FDCC - Information for IT Administrators

Introduction

The FDCC, an OMB (U.S. Office of Management and Budget) mandate, requires that all Federal Agencies standardize the configuration of approximately 300 settings on each of their Windows XP and Vista Computer. The reason for this standardization is to strengthen Federal IT security by reducing opportunities for hackers to access and exploit government computer systems.

All Government-furnished Windows-based computers (whether operated by Government or contractor staff) are affected by this mandate.

Resources

There are a few main resources outside of NCI-F with pertinent information on the FDCC; however, keep in mind that the NCI-Frederick and NCI information is likely to be the most applicable to the NCI-Frederick effort when viewing other sites.

• Help with Applying Setttings: Contact Ross Smith, X-1676
  Ross is familiar with applying Group Policy in a variety of environments and will work with you for your particular area.

• New - Record FDCC Application
  Local Administrators can record application of the FDCC Settings within their program area.

• NIH/CIT FDCC FAQ Website
  Contains general information focused on the end-user communities within NIH.

• NIH/CIT FDCC Wiki
  NIH's FDCC Wiki for IT and Technical Personnel.

• NIST FDCC Website
  Homepage of the FDCC effort - note: HHS has declined to implement certain aspects of the FDCC at this time.

Questions and Answers

Are all Windows computers included in the mandate?

All Windows XP and Windows Vista desktop or laptops computers are candidates for the application of FDCC settings. That includes "Dual-boot" configurartions, Virtual Machines, and 64-bit veriosns of Windows XP and Vista. Older versions of Windows, Windows "Servers", Macintosh OS, and Linux systems are not being considered at this time. Computers that directly control scientific equipment are also eligible for a partial exemption.

Does this mean everyone will have a "Standard" Desktop?

No, the FDCC is not a "standard" desktop, it's is a collection of approximately 300 security settings. Some programs and web sites have been identified that don't work within the FDCC settings - the most comprehensive list is at the NIH/CIT FDCC Wiki.

OK, I'm going to need a waiver for a local admin account.

Currently, the waiver process is still "evolving" but there will likely be several "classes" of waivers:

• A waiver for an individual to have a local administrator account for their computer. An example of this may be a programmer would needs to have elevated access to their own desktop.

• A waiver for an individual to have a local administrator account for a local group of computers. An example of this may be a local IT administrator in a lab or program area who manages a small group of computers. The administrator account would only be valid for a defined set of systems.

• A waiver for a person that supports the entire enterprise (such as system/network administrators in C&SS or the ABCC).

You will also need to complete a training course related to the elevated level of access you may be granted.

I have some specific technical questions - who can I contact?

Jim Racheff (C&SS) is the Chair of the NCI-Frederick FDCC Subcommitee; staff from both the C&SS Microcomputer & Communications Support Group (X-5115) and the ABCC LAN Office (X-5555) also sit on the committee and can be contacted with technical questions.

NCI-Frederick