
Federal Desktop Core Configuration (FDCC)

1.      What is the Federal Desktop Core Configuration (FDCC) and why do I have to comply?

The FDCC, an OMB (U.S. Office of Management and Budget) mandate, requires that all Federal Agencies standardize the configuration of approximately 300 settings on each of their Windows XP and Vista computers. The reason for this standardization is to strengthen Federal IT security by reducing opportunities for hackers to access and exploit government computer systems.

2.      What is the timeframe for FDCC implementation?

All Federal Agencies, including NIH, are required to implement the FDCC settings by February 4, 2008.  In preparation for this deadline, the NIH IT community has been working together to test the settings and assess their impact.  Since so much time was spent on testing the XP settings, the deadline for implementing the Vista settings is being delayed by at least 2 months. 

3.     Who is affected by these changes?

FDCC currently applies to all government-furnished Windows XP desktop and laptop computers, including those that use VPN to access the NIH network remotely.   

  • FDCC does not apply to Windows computers embedded or attached to scientific devices and biomedical equipment as long as they are not used for e-mail, general Internet browsing, or other administrative functions.
  • While FDCC does not currently apply to Macintosh and Linux computers, these systems are under review for future inclusion.
  • If you use your personal desktop or laptop with VPN to connect to NIH from home, these settings will not be applied to your machine.
  • FDCC does not apply to servers.

4.     To comply with the FDCC, are Federal organizations required to use the Microsoft Windows Firewall?

No. The FDCC baseline recommends the use of a personal firewall and includes the Microsoft Windows Firewall settings, because it is enabled with the operating system installation. However, Federal organizations are free to use other desktop firewall software instead of the Microsoft Windows Firewall.

5.     Are Microsoft Defender and/or other Malware scanning software included in the FDCC settings?

No.  The FDCC does not mandate the configuration of Windows Defender.  Currently, there is no configuration guidance for this product other than the default settings provided by Microsoft. 

6.     What are the immediate impacts of FDCC?

      • Password changes will be more frequent.  Instead of every 90 days, your password will have to be changed every 60 days.
      • Your login will not be saved when you log on. You will need to fill in the login and the password each time you log on to your computer.
      • Administrative privileges will be taken away, which means you will not be able to download new applications (see the answer to Question 14 below for more information).  Unless you obtain a waiver to have these privileges, you will need to open a ticket with the NIH Help Desk and have them work with your local IT support to make changes to your computer or install software.
      • Some applications may not work properly because they require administrative access to the operating system and application directories and registry keys. For example, there is a known problem with Visual Studio Suite accessing files that only an administrator can access.  It has also been reported that in some cases Remedy is unable to access the user preferences, which are stored in the user’s profile, and that access requires administrator privileges.

7.       What websites have you found that do not work with FDCC settings as implemented now?

There are no known websites that do not work with FDCC settings as currently implemented. Please notify the NIH Help Desk if you encounter problems.

8.       Does the FDCC include power management specific settings?

The FDCC does not make any specific recommendation about the power management settings.

9.         Is FDCC applicable to special purpose (e.g., scientific, medical, process control, and experimental systems) computers?

The primary targets of FDCC are general-purpose systems such as managed desktops and laptops.  

Specialized computers used primarily for a scientific effort, such as running software and collecting data from a piece of scientific equipment, are exempt from the FDCC settings. 

However, such a system needs to be securely protected by other means.  Such methods may include removing email and/or browser software, keeping the computer on a local “subnet” rather than on the main NIH network, or other controls to protect the computer and the NIH environment. In addition, ICs need to track the special purpose computers that are exempt from FDCC.

A computer that is used by a scientist, but is primarily used for email access, web browsing, and non-scientific uses is included in the FDCC scope. 

10.      Does the FDCC apply only to desktop systems?

FDCC applies to both desktops and laptops that are deployed and connected directly to the organization's network.

11.      Is FDCC applicable to contractor computers?

Yes, Windows XP and Vista computers that are owned or operated by a contractor on behalf of or for the United States Government, or are integrated into a Federal system are subject to FDCC.

12.      FDCC settings prohibit wireless connection. Are there any conditions under which wireless is allowed? Airport? Hotel? We have implemented wireless within our enterprise. Do I really need to disable wireless? What if I am using a third-party wireless client?

FDCC wireless setting specifies that all wireless interfaces should be disabled.  HHS rejected this setting and NIH desktops and laptops are allowed to run wireless as long as they follow NIH wireless policies.  More information is available at http://irm.cit.nih.gov/security/sec_policy.html and http://www.cit.nih.gov/ProductsAndServices/Networking/WirelessLANServices/.

13. Is a waiver possible for the FDCC implementation?

Since HHS has worked extensively with NIH to tailor the NIH FDCC configuration, any waivers would need to be very strongly supported and documented, based on testing, to include a justification on why FDCC is not possible due to technical limitations and conflict with mission requirements.

Waivers must be supported by the IC ISSO and require the approval of the NIH and HHS CISOs. See the NIH Information Security web site at http://irm.cit.nih.gov/security/FDCC_Waivers.doc for more complete information.

14.     How will FDCC be implemented at NIH?

      • With the direct support of the NIH Office of the Chief Information Officer (OCIO) and the Center for Information Technology (CIT), each NIH Institute and Center (IC) is implementing and supporting FDCC to meet their individual needs. 
      • Information on how and when your IC will implement FDCC is forthcoming from your local IT support.  Each IC will be following a different schedule. The general procedures they will follow are provided below.
        • For newly acquired computers, your local IT support will ensure that the FDCC settings are implemented as soon as the computers are added to the network.
        • For existing computers, your local IT support will provide you with a schedule for when the computers will be electronically reconfigured with the settings.
        • For administrative privileges, once your waiver is approved, your local IT support will provide you with an additional administrative account. You will have two accounts: an admin account and a user account. Your admin account would be used for making system changes, installing software, and running applications that require it. Your user account would be used for email, accessing the internet and applications.
          • An administrative account can only be used to administer your machine.  You must right-click or log out and log back in as a standard user for day-to-day operation, i.e., accessing email, the Internet and applications.

15.      What happens when I have been approved to have an administrator’s account?

Once approved, you will have 2 accounts - your regular User account for accessing email, applications, and the Internet; and a secondary admin account (aaUser) to perform any other functions.

FDCC prevents the downloading and installing of unmanaged, insecure or unknown software packages. By using your aaUser admin account, you can access software from a central store. For example, CIT offers software through the iSDP and our engineer/desktop team maintains CIT specific software on the CITAPPS file server. See the NIH Information Security web site at http://irm.cit.nih.gov/security/FDCC_Waivers.doc for more complete information concerning the use of admin accounts.

16.      Will I still be able to use FTP?

You will still be able to use FTP to transfer files to and from external sites but your desktop cannot be connected to by FTP clients (i.e. your desktop cannot be an FTP server).

17.      Does the FDCC mandate mean NIH will have a “standard” desktop?

No.  All desktops will meet a certain security standard as defined by the FDCC.

18.      Will the FDCC settings be centrally “pushed” to all desktops?

No. Each IC’s IT support group will need to carefully coordinate the implementation of the new configuration settings to minimize the impact to the IC mission and the IT support organization. Each IC will have its own schedule for implementation of the new configuration settings.

19.       Can I still download information from the Internet?

Yes, but if you download software, or an application, you will not be able to install it without an administrator account.

20.      One of the FDCC settings does not allow the installation of unsigned device drivers. In order to be compliant, do we need to remove unsigned device drivers that are already installed on general purpose computing devices?

HHS has adopted the setting to “Warn but Allow” the installation of unsigned drivers.

21.     Are Windows XP and Vista laptops that are not in the AD Domain (only have a local account for the user) part of the FDCC requirement?  If so, what is the plan for keeping these Windows computers updated with any changes in the FDCC standard?

FDCC applies to ALL computers running Windows XP and Vista. Scientific devices are the only machines that are not a target for FDCC. Deployment to non-domain machines will have to be managed by the ICs via local security policies.

22.      Will FDCC disable all file sharing between FDCC compliant workstations?

No.  There is no problem with shares being used this way as long as they are not “open” shares.

23.       Will it be possible for people in different labs, or at different sites, to add data to a common database, or access the data in a common database?

Yes.

Will I need a separate, exempt computer to hold such a database?

No.

24.      Will it be possible from home, to use my VPN account to access the documents on my office computer, read them, modify them, and put them back?

Yes.

25.      How do we do routine, central backups of our computers? Without file-sharing, isn't this impossible? Will we be restricted to backups that are written onto directly-connected hard media such as DVDs, which are low-capacity, time-consuming, wasteful, and inconvenient as backup media and simply are not done routinely?

Your current backup routines should not be affected.

26.  Most of the ICs have core facilities (imaging, microarray, sequencing, etc.) that store data on a server, and many of those servers run XP.  Will these machines require a waiver?

No, servers will not require a waiver. See Question 3 for additional information.

27.      FDCC does not apply to non-NIH computers that connect to the network over VPN. I also understand that any machine that logs into the NIH domain will automatically have the FDCC settings applied to it, even if the login is via VPN. How will FDCC affect the non-NIH machine?

If you are running a government owned and operated PC at your home, and connect to the network via VPN, you will get the settings.

If you are running your personally owned machine from home and connect to the network via VPN, you will not get the settings.  Your personal PC will not receive the settings unless it is joined to the NIH Domain in Active Directory; there are very few people who do this. Adding a home non-NIH machine to the Domain would have to be by request and is not automatic.

28.      During testing, the FDCC settings made it impossible to connect to the Internet through at least some Internet providers. Won’t this be a problem for non-NIH-owned computers and also a problem for NIH laptops that are taken off-site to conferences so investigators can maintain contact with their labs?

On January 16, 2008 NIH received approval to change the setting that caused this issue and it was implemented immediately.

29.      Are the FDCC settings reversible?

A machine can be removed from the group policy that implements FDCC to allow for troubleshooting. 


30.      Does this apply to Active Directory (AD) accounts only?

Yes, only to AD accounts.

31.      What's the proper configuration of the Windows XP personal firewall to allow for configuration scanning by the NIH Incident Response Team (NIH IRT)?

As part of this program, OMB also requires verification of compliance with FDCC requirements using Security Content Automation Protocol (SCAP) scanning tools.  NIH and HHS are in the process of acquiring SCAP technology, which will allow ICs to check their configurations as well as to provide reports to HHS and to the HHS Office of the Inspector General (OIG) upon request.  Because of Windows XP firewall limitations, allowing authorized scanning tools to audit systems for vulnerabilities is not feasible under FDCC. Scanning for vulnerabilities using traditional methods will be supplemented with the IRT’s capability to conduct configuration scans of desktops and laptops using SCAP tools. The addition of these configuration audits, along with the use of the Windows firewall, will offset the risk of not using the traditional vulnerability scanning methods for workstations and laptops. Public-facing servers are not bound by FDCC and therefore traditional methods of vulnerability scanning will not be affected.

FDCC Firewall Configuration to support NIH IRT compliance scanning:

  • The File and Print Sharing and Server services must be enabled.
  • With the Windows firewall enabled, the following ports must be opened:
    • TCP 139
    • TCP 445
    • UDP 137
    • UDP 138
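As an added example (not part of the NIH FAQ or any NIH-supplied script), the following Windows XP SP2/SP3 `netsh firewall` commands open exactly the File and Print Sharing exception listed above, but scoped to the scanner's address range rather than to every source. The subnet 10.0.0.0/24 is a placeholder assumption; the actual NIH IRT scanner range is not given on this page.

```batch
@echo off
REM Added example, not NIH-provided. Configures the Windows XP firewall for
REM SCAP/IRT configuration scanning as described in Question 31.
REM The scanner range below is a placeholder; substitute the real IRT range.
set SCANNER_NET=10.0.0.0/24

REM Weak form (do not use): the same exception opened to every source address.
REM This exposes TCP 139/445 and UDP 137/138 to any host that can reach the PC,
REM not just the authorized scanner.
REM   netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=ALL

REM Hardened form: enable the File and Print Sharing exception (which covers
REM TCP 139, TCP 445, UDP 137 and UDP 138) only for the scanner's range.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%SCANNER_NET%

REM The Server service answers on TCP 139/445; make sure it runs at startup.
REM (The space after "start=" is required by sc.exe.)
sc config lanmanserver start= auto
sc start lanmanserver

REM Verify the firewall is still on and show the exception just created.
netsh firewall show state
netsh firewall show service
```

Leaving the firewall itself enabled is part of the control: the FAQ's risk offset depends on the Windows firewall staying on with only this scoped exception, not on file sharing being opened generally.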

This document is at http://irm.cit.nih.gov/security/FDCC_Waivers.doc

32.       If you are allowed to have an “aa” account or a “dev” account, can your computer be taken out of the FDCC implementation group?

“aa” and “dev” accounts are accounts with elevated privileges that were added due to a waiver submission. (What’s the difference between the accounts?)
Having the “aa” account does not allow the system to be taken out of the FDCC compliance group.  The question is not yet settled for “dev” accounts, as we are still working on that issue.  For current FDCC waiver information, go here:  http://irm.cit.nih.gov/security/FDCC_Waivers.doc

33.      Who is responsible for granting and tracking waivers for local administrative accounts?

NIH has submitted a waiver to HHS to handle FDCC administrative account waivers as described here:  http://irm.cit.nih.gov/security/FDCC_Waivers.doc  The approval and tracking of the FDCC Administrative account waivers is performed at the IC ISSO level and should not be sent to HHS SecureOne.  They should be tracked by the ISSO so that if there is a data call from HHS or the IG, the ISSO can show that the waivers were approved and authorized by the IC in a manner that can be justified.  The use of the "aaUSER" account and the tracking of the FDCC Admin training are intended to help document and facilitate any possible requests for justification.

34.      How can we get more information and assistance?

Your IC IT leadership can assist you with specific questions.

As always, you are also welcome to contact the NIH Help Desk with any questions or requests for assistance: 

http://ithelpdesk.nih.gov
301-496-4357
866-319-4357 (toll free)
301-496-8294 (TTY)

(Revised 3/26/08)


This page last reviewed: September 12, 2008