About QualysGuard FDCC
The QualysGuard® FDCC service is the first certified cloud-based solution for FDCC compliance. FDCC and USGCB require federal agencies to standardize the configuration of desktop computer systems to strengthen IT security. The QualysGuard® FDCC service allows federal agencies to scan for and report compliance with the FDCC and USGCB requirements through a centralized, integrated solution built on the QualysGuard Software-as-a-Service (SaaS) architecture. QualysGuard Scanner Appliances support FDCC and USGCB scanning of internal systems on a global scale.
The QualysGuard® FDCC service is validated under the NIST SCAP Validation Program as conforming to SCAP and its component standards. The QualysGuard® FDCC service supports the following SCAP content:
- Windows XP
- Windows XP Firewall
- Windows Vista
- Windows Vista Firewall
- Windows 7
- Windows 7 Firewall
- Internet Explorer 7
- Internet Explorer 8
In March 2007, the Office of Management and Budget (OMB) Memorandum M-07-11, "Implementation of Commonly Accepted Security Configurations for Windows Operating Systems," directed agencies that had Windows XP deployed and/or planned to upgrade to the Windows Vista operating system to adopt the Federal Desktop Core Configuration (FDCC) security configurations. On June 20, 2008, the National Institute of Standards and Technology (NIST) published the updated FDCC Major Version 1.0 settings release. FDCC consists of settings that can be checked using the updated Security Content Automation Protocol (SCAP) content and SCAP-validated tools with the FDCC Scanner capability, as specified by NIST.
In May 2010, the Architecture and Infrastructure Committee of the CIO Council announced the United States Government Configuration Baseline (USGCB) settings for Windows 7 and Internet Explorer 8. The USGCB is a further clarification of the Federal Desktop Core Configuration (FDCC); specifically, the USGCB initiative falls within FDCC and forms the configuration settings component of FDCC.
Both industry and government information technology providers must use SCAP-validated tools with the FDCC Scanner capability to certify that their products operate correctly with FDCC configurations and do not alter FDCC settings. Agencies use SCAP tools to scan for the FDCC and USGCB configurations and for deviations from them that the department or agency accrediting authority has approved. Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring.
Standardize, Validate, and Certify Federal IT Security
Federal IT security groups are under constant pressure to standardize and certify their existing Windows XP and Windows Vista desktops against the FDCC requirements and their Windows 7 desktops against the USGCB requirements. In addition, many agencies lack the resources to manage the FDCC and USGCB requirements.
Using QualysGuard® FDCC, an agency can reduce the resources required to validate and certify the Federal Desktop Core Configuration requirements. The QualysGuard FDCC service provides an efficient, automated workflow that allows Federal IT security professionals to:
- Import or upload FDCC and USGCB checklists using published SCAP content.
- Provide proof that the FDCC and USGCB requirements have been operationalized.
- Certify compliance with FDCC requirements.
The QualysGuard FDCC service extends the global scanning capabilities of QualysGuard Policy Compliance to collect configuration data from assets within the enterprise and evaluate it against the published SCAP content, in order to validate and certify the FDCC requirements.
Features of QualysGuard FDCC Service
FDCC Policy
Import FDCC and USGCB Checklists from Controls Library
QualysGuard maintains a "policy" library of FDCC and USGCB checklists. This library is updated continually as the National Institute of Standards and Technology (NIST) adds and revises checklists. The QualysGuard FDCC service supports FDCC checklists for the following technologies:
- Windows XP
- Windows XP Firewall
- Windows Vista
- Windows Vista Firewall
- Windows 7
- Windows 7 Firewall
- Internet Explorer 7
- Internet Explorer 8
FDCC Policy
Create Custom FDCC and USGCB Checklists
The QualysGuard FDCC service allows users to create user-defined FDCC and USGCB checklists by uploading a custom SCAP content file, that is, an XCCDF benchmark together with the OVAL definitions its rule checks reference.
FDCC Scan
Automate Detection of Checklist Violations
QualysGuard's external and internal scanners safely and accurately measure compliance against the technical controls specified in your policies. Scans can be set up to run automatically, or on demand whenever new network devices are introduced or configurations are updated. Automated FDCC scanning uses the same QualysGuard infrastructure used for vulnerability and policy compliance scanning. Because FDCC and USGCB rules are checked by reading registry values, local policy and file settings on the target, the scanner needs administrative credentials for each host; an unauthenticated scan cannot assess these rules.
FDCC Scorecard
Measure and Document Compliance with Detailed Reports
Intuitive and easy-to-read reports provide detailed technical analysis of compliance, executive-level summaries, and certification reports. Customize your own reports, or use the following template based and interactive reports:
- Scorecard Report provides the full compliance status against a specific FDCC or USGCB policy.
- Individual Host Report identifies the compliance status of a specific host.
- Rule Pass/Fail Report lists each rule in the policy with its pass or fail result.
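The checklist import, custom SCAP content and pass/fail reporting described above all rest on the same mechanics: an XCCDF benchmark selects rules through a profile, each rule points at an OVAL definition, and the scanner evaluates that definition against configuration data collected from the host. The following example is added here to illustrate those mechanics; it is not Qualys code and does not use real FDCC or USGCB identifiers. The benchmark, the registry paths, the OVAL definition IDs and the host registry snapshot are all constructed for the example, and the OVAL definitions are reduced to simple "registry value equals expected" checks. A host for which no data could be collected (for example, because credentials failed) is reported as an error rather than as compliant.

```python
"""Evaluate a small XCCDF-style checklist against a host configuration snapshot."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed XCCDF benchmark. Rule and OVAL definition IDs are hypothetical.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-desktop-baseline">
  <Profile id="desktop-profile">
    <select idref="rule-no-autorun" selected="true"/>
    <select idref="rule-firewall-on" selected="true"/>
    <select idref="rule-screensaver-timeout" selected="false"/>
  </Profile>
  <Rule id="rule-no-autorun" severity="medium">
    <title>Turn off Autoplay on all drives</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="checks.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-firewall-on" severity="high">
    <title>Windows Firewall: protect all network connections</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="checks.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
  <Rule id="rule-screensaver-timeout" severity="low">
    <title>Screen saver timeout is 900 seconds</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="checks.xml" name="oval:example:def:3"/>
    </check>
  </Rule>
</Benchmark>"""

# Stand-in for the OVAL definitions the <check-content-ref> elements point to:
# definition id -> (registry key, value name, expected value). Constructed.
OVAL_DEFINITIONS = {
    "oval:example:def:1": (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
                           "NoDriveTypeAutoRun", 255),
    "oval:example:def:2": (r"HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile",
                           "EnableFirewall", 1),
    "oval:example:def:3": (r"HKCU\Control Panel\Desktop", "ScreenSaveTimeOut", "900"),
}

# Constructed registry snapshot, as a credentialed scan would collect it.
SAMPLE_HOST = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {"NoDriveTypeAutoRun": 255},
    r"HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile": {"EnableFirewall": 0},
    r"HKCU\Control Panel\Desktop": {"ScreenSaveTimeOut": "600"},
}


def parse_benchmark(xml_text, profile_id):
    """Return (rules, selected): rules maps rule id -> (title, OVAL definition id);
    selected is the set of rule ids in effect after the profile's select elements
    override each rule's own 'selected' attribute (which XCCDF defaults to true)."""
    root = ET.fromstring(xml_text)
    rules, selected = {}, set()
    for rule in root.findall("x:Rule", NS):
        rule_id = rule.get("id")
        title = rule.findtext("x:title", default="", namespaces=NS)
        ref = rule.find("x:check/x:check-content-ref", NS)
        rules[rule_id] = (title, ref.get("name") if ref is not None else None)
        if rule.get("selected", "true") == "true":
            selected.add(rule_id)
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise ValueError(f"profile {profile_id!r} not found in benchmark")
    for sel in profile.findall("x:select", NS):
        (selected.add if sel.get("selected") == "true" else selected.discard)(sel.get("idref"))
    return rules, selected


def evaluate_definition(def_id, host):
    """Evaluate one stand-in OVAL definition. 'error' means the host data could not
    answer the check (nothing collected); a missing key or value is a real 'fail',
    since an unconfigured policy setting is non-compliant."""
    if host is None or def_id not in OVAL_DEFINITIONS:
        return "error"
    key, name, expected = OVAL_DEFINITIONS[def_id]
    return "pass" if host.get(key, {}).get(name) == expected else "fail"


def score_host(xml_text, host, profile_id):
    """Produce per-rule results plus an unweighted score: the percentage of selected
    rules that pass. Unselected rules are reported but excluded from the score;
    errors count against the score, never as passes."""
    rules, selected = parse_benchmark(xml_text, profile_id)
    results = {rid: (evaluate_definition(def_id, host) if rid in selected else "notselected")
               for rid, (_title, def_id) in rules.items()}
    scored = [r for r in results.values() if r != "notselected"]
    passed = scored.count("pass")
    score = 100.0 * passed / len(scored) if scored else 0.0
    return {"results": results, "passed": passed, "selected": len(scored), "score": score}


if __name__ == "__main__":
    report = score_host(BENCHMARK_XML, SAMPLE_HOST, "desktop-profile")
    for rule_id, result in report["results"].items():
        print(f"{result:12} {rule_id}")
    print(f"score: {report['score']:.1f}% ({report['passed']}/{report['selected']} selected rules pass)")
```

For the constructed host the autorun rule passes, the firewall rule fails, the screen-saver rule is reported as not selected, and the score is 50%. Passing `None` as the host, which models a host the scanner could not authenticate to, yields "error" for every selected rule and a score of 0, which is the behaviour an auditor should expect: missing data is never evidence of compliance.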
Benefits of QualysGuard FDCC Service
- A trusted third party that yields reliable data. Because all host compliance data and policies are stored by QualysGuard, outside the systems of the teams whose compliance they document, and cannot be altered by those teams, auditors can trust the integrity and accuracy of the information and of the resulting QualysGuard reports.
- Deployment and scalability are extremely important when diverse security and compliance teams are scattered across the globe. SaaS is well suited to geographically dispersed teams that may be responsible for security and compliance for the entire enterprise or for only one small part of it. Scheduled compliance scans can be run against specific parts of the enterprise at specific times, allowing continuous scanning for security and compliance issues. SaaS removes scalability as a total cost of ownership (TCO) concern.
- Agentless scanning speeds deployment and costs less to manage over time. Remediating configuration issues is not complicated by also having to remediate problems with the software agents that collect configuration data, and hosts with malfunctioning agents cannot be reported as compliant. Agentless scanning does still require a scanner appliance with network reach to the hosts and administrative credentials for them.
- The subscription-based SaaS model lets the customer control the security and compliance solution without the sunk costs associated with purchasing, licensing and supporting software-based products. The entire service is priced per host and there are no hidden costs. This is in stark contrast to solutions that comprise a management console, data collection agents, databases, add-on modules for compliance reporting and, in some cases, a separate product that manages selected compliance policies. Simplified deployment, a reliable gold standard of reporting, and lower overall TCO are the primary benefits of the subscription-based SaaS approach.
- Role-based access to data is critical in an organization made up of IT teams that each have a role to play in the security and compliance process. The roles of all the security and compliance teams, namely IT operations, security and vulnerability management, internal audit and configuration management, need to be supported.