DEPARTMENTAL REGULATION
Number: 3170-001

SUBJECT: End User Workstation Standards
DATE: December 12, 2007

OPI: Office of the Chief Information Officer
1. PURPOSE
The objectives of the United States Department of Agriculture’s (USDA) End User Workstation Standards requirements are: (a) to ensure cyber security protection, (b) to increase effectiveness in acquiring and administering resources by promoting compatibility and interchangeability of workstation hardware and software, (c) to ensure that these standards are aligned with the enterprise architecture business goals and processes of USDA, and (d) to meet the policy requirements of OMB Circular A-130 and OMB policy memorandum M-07-11.
2. SPECIAL INSTRUCTIONS/CANCELLATIONS
This regulation will remain in effect until superseded. Appendices are forthcoming.
3. BACKGROUND
The Clinger-Cohen Act of 1996 (40 U.S.C. 11101 et seq.), as amended by the Information Technology Management Reform Act (ITMRA), and OMB Circular A-130, “Management of Federal Information Resources”, require Federal agencies to build and maintain a Profile of Standards and Technical Reference Model that supports IT investment management and development of enterprise architecture. More recently, the Office of Management and Budget issued policy memorandum M-07-11, “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems,” which stated: “agencies with these operating systems [Windows XP and
4. POLICY
This policy requires the agencies and offices under the administrative oversight of the Department of Agriculture to follow a set of standards regarding workstation computers. The Chief Information Officer of the USDA (CIO USDA) is required to establish standards to ensure the cyber security of the agencies’, Department, and Government-wide networks. These standards include hardware, operating systems, and applications.
The workstation standards are contained in appendices to this general policy. Each appendix is to be established within 90 days of the approval of this policy, with comments from agencies, and reviewed quarterly in the first year of this policy. After the first year, a review of each appendix is to be conducted in the first month of the second quarter, circulated to the agencies for comment for 30 days, and finalized prior to the end of the second quarter.
The USDA CIO is to ensure the following during the annual review:
a. support for the continuity of operations to the USDA programs;
b. focus areas and training maximizing the use of the standard workstation configuration;
c. centralized support of operating system and application patches to maintain the cyber security protection of over 130,000 workstations;
d. establishing an enterprise architecture standard;
e. meeting the workstation security requirements of the Office of Management and Budget;
f. achieving discounts by volume purchasing;
g. providing automated inventories through vendor information transfer;
h. supporting smartcard based security;
i. supporting the Department’s thin client, mobile technology, and teleworking policy;
j. ensuring consistency to provide users better Tier 1 helpdesk service;
k. creating a functional workstation that will assist our employees with their daily work requirements; and
l. minimizing the expense of workstation rotation and replacement.
Agencies and offices of the United States Department of Agriculture shall procure computer workstation hardware and software consistent with the standards identified in the appendices of this regulation. Exceptions to these standards may be requested through specific procedures identified in Paragraph 7 of this regulation.
The following appendices provide the detailed selection specifications for conforming to the policy requirements of this regulation:
a. Appendix A, “End User Workstation Hardware Standards”
b. Appendix B, “End User Workstation Security Standards”
c. Appendix C, “End User Workstation Software Standards”
d. Appendix D, “End User Workstation Peripheral Standards”
e. Appendix E, “USDA Conservation and Green Standard Requirements for Workstations”
f. Appendix F, “USDA Standards for Acceptable Disposal of Batteries and Other Workstation Components”
g. Appendix G, “Other Workstation Standards”
5. BENEFITS
The benefits to the Department, agencies, and users from the standardization of workstations include better security for the Government’s networks, better helpdesk support, increased inventory management capabilities, support of USDA telework and mobile computing technologies, adherence to OMB workstation security requirements, lower operating costs, and volume based purchasing discounts.
USDA uses information technology (IT) to assist in achieving program objectives and reporting requirements. Consistency in USDA’s IT allows the development of safe, efficient and cost-effective methods for supporting programs and in planning for upgrades, migrations, staff training, and future technology installations. In addition, these standards promote cross-agency information sharing, increase interoperability, and improve Departmental communication and collaboration.
6. RESPONSIBILITIES
a. The USDA CIO is:
(1) The final, approving authority on the adoption of IT standards to ensure the security of Government networks, maximize the benefit of technology purchases, and minimize investment and operating expense.
(2) The final reviewer and approver of exceptions to the workstation standard requested by the agencies or staff offices.
b. The Office of the Chief Information Officer (OCIO) will:
(1) Develop basic policies and standards for the end-user workstation environment.
(2) Provide management and oversight activities related to workstation operating system configurations, to include but not limited to:
(a) Providing periodic updates to all operating system configurations to ensure systems security posture is maximized;
(b) Reviewing and monitoring compliance with established operating systems policy;
(c) Testing all configurations in a non-production environment to ensure compatibility with legacy applications;
(d) Supporting the agencies by testing operating system software;
(e) Creating a software update architecture that is able to receive and approve patches and updates from the Department of Homeland Security for deployment to the USDA enterprise;
(f) Creating and maintaining a security configuration guide for each operating system; and
(g) Reporting compliance and deviations to OMB.
(3) Establish enterprise-wide contracts for standard hardware and software.
(4) Establish and maintain the green policy, recycle policy, and energy conservation policy for computer workstations, in accordance with applicable Government-wide policies and standards.
c. Department agencies and staff offices will:
(1) Adopt the policies and standards for the end-user workstation environment by:
(a) Establishing procedures and controls to ensure the use of these standards;
(b) Ensuring effective communication between local systems administrators and OCIO; and
(c) Incorporating these standards in each agency’s and office’s capital planning and investment control process.
(2) Implement and maintain operating system and security configuration settings by:
(a) Scanning and providing periodic updates to all operating system configurations to ensure systems security posture is maximized;
(b) Documenting all deviations from these standard operating systems settings with a detailed rationale for the deviations, and requesting a waiver from the Cyber Security Division in OCIO;
(c) Providing corrective action plans for the timely remediation of issues not authorized as an approved deviation;
(d) Ensuring only qualified and trained personnel are granted elevated privileges;
(e) Ensuring that elevated privileged accounts are not mail or Internet enabled;
(f) Ensuring all custom or commercial off the shelf (COTS) applications are written to be run as “user”;
(g) Creating an authorized software list that includes all the software that can be used on these configurations; and
(h) Employing the National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) tools to help evaluate providers and perform self-evaluations.
(3) Procure standard hardware and software from enterprise–wide contracts as they are made available.
(4) Request acquisition of hardware and software using the Acquisition Approval Request (AAR) process prior to any procurement. The AAR must identify whether or not the acquisition of hardware or software to be procured meets the USDA standards, the contracts to be used and must provide a detailed rationale if the product(s) being purchased does not meet the standard, regardless of whether the standard is a product or a specification(s).
7. EXCEPTION REQUEST PROCESS
Some agencies may have special conditions or requirements that prevent full compliance with this regulation. Agencies may request a special exception by submitting written justification to the USDA CIO for review and decision. The justification must include the business reasons that show a different option is in the best interest of the agency and USDA for cyber security, technology development, and expense reduction. All requests must be signed by the Agency CIO.
The written exception request is to be in the form of a decision memorandum and is to include:
i. Indication of Request for Exception
ii. Name of submitting agency
iii. Name and contact information of submitting person
iv. Information technology description (hardware/software exception)
v. Justification to show good cause for the exception. The request should document the justifications for the exception and the impact of granting versus not granting the request.
vi. Cyber security management plan
vii. Technology development summary
viii. Technology refresh plan
ix. Cost justification
x. Signature of Agency CIO.
xi. Date of the request.
8. DEFINITIONS
a. Workstation. Desktop, laptop, or other computer used by the employee to complete their daily tasks.
b. Desktop Computer. A computer made for use on a desk in an office or home, and is distinguished from portable computers such as laptops or Personal Digital Assistants (PDA). Desktop computers are also known as microcomputers.
c. Laptop Computer. A small mobile computer, which usually weighs 2-18 pounds (1-6 kilograms), depending on size, materials, and other factors.
d. Thin Client. Server-centric computing hardware in which the application software, data, and CPU power reside on a network server rather than on the client computer.
-End-
Appendix A
End User Workstation Hardware Standards
The policy for USDA hardware standards is designed to ensure the security of the workstation, minimize workstation expense, reduce environmental impact, and improve help desk response. The following are the hardware standards for USDA thin client, desktop, and laptop workstations. Agency Administrators and CIOs are instructed to review the work requirements of the employees within their workforce and assign workstations that match those requirements. The agencies are to purchase thin client workstations unless a documented work requirement calls for a more capable desktop. Due to the risk of data loss and theft, laptops are to be used sparingly. Except in extenuating circumstances, employees are only to be allocated one workstation.
USDA has identified the following workstation types, based on function:
Workstation Type | End-User Computing Platform
Standard Office Workstation | Base-Level Desktop Workstation
Standard Office Workstation By 2010 | Thin-Client Workstation
Enhanced Office Workstation | Mid-Level Desktop Computer
Specialized Office Workstation | High-end Desktop Computer
Mobile Workstation | Mid-Level Laptop Computer
Specialized Mobile Workstation | High-end Laptop Computer
Ruggedized/Semi-Ruggedized Mobile Workstation | Ruggedized/Semi-Ruggedized Mid-Level Laptop Computer
The end-user computing platform for the standard office workstation is a base-level desktop workstation. The standard office workstation will be deployed to all USDA employees unless business requirements justify otherwise. Justification for something other than a standard office workstation may include the following:
(1) The end user is required to conduct regular work-related travel and requires a mobile workstation to effectively perform job requirements.
(2) The end user is a Continuity of Operations (COOP) responder and requires a mobile workstation to ensure uninterrupted program operations.
(3) The end user performs job functions (heavy statistical analysis, intensive graphics, or large financial calculations) that require a high degree of processing on the local desktop.
The following table contains the minimum hardware configuration requirements for the standard office workstation that is deployed to the user:
Processor: 2.8 GHz; 800 MHz FSB; may be a single or dual processor
Memory: 2 GB DDR2 533 MHz, upgradeable to 4 GB
Ports: 4 USB 2.0; 1 serial; 1 parallel; 1 external monitor; 2 PS/2; 10/100/1000 Ethernet
Keyboards: USB Smartcard Keyboard, or USB Keyboard if the Smartcard Reader is an external device
Monitors: 17 inch Flat Panel
Hard Drives: 80 GB
Mouse: USB 2-Button Mouse
Components external to the base-level device, such as monitors, keyboards, and speakers can be provisioned through reuse of existing inventory. Based on business need, additional internal and/or external devices, such as CD-ROM and DVD drives may be added to the configuration.
The “thin client” is a network computer designed to be especially small, so that the bulk of the data processing occurs on a network server. For the most part, application software, data, and processing reside on this network server rather than on the end user workstation. Because little software and no user data persist on the device, thin clients are less exposed to compromise and data loss; they also have a longer life cycle, use less power, and require less on-site maintenance support. In addition, the average cost of a thin client is less than $500, almost a third of the cost of the normal base workstation. Agencies are to build their capability to implement thin clients in lieu of base-level desktop computers wherever end users are located in offices that have sufficient network bandwidth for reliable thin client operation. The thin-client workstation should be the default standard office workstation for all agencies by January 2010.
The thin client can support most administrative and business processing functions including office productivity applications such as e-mail, word processing, spreadsheets, Internet applications, and presentations. Additionally thin clients will support business applications where the user interface is browser or application streaming based.
The following table contains the minimum hardware configuration requirements for the standard office workstation by 2010 that is deployed to the user:
Processor: 1 GHz; Low Power Consumption
Memory: 512 MB DDR SDRAM, upgradeable to 1 GB
Flash Memory: 256 MB Flash RAM, upgradeable to 1 GB Flash RAM
Ports: 3 USB 2.0; 1 serial; 1 parallel; 1 external monitor (dual monitor capable); 10/100 Ethernet
Keyboards: Integrated Smartcard reader, or USB Keyboard if the Smartcard Reader is an external device
Monitors: 17 inch Flat Panel
Mouse: 2-Button Mouse
OS: No embedded operating system (e.g., XPe)
Components external to the thin client device, such as monitors, keyboards, and speakers can be provisioned through reuse of existing inventory. Based on business need, additional internal and/or external devices, such as CD-ROM and DVD drives may be added to the configuration.
The end-user computing platform for the enhanced office workstation is a typical mid-level desktop computer. The enhanced office workstation is deployed to the end-user only when the standard office workstation will not support the business functions being performed by the end-user.
This enhanced office workstation supports office productivity applications such as e-mail, word processing, spreadsheets, Internet applications, presentations, and viewing PDF documents and graphic images. Additional functionality includes: business program development, project management, statistical analysis, desktop publishing, multi-media development, and database processing.
The following table contains the minimum hardware configuration requirements for the enhanced office workstation that is deployed to the user:
Processor: 3.4 GHz; 800 MHz FSB; dual processor
Memory: 2 GB DDR2 667 MHz, upgradeable to 4 GB
Ports: USB 2.0; 1 serial; 1 parallel; 1 external monitor; 2 PS/2; 10/100/1000 Ethernet
Keyboards: USB Smartcard Keyboard, or USB Keyboard if the Smartcard Reader is an external device
Monitors: 17 inch Flat Panel
Hard Drives: 160 GB
Mouse: USB 2-Button Mouse
Components external to the enhanced office workstation, such as monitors, keyboards, and speakers can be provisioned through reuse of existing inventory. Based on business need, additional internal and/or external devices, such as CD-ROM and DVD drives may be added to the configuration.
The end-user computing platform for the specialized office workstation is a high-end desktop computer. A specialized office workstation may be deployed to the end-user only when standard office workstation or the enhanced office workstation will not support the business functions being performed.
The specialized office workstation is configured to support high-end applications and advanced graphics and modeling capabilities required by Geospatial Information System (GIS), software design and development, or engineering applications. This model is intended to be used by subject matter experts that demand the most processing power offered in a desktop computer.
The following table contains the minimum hardware configuration requirements for the specialized office workstation that is deployed to the user:
Processor: 4 GHz; 1333 MHz FSB; dual processor
Memory: 4 GB DDR2 667 MHz ECC, upgradeable to 8 GB
Ports: 4 USB 2.0; 1 serial; 1 parallel; 1 external monitor; 2 PS/2; 10/100/1000 Ethernet
Keyboards: USB Smartcard Keyboard, or USB Keyboard if the Smartcard Reader is an external device
Monitors: 20 inch Flat Panel
Hard Drives: 250 GB, with capability to install multiple internal hard drives
Mouse: USB 2-Button Mouse
Components external to the specialized office workstation, such as monitors, keyboards, and speakers can be provisioned through reuse of existing inventory. Based on business need, additional internal and/or external devices, such as CD-ROM and DVD drives may be added to the configuration.
The end-user computing platform for the mobile workstation is a mid-level laptop computer. A mobile workstation may be deployed to the end-user only when the various office workstations will not support the business functions being performed due to regular work-related travel, field work, and/or continuity of operations.
The mobile workstation supports office productivity applications such as e-mail, word processing, spreadsheets, Internet applications, presentations, and viewing PDF documents and graphic images. Additional functionality may include: business program development, project management, statistical analysis, desktop publishing, multi-media development, and database processing.
The following table contains the minimum hardware configuration requirements for the mobile workstation that is deployed to the user:
Processor: 1.83 GHz; 667 MHz FSB
Memory: 2 GB DDR2 533 MHz, upgradeable to 4 GB
Ports: 4 USB 2.0; 1 serial; 1 parallel; 2 PS/2; 10/100/1000 Ethernet
Keyboards: Internal Keyboard
Monitors: 14.1 inch WXGA display
Hard Drives: 80 GB
Mouse: USB 2-Button Optical Mouse
Other: Smartcard Reader
Components external to the mobile workstation, such as monitors, keyboards, and speakers can be provisioned through reuse of existing inventory. Based on business need, additional internal and/or external devices, such as CD-ROM and DVD drives may be added to the configuration.
The end-user computing platform for the specialized mobile workstation is a high-end laptop computer. A specialized mobile workstation may be deployed to the end-user only when the various office workstations will not support the business functions being performed due to regular work-related travel, field work, and/or continuity of operations.
The specialized mobile workstation is configured to support high-end applications and advanced graphics and modeling capabilities required by Geospatial Information System (GIS), software design and development, or engineering applications. This model is intended to be used by subject matter experts that demand the most processing power offered in a laptop computer.
The following table contains the minimum hardware configuration requirements for the specialized mobile workstation that is deployed to the user:
Processor: 2.16 GHz; 2 MB L2 cache; 667 MHz
Memory: 3 GB DDR2 667 MHz, upgradeable to 4 GB
Ports: 4 USB 2.0; DVI; docking/port replicator; integrated gigabit Ethernet with wireless
Keyboards: Enhanced Performance USB Keyboard
Monitors: 15.0 inch wide-screen UXGA (1600x1200)
Hard Drives: 100 GB, 7200 RPM
Mouse: USB 2-Button Optical Wheel Mouse
Other: 256 MB ATI Mobility FireGL V5200 graphics; smartcard reader
Components external to the specialized mobile workstation, such as monitors, keyboards, and speakers can be provisioned through reuse of existing inventory. Based on business need, additional internal and/or external devices, such as CD-ROM and DVD drives may be added to the configuration.
The ruggedized mobile workstation is a computer laptop that is constructed for travel, field use, and/or continuity of operations and can withstand extreme environmental conditions that most electronics could not tolerate. The semi-ruggedized mobile workstation is a computer laptop that is built for field use and costs less than a ruggedized laptop, but is not designed to withstand the same extreme conditions as a ruggedized laptop. Both models provide office automation and mobile productivity. Applications include: e-mail, word processing, spreadsheets, viewing PDF documents and graphic images, and specific field applications.
The following table contains the minimum hardware configuration requirements for the ruggedized mobile workstation that is deployed to the user:
Processor: 1.83 GHz; 667 MHz FSB
Memory: 2 GB DDR2 533 MHz, upgradeable to 4 GB
Ports: 4 USB 2.0; 1 serial; 1 parallel; 2 PS/2; 10/100/1000 Ethernet
Keyboards: Internal Keyboard
Monitors: 12.1 inch XGA WVA Outdoor Viewable Display
Hard Drives: 80 GB
Mouse: USB 2-Button Optical Mouse
Other: Smartcard Reader
Components external to the ruggedized mobile workstation, such as monitors, keyboards, and speakers can be provisioned through reuse of existing inventory. Based on business need, additional internal and/or external devices, such as CD-ROM and DVD drives may be added to the configuration.
The configuration requirements for each workstation will be updated on an annual basis so that they represent the commercially available technology offerings in the marketplace. Deployed workstations based on prior year configurations will remain in service until the minimum refreshment period is met or the hardware fails to operate.
The following table identifies the refreshment standard and maximum life for each workstation type:
Workstation Type | Refreshment Period | Average Annual Refreshment Rate Per Agency | Maximum Life
Standard Office Workstation | 4 Years | 20% | 5 Years
Standard Office Workstation By 2010 (Thin Client Workstation) | 5 Years | 20% | 5 Years
Enhanced Office Workstation | 4 Years | 25% | 5 Years
Specialized Office Workstation | 4 Years | 25% | 5 Years
Mobile Workstation | 3 Years | 33.33% | 5 Years
Specialized Mobile Workstation | 3 Years | 33.33% | 5 Years
Ruggedized/Semi-Ruggedized Mobile Workstation | 3 Years | 33.33% | 5 Years
The OCIO will establish enterprise wide contracts for purchasing of workstations and associated internal and external devices. Until such time that the contracts are established and designated as the mandatory sources of supply, all workstation purchases must be addressed through the Acquisition Approval Request (AAR) process. In the event that the request is for other than the standard or target office workstation, the
Each Agency and Staff Office will maintain basic itemized information on all workstations in order to track, manage and report on assets.
Appendix B
End User Workstation Security Standards
The purpose of this appendix is to establish the requirements for implementing standards for the security of end-user workstations used throughout the United States Department of Agriculture (USDA). This access control policy guidance is designed to protect information systems and data within the USDA.
Each agency, staff office, or shared service provider must establish and administer a user account management program for controlling access to USDA desktop computing assets. This program must include procedures to establish, activate, modify, review, disable, and remove user accounts. All user account administration for agency systems will be performed by appropriately trained and authorized system security personnel in accordance with technical direction provided by the agency Information Systems Security Program Manager (ISSPM), Department policy, and Federal regulations. All user accounts are required to be documented and made available for audit by the USDA Office of the Chief Information Officer or other authorized parties.
Authorizations to access and use USDA information technology (IT) resources will be granted by business owners responsible for those resources. Access will be based on official business "Need to Know" and limited to the "Least Privilege” access required to perform job functions. Active accounts will be reviewed at least quarterly, and account permissions will be reviewed at least annually. Any discrepancies between system users and their access shall be reconciled by requesting and processing appropriate changes in user accounts and their associated access permissions.
All types of access to USDA information systems that are allowed via external connections, such as Virtual Private Networks (VPN) or CITRIX, must be fully documented and authorized by the individual’s manager.
All methods of remote access to USDA information systems are subject to the following restrictions/controls:
· All remote accesses must be controlled and monitored through a limited number of managed access control points.
· Remote access must use a two-factor authentication mechanism where one of the factors is provided by a mechanism separate from the computer gaining access.
· All remote access sessions must be protected using Federal Information Processing Standards (FIPS) 140-2 compliant encryption.
· All remote access sessions must be protected by a "time-out" function requiring user re-authentication after 15 minutes or less of inactivity.
· Remote access activity must be recorded in logs and reviewed periodically.
· Remote access privileges must be authorized and restricted to users with an operational need for access.
· Remote access for privileged functions on an information system can be authorized only for compelling operational needs and the rationale for such access must be documented in the security plan for the information system.
· All methods of remote access must be fully documented in each agency's Overall Agency Security Plans.
Individuals who are to be granted access to USDA information systems must first undergo the Personal Identity Verification (PIV) process mandated by USDA policy and Homeland Security Presidential Directive 12 (HSPD-12). In addition, applications for appropriate background investigations for all individuals must be submitted and processed to a degree that meets the requirements for access.
Individuals must complete the paper-based or CD based (on a stand-alone system) Computer Security Awareness and Privacy Basics training prior to being granted access to any USDA information systems. All employees must meet the annual training requirements for computer security awareness and the protection of personally identifiable information (PII) to retain access.
Before a user account can be created or access permissions modified, a hardcopy or electronic user access request form must be completed. A hardcopy or electronic copy of each completed and processed form must be retained by the authorizing agency representative for each active user account. Each form should include at least the following:
· User first, middle, and last name.
· User ID(s).
· Description of the action requested.
· Description of the access(es) requested.
· List of information systems the individual is authorized to access and what role is authorized for each system.
· User’s signature verifying that the user has read, and will abide by, the system’s security rules and has completed all required security and privacy training.
· Verification of background investigation status (initiated, under adjudication, or completed).
· Authorizing manager’s signature.
· Authorizing application security administrator’s signature (if applicable).
· Processing agent’s signature (e.g. ISSPM or Information System Security Officer).
· Certification that Computer Security Awareness and Privacy Basics training has been completed.
USDA information systems shall be configured to ensure that users have only that access necessary to perform their job responsibilities.
Pending implementation of USDA’s LincPass environment, all USDA information systems must be configured to automatically ensure that all user accounts and their associated passwords adhere to the following USDA standards:
· Maximum lifetime for a password shall be 60 days for general users and privileged users (e.g. Security Administrators, programmers, auditors, engineers).
· Access by inactive users shall be suspended by the system within 30 days.
· User accounts shall be automatically locked out by the system after five consecutive unsuccessful logon attempts.
· Passwords must have a minimum of 12 alphanumeric and special characters (with complexity turned on), including at least one of each of the following: a number, an uppercase letter, and a lowercase letter; except for agency-documented and ACIO-CS approved exceptions where systems do not allow for compliance.
· Dictionary words cannot be used for passwords.
· System security software must enforce a password history for each user, disallowing reuse of the same password for at least 24 iterations.
· A minimum password age of one day must be enforced.
· Systems must obscure feedback of authentication information (e.g., display asterisks when a user enters a password).
· Passwords in storage and in transmission must be protected using FIPS 140-2 Security Requirements for Cryptographic Modules validated encryption.
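As an added illustration, not part of the regulation, the following Python code checks a proposed password change against the rules listed above: minimum length and character classes, the dictionary-word ban, the 24-entry history, the one-day minimum age, and the 60-day maximum lifetime. The word list, the per-account record, and the PBKDF2 hashing of history entries are assumptions made for the example; on a deployed workstation these settings are enforced through the operating system's account policy rather than application code.

```python
"""Mechanical check of a password change against the USDA rules above.

Added example (not from the regulation). The DICTIONARY set, the
AccountRecord store and the PBKDF2 history hashing are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Thresholds taken from the password standard on this page.
MIN_LENGTH = 12
HISTORY_DEPTH = 24
MIN_AGE = timedelta(days=1)
MAX_AGE = timedelta(days=60)

# Constructed stand-in for a real word list (assumption for this example).
DICTIONARY = {"password", "agriculture", "welcome", "summer", "winter"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored history entries are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccountRecord:
    """Per-user state needed to enforce the history and age rules (assumed store)."""

    def __init__(self) -> None:
        self.history = []  # list of (salt, digest), newest first
        self.last_changed = None  # datetime of the last successful change

    def set_password(self, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.history.insert(0, (salt, hash_password(password, salt)))
        del self.history[HISTORY_DEPTH:]  # retain only the last 24 passwords
        self.last_changed = now


def complexity_errors(password: str) -> list[str]:
    """Return every complexity rule the candidate violates (empty list = passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c in string.punctuation for c in password):
        errors.append("no special character")
    lowered = password.lower()
    for word in sorted(DICTIONARY):
        if word in lowered:
            errors.append(f"contains dictionary word '{word}'")
    return errors


def validate_change(record: AccountRecord, candidate: str, now: datetime) -> list[str]:
    """Apply the complexity, minimum-age and history rules to a proposed change."""
    errors = complexity_errors(candidate)
    if record.last_changed is not None and now - record.last_changed < MIN_AGE:
        errors.append("minimum password age of one day not met")
    # Re-hash the candidate with each stored salt; compare in constant time.
    if any(
        hmac.compare_digest(hash_password(candidate, salt), digest)
        for salt, digest in record.history
    ):
        errors.append(f"reuse of one of the last {HISTORY_DEPTH} passwords")
    return errors


def password_expired(record: AccountRecord, now: datetime) -> bool:
    """True once the 60-day maximum lifetime has passed (or no password is set)."""
    return record.last_changed is None or now - record.last_changed > MAX_AGE


if __name__ == "__main__":
    rec = AccountRecord()
    t0 = datetime(2007, 12, 12)
    print(validate_change(rec, "Password-12345!", t0))  # dictionary word rejected
    rec.set_password("Corn-Harvest-2007!", t0)
    print(validate_change(rec, "Corn-Harvest-2007!", t0 + timedelta(days=2)))  # reuse rejected
```

The history check re-derives the digest with each stored salt rather than comparing plaintext, so the record never needs to hold a recoverable form of an old password; the dictionary test is a case-insensitive substring match, which is stricter than a whole-word match and is what a practitioner would normally want.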
Upon a change in assignment, job responsibilities, title, or location, an employee’s or contractor’s information system accesses must be reviewed and reconciled by immediately requesting and processing appropriate changes in their user accounts and their associated access permissions.
When an employee or contractor is terminated, the employee’s manager must immediately notify the appropriate agency personnel of the user’s departure. All IDs and passwords or other means of accessing files or using computer resources by the individual must be disabled or removed within 24 hours of departure.
All USDA information systems must log access control related events. Reviews of these logs for identification of potentially suspicious activities should be conducted every 30 days or more frequently depending on the sensitivity of the system and its data. High impact systems should be configured to automatically notify responsible individuals when selected suspicious actions are logged.
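To show what the 30-day log review can look like in practice, here is an added example (not from the regulation) that walks a constructed, simplified access log, flags any account reaching the five-failure lockout threshold from the standard above, flags a successful logon that follows such a run (which indicates the lockout was not enforced or was reset), and lists accounts with no successful logon in the last 30 days, which the standard says must be suspended. The log format, user names, and host names are invented for the example; a real review would parse the workstation's own audit records.

```python
"""Review a constructed access log against the lockout and inactivity rules.

Added example (not from the regulation). The one-line-per-event format,
the users and the hosts are constructed for this illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                 # consecutive failures, from this page
INACTIVITY_LIMIT = timedelta(days=30)  # suspension threshold, from this page

# Assumed log format: "<ISO timestamp> <EVENT> user=<id> host=<name>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGON_SUCCESS|LOGON_FAILURE|LOGOFF) "
    r"user=(?P<user>\S+) host=(?P<host>\S+)$"
)

# Constructed sample: asmith mistypes twice then succeeds; jdoe's account sees
# five straight failures and then a success; rlee last logged on in November.
SAMPLE_LOG = """\
2007-11-01T09:00:00 LOGON_SUCCESS user=rlee host=WS0101
2007-12-11T08:00:01 LOGON_FAILURE user=asmith host=WS0202
2007-12-11T08:00:09 LOGON_FAILURE user=asmith host=WS0202
2007-12-11T08:00:20 LOGON_SUCCESS user=asmith host=WS0202
2007-12-11T08:05:00 LOGOFF user=asmith host=WS0202
2007-12-11T23:10:01 LOGON_FAILURE user=jdoe host=WS0303
2007-12-11T23:10:03 LOGON_FAILURE user=jdoe host=WS0303
2007-12-11T23:10:05 LOGON_FAILURE user=jdoe host=WS0303
2007-12-11T23:10:07 LOGON_FAILURE user=jdoe host=WS0303
2007-12-11T23:10:09 LOGON_FAILURE user=jdoe host=WS0303
2007-12-11T23:10:30 LOGON_SUCCESS user=jdoe host=WS0303
this line is malformed and must not be trusted
"""


def parse_events(text: str) -> list[dict]:
    """Parse well-formed lines into dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def review_access_log(text: str, review_time: datetime) -> dict:
    """Return lockout, post-threshold-success and inactivity findings."""
    consecutive_failures = defaultdict(int)
    last_success = {}
    findings = {"lockouts": [], "success_after_threshold": [], "inactive": []}

    for ev in parse_events(text):
        user = ev["user"]
        if ev["event"] == "LOGON_FAILURE":
            consecutive_failures[user] += 1
            if consecutive_failures[user] == LOCKOUT_THRESHOLD:
                findings["lockouts"].append((user, ev["host"], ev["ts"]))
        elif ev["event"] == "LOGON_SUCCESS":
            if consecutive_failures[user] >= LOCKOUT_THRESHOLD:
                # The account should have been locked at this point; a success
                # here means the lockout was not enforced or was reset.
                findings["success_after_threshold"].append((user, ev["host"], ev["ts"]))
            consecutive_failures[user] = 0  # a success resets the streak
            last_success[user] = ev["ts"]
        # LOGOFF events carry no access-control signal for these two rules.

    for user, ts in sorted(last_success.items()):
        if review_time - ts > INACTIVITY_LIMIT:
            findings["inactive"].append((user, ts))
    return findings


if __name__ == "__main__":
    for key, items in review_access_log(SAMPLE_LOG, datetime(2007, 12, 12)).items():
        print(key, items)
```

Counting failures per user rather than per host is deliberate: a single attacker moving between workstations still trips the threshold, and a genuine user who fails on two machines still gets reset by any success. The inactivity pass only sees accounts that appear in the log at all; accounts that never logged on have to be pulled from the account store instead.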
Each agency must establish and implement procedures to ensure that a user’s sensitive residual data cannot be accessed by unauthorized users (see National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88, Guide for Media Sanitization).
All USDA information systems must display an approved, system use notification message before granting system access informing potential users of the following:
This notification must remain on the screen until the user takes explicit actions to log onto the information system.
High impact USDA networks must restrict the number of concurrent sessions for any user to three or a lower value as determined by the system owner and agency ISSPM.
All USDA workstations must be configured to initiate a session lock after 15 minutes of inactivity. The session lock shall remain in effect until the user reestablishes access using appropriate identification and authentication procedures.
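The password, lockout and session-lock values above are checkable on a Windows workstation from a local security policy export and the screen-saver registry values. The following is an added example, not part of the regulation or any USDA tool; it assumes the [System Access] key names written by `secedit /export /cfg <file>` and the screen-saver values under HKCU\Control Panel\Desktop, and all sample data in it is constructed.

```python
"""Check a Windows local security policy export and the screen-saver values
against the password, lockout and session-lock rules stated above.

Added example, not part of the regulation or any USDA tool. [System Access]
keys are those written by `secedit /export /cfg <file>`; the screen-saver
values live under HKCU\\Control Panel\\Desktop. All sample data is constructed.
"""
import re

# Rule table derived from the regulation: (check, bound(s)).
# "between" is used for LockoutBadCount because 0 means lockout disabled.
PASSWORD_RULES = {
    "MinimumPasswordLength": ("ge", 12),           # 12 or more characters
    "PasswordComplexity":    ("eq", 1),            # complexity turned on
    "PasswordHistorySize":   ("ge", 24),           # no reuse for 24 iterations
    "MinimumPasswordAge":    ("ge", 1),            # minimum age of one day
    "LockoutBadCount":       ("between", (1, 5)),  # lock after at most 5 failures
}
SESSION_LOCK_RULES = {
    "ScreenSaveActive":    ("eq", 1),    # lock engages at all
    "ScreenSaverIsSecure": ("eq", 1),    # re-authentication required to resume
    "ScreenSaveTimeOut":   ("le", 900),  # 15 minutes, in seconds
}

# Constructed secedit export of a workstation that misses several rules.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Constructed registry values for the same workstation.
SAMPLE_DESKTOP = {"ScreenSaveActive": 1, "ScreenSaverIsSecure": 0,
                  "ScreenSaveTimeOut": 1200}

def parse_system_access(text):
    """Return integer settings from the [System Access] section of an export."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if re.fullmatch(r"-?\d+", value):
                settings[key] = int(value)
    return settings

def _passes(check, actual, bound):
    if check == "ge":
        return actual >= bound
    if check == "le":
        return actual <= bound
    if check == "eq":
        return actual == bound
    lo, hi = bound  # "between"
    return lo <= actual <= hi

def audit(settings, rules):
    """Return {key: (actual, required)} for every rule that is not met.
    A key absent from the export is reported with actual=None."""
    findings = {}
    for key, (check, bound) in rules.items():
        actual = settings.get(key)
        if actual is None or not _passes(check, actual, bound):
            findings[key] = (actual, f"{check} {bound}")
    return findings

def password_meets_rules(candidate, dictionary=frozenset()):
    """Apply the stated composition rules to one candidate password:
    12+ characters, at least one digit, one upper- and one lower-case letter,
    and not a plain dictionary word (case-insensitive)."""
    return (len(candidate) >= 12
            and re.search(r"\d", candidate) is not None
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[a-z]", candidate) is not None
            and candidate.lower() not in dictionary)

if __name__ == "__main__":
    policy = parse_system_access(SAMPLE_EXPORT)
    for key, (actual, required) in audit(policy, PASSWORD_RULES).items():
        print(f"password/lockout: {key} = {actual}, required {required}")
    for key, (actual, required) in audit(SAMPLE_DESKTOP, SESSION_LOCK_RULES).items():
        print(f"session lock: {key} = {actual}, required {required}")
```

On a real machine the export text comes from `secedit /export /cfg` and the desktop values from the registry; the 30-day inactive-account rule is not in this export and needs a separate last-logon query.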
Portable and mobile devices used to access the USDA network must be authorized, documented, and monitored. All data on such devices must be encrypted using FIPS 140-2 validated encryption unless the data has been determined to be non-sensitive, in writing, by the system owner and validated by USDA’s Office of the Chief Information Officer (OCIO).
The USDA prohibits the use of personally owned information systems to directly access government systems for official U.S. Government business involving the processing, storage, or transmission of federal information. Personally owned information systems can be used to interface with government web interfaces designed to accommodate communication of specific information (e.g., Employee Personal Page and Outlook Web Access).
Exceptions to this policy will be considered only in terms of implementation time. Exceptions that are approved will be interim in nature and expire at the end of one year. Agencies shall submit all policy exception requests directly to the Office of the Chief Information Officer.
19.1 The USDA CIO will:
The Federal Desktop Core Configuration (FDCC) compliance deadline is July 31, 2008. This standard applies to all end user workstations operating under Windows XP and Windows Vista operating systems.
Microsoft no longer supports Windows 95, Windows 98 or Windows 2000 operating systems and therefore these are not allowed on USDA networks. Although Linux and Mac OS are not covered under FDCC, these operating systems must still meet minimum USDA security standards. The Red Hat Linux Enterprise 4 and Mac OS security configuration guides are available at: http://www.ocionet.usda.gov/ocio/security/config_guides.html.
Microsoft Windows XP Professional Service Pack 2 is currently the target Windows operating system in USDA. When Microsoft announces that it will no longer support a particular Service Pack or operating system version, it must be removed from the USDA network 60 days prior to the end of service date. Although there are some instances of Microsoft Windows Vista Enterprise implemented in the USDA, this operating system is not considered a standard USDA Windows operating system at this time, and is not authorized for general end-user workstation deployment.
USDA technical security configurations are available at: http://www.ocionet.usda.gov/ocio/security/config_guides.html.
Windows XP Professional Service Pack 3 is the target standard. Service Pack 2 must be upgraded to Service Pack 3 as soon as possible. Service Pack 1 must be upgraded to the most current Service Pack or removed from the network.
All instances of Microsoft Windows XP Professional operating system software will conform to the configuration setting requirements set forth by the NIST Federal Desktop Core Configuration (FDCC). There will be no deviations from this core configuration.
Information about the FDCC is available at http://nvd.nist.gov/fdcc/index.cfm.
If Microsoft Windows Vista is deployed, then Microsoft Windows Vista Enterprise is the only version permitted on the USDA network. Current patches must be applied in accordance with section 21.0 below.
All instances of Microsoft Windows Vista operating system software will conform to the configuration setting requirements set forth by the NIST FDCC. There will be no deviations from this core configuration.
Information about the FDCC is available at http://nvd.nist.gov/fdcc/index.cfm.
Critical security patches are required to be applied immediately after testing but not more than seven days after release. Agencies and staff offices must scan operating system software monthly to ensure that software updates and non-critical patches are current and that all system vulnerabilities are remediated.
At a minimum, anti-virus/anti-malware and whole disk encryption software shall be installed on all end user workstations. The enterprise-wide software approved by USDA should be used when possible. Use of other software products must comply with NIST standards and be reported to OCIO.
USDA, along with the rest of the Federal government, is beginning to implement Homeland Security Presidential Directive 12 (HSPD-12) to provide an interoperable identity card to employees and contractors who either access government computer systems or need to access government facilities that are protected with electronic access controls. USDA is going to leverage the HSPD-12 credential (also known as the USDA LincPass) to meet the two-factor authentication requirement.
The USDA LincPass environment will be implemented and deployed during FY 2008 and FY 2009. All employees and contractors who have been provisioned with a LincPass must use it to access USDA networks. By September 30, 2008, the LincPass usage requirement will apply to all laptop access. By September 30, 2009, all workstations are required to use the USDA LincPass for access to USDA networks.
APPENDIX C
End-User Workstation Software Standards
The following sections identify the software standards for USDA Desktops, Laptops, and Thin Clients.
The following table contains the current Windows operating system software standard:
Category | Manufacturer | Title | Version
Windows-Based Workstations | Microsoft | Windows XP Professional SP2 | 2002
Although there are some instances of Microsoft Windows Vista Enterprise implemented in USDA, this Windows operating system is not considered a current USDA standard Windows operating system at this time, and is not authorized for general end-user workstation deployment.
The following table contains the base commercial-off-the-shelf (COTS) applications and government-off-the-shelf (GOTS) utility software standards:
Category | Manufacturer | Product | Oldest Version Permissible
Application Programming Interface | Microsoft | DirectX | 9.0c
Application Programming Interface | Microsoft | Dot Net Framework | 2.0
Browser | Microsoft | Internet Explorer | 6.0.x SP2
Configuration Management | Microsoft | MS SMS Client | 2.50.4160.2000
Database Connectivity | Microsoft | Microsoft Data Access Components (MDAC) | 2.8
File Compression | Corel | WinZip | 11.0
Graphics Display | Adobe | Adobe Flash Player | 9.0.28
Graphics Display | Adobe | Adobe Shockwave | 10.1.4.20
Media Player | Microsoft | Media Player | 10
Media Player | Apple | QuickTime | 7.1.6
Media Player | Real | RealOne Enterprise |
Office Productivity Suite | Microsoft | Office Professional | 2003* SP2
Email and Content Management (i.e., Email, Calendar, etc.) | Microsoft | Outlook /CRM | 2003* SP3
PDF Viewer/Writer | Adobe | Acrobat Standard | 6.06
PDF Viewer/Writer | Adobe | Adobe Reader | 8.0
Security | Various | See Appendix B | n/a
* In FY2009 the Department will allow the purchase of, and will begin the migration to, MS Office Professional 2007.
Each Agency and Staff Office may add additional software, such as Microsoft Project, to the base standards when configuring their desktop and laptop software image to support their mission. Only those products that are needed by an agency to support the categorical function must be loaded. For example, not all workstations must have a copy of Adobe Acrobat Standard.
When implementing a thin-client workstation, the application software would, for the most part, be installed on the server infrastructure.
The OCIO will establish enterprise wide contracts for purchasing of workstation software associated with this appendix. In the event that the request is for software with the same functionality as software identified in this appendix, the agency is to request a deviation through the
Each Agency and Staff Office will maintain basic information, to include manufacturer name, software category, software title, software version, number of licenses, procurement source of software, and contract number, associated with all COTS workstation software, in order to track, manage and report on software licensing.
On an annual basis, each Agency and Staff Office will provide to the OCIO a listing of workstation software information for each software image in use within the organization for review and approval by the CIO. The date of the annual review, along with instructions on what information to provide and how to provide it, will be announced through a CIO memorandum.
Appendix D
End User Workstation Peripheral and Miscellaneous Standards
The following sections identify the Peripheral standards for USDA Desktops, Laptops, and Thin Clients. Use cases are defined for each printer type to guide users to the most appropriate peripheral choice, and guidance on recommended minimum technical specifications is defined for each printer type to ensure the sound value of all acquisitions and to set baselines useful in later enterprise-wide purchase contracts.
USDA has identified nine workstation printer types:
Printer Type | Platform
Standard Network Printer | Laser Printer
Enhanced Network Printer | Laser Printer
Multi-purpose Network Printer | Multi-function Laser Printer
Standard Desk-side Printer | Inkjet Printer
Standard Portable Printer | Inkjet Printer
Enhanced Desk-side Printer | Laser Printer
Multi-purpose Desk-side Printer | Multi-function Inkjet Printer
Small Format Plotter | Inkjet Plotter
Large Format Plotter | Inkjet Plotter
The standard network printer shall be deployed to USDA employees whenever feasible. Standard desk-side printers shall be deployed in those offices where employees do not have ready access to a central network printer or that are staffed by only a few employees with simple print requirements. The use of enhanced or multi-purpose printers should meet the use cases described for each printer type below. Generally, the ratio of total printers, to include both desk-side and network printers, to total employees and in-house contractor staff should be less than one to one.
The printer platform for the standard network printer is a mid-level laser printer. It provides high quality printer functionality to standard office workgroups in lieu of multiple desk-side printers. The standard network printer can support basic printing and publishing needs for quality, medium-volume black and white documents.
The following table contains guidance on minimum hardware specifications for a standard network printer:
Technology: | Laser
Function: | B&W printer
Memory: | 80 MB
Print Quality: | B&W 1200x1200 dpi
Print Speed: | Normal Quality: B&W 45 ppm
Media Sizes: | Letter, legal, statement, executive, envelopes (No commercial sizes)
Media Types: | Paper (brochure, inkjet, photo, plain, bond), envelopes, labels, cards (greeting, index), transparencies
Duplex Printing: | Standard
Paper Input Capacity: | 500 sheets or more
Monthly Duty Cycle: | Up to 100,000 pages
Network Interface: | 10/100 Mbps
The printer platform for the enhanced network printer is a mid-level or better laser printer that supports both black and white and color printing. Justifications for the purchase of the enhanced network printer are:
· Color printing is needed for business report generation or effective customer communications.
The following table contains guidance on minimum hardware specifications for an enhanced network printer:
Technology: | Laser
Function: | B&W and Color printer
Memory: | 160 MB
Print Quality: | B&W 600x600 dpi; Color 600x600 dpi
Print Speed: | Normal Quality: B&W 31 ppm; Color 31 ppm
Media Sizes: | Letter, legal, statement, executive, envelopes (No. 10, Monarch, DL), 3 x 5 to 8.5 x 14 in.
Media Types: | Paper (brochure, photo, plain, bond), envelopes, labels, cards (greeting, index), transparencies
Duplex Printing: | Standard
Paper Input Capacity: | 500 sheets or more
Monthly Duty Cycle: | Up to 100,000 pages
Network Interface: | 10/100 Mbps
The printer platform for the multi-purpose network printer is a mid-level, multi-function laser printer that provides multiple functions including printing, copying, color scanning, and faxing. The justification for the purchase of the multi-purpose network printer is:
· The printing, copying, scanning, and faxing functions are needed by the office and the multi-purpose network printer can meet these needs in a more cost-effective manner than the purchase of a separate printer, fax machine, and photocopier.
The following table contains guidance on minimum hardware specifications for a multi-purpose network printer:
Technology: | Laser
Function: | B&W printing, copying, color scanning, and faxing
Memory: | 256 MB
Print Quality: | B&W 1200x1200 dpi
Print Speed: | Normal Quality: B&W 45 ppm
Media Sizes: | Letter, legal, statement, executive, envelopes (No commercial sizes)
Media Types: | Paper (plain, bond), envelopes, labels, cards (greeting, index), transparencies
Duplex Printing: | Standard
Paper Input Capacity: | 150 sheets or more
Monthly Duty Cycle: | Up to 30,000 pages
Network Interface: | 10/100 Mbps
The printer platform for the standard desk-side printer is a mid-level ink jet printer. This printer can support basic printing needs for both black and white and color documents. The standard desk-side printer will be deployed to USDA employees when the use of a network printer is not feasible. Justifications for using a standard desk-side printer are:
· A network printer is not readily available and its use would negatively impact end user productivity;
· The end user must print sensitive or confidential documents that may be compromised if printed on a network printer; and/or
· The end-user is in a small office where the use of the standard desk-side printer meets their printing needs more economically than the standard network printer.
The following table contains guidance on minimum hardware specifications for a standard desk-side printer:
Technology: | Inkjet
Function: | B&W and Color printer
Memory: | 32 MB
Print Quality: | B&W 1200x1200 dpi; Color 4800x1200 dpi
Print Speed: | Normal Quality: B&W 16 ppm; Color 16 ppm
Media Sizes: | Letter, legal, statement, executive, envelopes (No. 10, Monarch, DL), cards (3 x 5 in, 4 x 6 in, 5 x 7 in, 5 x 8 in, 4 x 10 in, 4 x 11 in, 4 x 12 in, 8 x 10 in)
Media Types: | Paper (brochure, inkjet, photo, plain, bond), envelopes, labels, cards (greeting, index), transparencies
Duplex Printing: | Standard
Paper Input Capacity: | 80 sheets or more
Monthly Duty Cycle: | Up to 1,000 pages
The printer platform for the standard portable printer is a mid-level inkjet printer. This printer can support basic printing needs for both black and white and color documents. This printer is distinguished from the standard desk-side printer primarily by unit size and weight. The portable printer will be deployed to USDA employees who work primarily in the field, being mobile and/or working in non-office environments where larger printers are not practical, and the use of a network printer is not feasible. Justifications for using a standard portable printer are:
· Neither a standard desk-side printer nor a network printer is readily available, and the use of either would negatively impact end user productivity;
· The end user must print sensitive or confidential documents in an urgent timeframe, and cannot defer printing until they return to a USDA site with pre-installed printers;
· The end-user is in a small office or temporary office space where the permanent deployment of the standard desk-side printer is impractical; and/or
· The end user travels regularly as part of their assigned duties.
The following table contains guidance on minimum hardware specifications for a standard portable printer:
Technology: | Inkjet
Function: | B&W and Color printer
Memory: | 32 MB
Print Quality: | B&W 1200x1200 dpi; Color 4800x1200 dpi
Print Speed: | Normal Quality: B&W 16 ppm; Color 16 ppm
Media Sizes: | Letter, legal, statement, executive, envelopes (No. 10, Monarch, DL), cards (3 x 5 in, 4 x 6 in, 5 x 7 in, 5 x 8 in, 4 x 10 in, 4 x 11 in, 4 x 12 in, 8 x 10 in)
Media Types: | Paper (brochure, inkjet, photo, plain, bond), envelopes, labels, cards (greeting, index), transparencies
Duplex Printing: | Optional
Paper Input Capacity: | 30 sheets or more
Monthly Duty Cycle: | Up to 500 pages
Weight: | Less than 12 pounds
Power Supply: | AC, DC Optional (battery and/or auto adapter)
The printer platform for the enhanced desk-side printer is a mid-level black and white laser printer. Justifications for using an enhanced desk-side printer are:
· The end user(s) meets the justifications for the use of the standard desk-side printer, but needs to print laser-quality documents, large documents, and/or high volumes of documents.
The following table contains guidance on minimum hardware specifications for an enhanced desk-side printer:
Technology: | Laser
Function: | B&W printer
Memory: | 80 MB
Print Quality: | B&W 1200x1200 dpi
Print Speed: | Normal Quality: B&W 35 ppm
Media Sizes: | Letter, legal, statement, executive, envelopes (No. 10, Monarch, DL), cards (3 x 5 in, 4 x 6 in, 5 x 7 in, 5 x 8 in, 4 x 10 in, 4 x 11 in, 4 x 12 in, 8 x 10 in)
Media Types: | Paper (brochure, inkjet, photo, plain, bond), envelopes, labels, cards (greeting, index), transparencies
Duplex Printing: | Standard
Paper Input Capacity: | 500 sheets or more
Monthly Duty Cycle: | Up to 100,000 pages
The printer platform for the multi-purpose desk-side printer is a mid-level multi-function inkjet printer. Justifications for using a multi-purpose desk-side printer are:
· The end user(s) meets the justifications for the use of the standard desk-side printer, but is located in a small field office and needs the multi-purpose desk-side printer to support multiple functions including black and white or color printing, copying, scanning, and faxing.
The following table contains guidance on minimum hardware specifications for a multi-purpose desk-side printer:
Technology: | Inkjet
Function: | B&W or Color printing, copying, scanning, and faxing
Memory: | 64 MB
Print Quality: | B&W 1200x1200 dpi; Color 4800x1200 dpi
Print Speed: | Normal Quality: B&W 8.5 ppm; Color 5.3 ppm
Media Sizes: | Letter, legal, statement, executive, envelopes (No. 10, Monarch, DL), cards (3 x 5 in, 4 x 6 in, 5 x 7 in, 5 x 8 in, 4 x 10 in, 4 x 11 in, 4 x 12 in, 8 x 10 in)
Media Types: | Paper (brochure, inkjet, photo, plain, bond), envelopes, labels, cards (greeting, index), transparencies
Duplex Printing: | Standard
Paper Input Capacity: | 100 sheets or more
Monthly Duty Cycle: | Up to 50,000 pages
The small format plotter is usually connected to the office network in order to facilitate workgroup resource sharing. It provides high quality plotter functionality to standard office workgroups for small to medium size plotter output. This plotter uses either roll feed paper or individual sheets.
The following table contains guidance on minimum hardware specifications for a small format plotter:
Technology: | Inkjet
Function: | Color plotter
Memory: | 64 MB
Plotter Quality: | Color 2400 x 2400 dpi
Media Sizes: | Letter, legal, statement, executive, envelopes, 3 x 5 to 18 x 14 in. or Roll feed paper up to 24 in. with automatic paper cutter
Paper Input Capacity: | Up to 70 sheets (tray)
The large format plotter is usually connected to the office network in order to facilitate workgroup resource sharing. It provides high quality plotter functionality to standard office workgroups for medium to large size plotter output. This plotter uses either roll feed paper or individual sheets.
The following table contains guidance on minimum hardware specifications for a large format plotter:
Technology: | Inkjet
Function: | Color plotter
Memory: | 256 MB
Plotter Quality: | Color 2400 x 21200 dpi
Media Sizes: | Letter, legal, statement, executive single sheets or Maximum roll feed paper 44 in. x 300 ft. with automatic paper cutter
The OCIO will establish enterprise wide contracts for purchasing of desk-side and network printers. Until such time that the contracts are established and designated as the mandatory sources of supply, agencies should use existing acquisition approval procedures when purchasing printers.
The minimum hardware specifications for each workstation printer will be updated on an annual basis to represent available commercial technology in the marketplace. Deployed workstation printers based on prior year configurations will remain in service until the minimum refreshment period is met or the hardware fails to operate.
The following table identifies the refreshment standard for each printer type:
Printer Type | Minimum Refreshment Period | Average Annual Refreshment Rate Per Agency
Standard Network Printer | 5 Years | 20%
Enhanced Network Printer | 5 Years | 20%
Multi-purpose Network Printer | 3-5 Years | 33%
Standard Desk-side Printer | At hardware failure outside of warranty period | Not applicable
Standard Portable Printer | At hardware failure outside of warranty period | Not applicable
Enhanced Desk-side Printer | At hardware failure outside of warranty period | Not applicable
Multi-purpose Desk-side Printer | At hardware failure outside of warranty period | Not applicable
Small Format Plotter | 5 Years | 20%
Large Format Plotter | 5 Years | 20%
Appendix E
End User Workstation Conservation and Green Standards
1.0 End User Workstation Conservation and Green Standards
1.1 USDA Electronics Stewardship Plan (ESP)
The USDA Electronics Stewardship Plan (ESP) implements sound environmental practices for acquisition, operations and maintenance, and end-of-life disposal of electronic products. Executive Order 13423, "Strengthening Federal Environmental, Energy, and Transportation Management," requires that all Executive Agencies accomplish the following: acquire Electronic Product Environmental Assessment Tool (EPEAT)-registered electronics for 95% of purchases where the EPEAT standard is available; enable the Energy Star features on 100% of computers and monitors; establish and implement policies to extend the useful life of electronics; and use environmentally sound procedures for the disposition of electronics that have reached the end of their useful lives. This appendix will highlight the minimum compliance requirements.
The complete USDA Electronics Stewardship Plan (ESP) is available at: http://greening.usda.gov/elect_steward.htm.
1.1.1 Acquisition
USDA’s goal is to purchase 95 percent of its electronic products as Electronic Product Environmental Assessment Tool (EPEAT)-registered, for products that have EPEAT standards. EPEAT is an application that helps purchasers identify electronic products based on their environmental attributes. The EPEAT Product Registry lists electronic products according to three tiers of environmental performance: Bronze, Silver and Gold. USDA requires the purchase of Bronze-level products as a baseline, but encourages agencies and staff offices to procure EPEAT Silver-rated electronic products or higher if available. USDA will factor and consider EPEAT recommendations when making workstation acquisitions. All considerations being equal, the EPEAT-rated product will be purchased.
Information on EPEAT can be found at http://www.epeat.net/. Currently, EPEAT has registered only desktop computers, monitors, and laptops, under Standard IEEE 1680-2006 (
1.1.2 Operations and Maintenance
USDA’s goal will be to reduce its energy usage by enabling the Energy Star feature on 100% of computers and monitors, or to the maximum degree based on agency mission needs.
1.1.2.1 Windows XP and
To improve workstation energy consumption, USDA requires the following minimum energy saving settings for workstations, both desktops and laptops, except for those systems and computers that are exempt for mission-critical or security reasons:
· "Turn off monitor" set to 15 minutes or less (Monitor Power Management)
· "System Standby" ("Sleep") set to 30 minutes or less (Computer Power Management)
Automatic ‘push’ of operating system and application software updates and patches will be affected when the system goes into "system standby" or "sleep mode." The software updates and patches will be deferred until the next time the workstation is operational or "awake." If the deferred update or patch is implemented during working hours, then depending on the size and nature of the deferred update or patch, the workstation may not be as responsive as normal. Once the deferred updates are installed, the workstation may need to be restarted, after which system responsiveness should return to normal. Each support operation must validate that required updates and patches were successfully implemented.
Power management settings for Windows Vista are default settings, and do not require a special configuration. For Windows XP these settings must be adjusted if not already set.
Agencies and Staff Offices will take the appropriate steps to ensure these settings are preserved. Preferably, the user should not be granted administration rights to the Power Management settings. In the event that users have administration rights to these settings, the IT support organization must have the capability to remotely: (1) detect when Power Management settings do not comply with the standard and (2) change the Power Management settings to comply with the standard.
1.1.3 End-of-Life Management
USDA will continue to follow the Federal Management Regulation (FMR) and the Agriculture Property Management Regulation (AGPMR) for the donation, sale, and recycling of electronic equipment no longer needed by the Federal Government.
To manage electronics which have reached their useful end of life in an environmentally sound manner USDA will:
The FMR and AGPMR can be found at http://www.usda.gov/da/property/part10236.pdf.
2.0 Print Conservation and Green Standards
Because paper production consumes 10 times the energy of the printing process, actions that decrease the volume of paper printed will significantly reduce environmental impact.
To reduce energy and paper consumption, users are encouraged to: