[LINK] $65bn for a Vista SOE!

Fri Mar 30 12:10:02 AEST 2007

Greetings All,

A change of pace with another round of exciting USA news..

http://www.theregister.co.uk/2007/03/22/us_common_security_config/

It looks like the USA is making a stand and dictating how and which
vendors can deal with them.

The old saying of "Put up or Shut up" comes to mind.

Shame that it has to be initiated around M$ Vista... and for what looks
like a $65bn SOE!

Another interesting point is the reference back to Common Criteria.

Isn't this why Common Criteria was initiated?

Regards,

Martin Collett | Strategic Technology Architect | Shared Information
Solutions 
P:    (07) 303 30142
M:   (0419) 554 558
E:    Martin.Collett at qld.gov.au <mailto:Martin.Collett at qld.gov.au>  

<snip> 

Feds mandate 'secure' Windows set-up

Changes in US government purchasing policies due to come into effect
this summer could have a huge effect on computer security, particularly
for Windows desktops.

A White House directive to federal chief information officers issued
this week calls for all new Windows PC acquisitions, beginning 30 June,
to use a common "secure configuration". Applications (such as
anti-virus, email etc) loaded onto systems remain flexible but what will
be specified in the registry settings and which services would be turned
on or off by default

Even more importantly, the directive calls for suppliers (integrators
and software vendors) to certify that the products they supply operate
effectively using these more secure configurations.

The federal government scheme builds on the "comply or don't connect"
program of the US Air Force. The principal targets are Windows XP and
Vista client systems but the same ideas might be applied in Unix and
Windows Servers environments over time. The schedule for introduction
gives application developers building applications for Windows Vista to
test against. The incentives for developers to get this right will be
huge.

"No Vista application will be able to be sold to federal agencies if the
application does not run on the secure version of Vista," explained Alan
Paller, director of research at The SANS Institute. "XP application
vendors will also be required to certify that their applications run on
the secure configuration of Windows XP.

Common, secure configurations reduce the effort required to patch
systems. Such configurations directly block certain modes of attack.
Improved security is likely to save money for application developers and
integrators because it reduces support costs in the long-run, Paller
told El Reg. "Organizations that have made the move report that it
actually saves money rather than costs money."

"The principal frustration has been you can't always patch systems
quickly because they might break applications. Software developers point
out that they can't test against every different configuration as user
might have. From summer developers will be able to make sure their
patches work on more securely configured systems, reducing the patching
headache and saving costs," he explained.

The purchasing power attached to the $65bn federal IT spending budget
means that suppliers will have no choice but to take notice. Paller said
the scheme is likely to be adopted by large organisations outside
government.

Kit purchased by governments needs to meet common criteria standards and
this will remain the case even after the new programme kicks off in the
summer. Paller said that common criteria is a measure of the design
documentation of products. "This, on the other hand, specifies that the
kit will be set up in the right way. The two approaches are
complementary but different," he added.

********************************* DISCLAIMER *********************************
The information contained in the above e-mail message or messages (which includes any attachments) is confidential and may be legally privileged.  It is intended only for the use of the person or entity to which it is addressed.  If you are not the addressee any form of disclosure, copying, modification, distribution or any action taken or omitted in reliance on the information is unauthorised.  Opinions contained in the message(s) do not necessarily reflect the opinions of the Queensland Government and its authorities.  If you received this communication in error, please notify the sender immediately and delete it from your computer system network.