contained in "FDCC Other Settings\Audit Policy Group")
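The settings listed above as not checked by the SCAP content still have to be verified by hand (see also question 16). For the two "Allow anonymous SID-Name translation" entries, one offline route is to export the local security database with `secedit /export /cfg <file>` and read the `[System Access]` section, where the setting appears as `LSAAnonymousNameLookup`; the same export carries the renamed administrator account (question 8) and the effective password policy (questions 5 to 7). The Python below is an added example and not a NIST tool. It parses a constructed export (not taken from a real system), handles secedit's default UTF-16 output as well as ANSI files, and flags the items that miss the expected values. `MIN_PASSWORD_LENGTH` is a placeholder for the number in your FDCC settings document, and treating `LSAAnonymousNameLookup = 0` as the compliant state is this example's assumption, since the FAQ does not state the expected value.

```python
"""Check a `secedit /export /cfg <file>` security template for FDCC items the
SCAP content does not evaluate automatically. Offline: takes the exported
bytes, so it can run against a file copied off the target machine."""
import configparser


def decode_template(data):
    """secedit writes its export as UTF-16 with a byte-order mark by default;
    hand-edited or older .inf files may be ANSI. Accept both."""
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252")


def parse_template(data):
    """Parse the INF-style export into {section: {key: value}}, keeping key
    case and stripping the quotes secedit puts around string values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(decode_template(data))
    return {s: {k: v.strip().strip('"') for k, v in cp.items(s)} for s in cp.sections()}


# Expected values for the manual checks. LSAAnonymousNameLookup = 0 is taken
# here (assumption) as the disabled state of "Network access: Allow anonymous
# SID/Name translation". The administrator account must be neither the default
# name nor the "Renamed_Admin" placeholder. MIN_PASSWORD_LENGTH stands in for
# the value in your FDCC settings document; it is not a number from the FAQ.
MIN_PASSWORD_LENGTH = 12   # assumption / placeholder


def check_template(data, min_password_length=MIN_PASSWORD_LENGTH):
    """Return a list of (setting, observed value, passed) tuples."""
    access = parse_template(data).get("System Access", {})
    lookup = access.get("LSAAnonymousNameLookup")
    admin = access.get("NewAdministratorName")
    length = access.get("MinimumPasswordLength")
    return [
        ("LSAAnonymousNameLookup", lookup, lookup == "0"),
        ("NewAdministratorName", admin,
         admin not in (None, "", "Administrator", "Renamed_Admin")),
        ("MinimumPasswordLength", length,
         length is not None and length.isdigit() and int(length) >= min_password_length),
    ]


def failing(findings):
    """Names of the settings that did not meet the expected value."""
    return [name for name, _, ok in findings if not ok]


# Constructed sample export (not from a real system), encoded the way secedit
# writes it: UTF-16 LE with a BOM and CRLF line endings. Anonymous SID/Name
# lookup is still enabled and the "Renamed_Admin" placeholder was left in place.
SAMPLE_EXPORT = (
    "\ufeff"
    "[Unicode]\r\nUnicode=yes\r\n"
    "[System Access]\r\n"
    "MinimumPasswordAge = 1\r\n"
    "MaximumPasswordAge = 60\r\n"
    "MinimumPasswordLength = 12\r\n"
    "PasswordComplexity = 1\r\n"
    "LSAAnonymousNameLookup = 1\r\n"
    'NewAdministratorName = "Renamed_Admin"\r\n'
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
).encode("utf-16-le")
```

On the target, `secedit /export /cfg C:\fdcc-export.inf` produces the file; read it in binary mode and hand the bytes to `check_template()`. Because the export reflects the effective local security database, a password length pushed down by domain Group Policy shows up here just as a locally managed one does, which is the behaviour question 6 describes.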



24. I am responsible for implementing FDCC in my organization. I have many questions and concerns. Who is the correct person for me to call?


Please review the FDCC FAQs and send your inquiries to fdcc@nist.gov.



Please send comments if your questions were not answered here.




Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.


Last updated: June 20, 2008
Page created: July 22, 2007

Send comments or suggestions to itsec@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration