
CIO Council Streamlines Configuration Baseline Process

May 6th, 2015

CIO Council

The Federal CIO Council has streamlined and reinvigorated a government-wide initiative to review and approve standard security and other configuration settings on IT products widely deployed across agencies. This process has been key in standardizing a shared approach to security and usability at agencies while also creating a more manageable desktop environment across the Federal Government.

The United States Government Configuration Baseline (USGCB) initiative provides a process for identifying and vetting, across the Executive Branch, uniform configurations for commonly used operating systems and applications. Originally started in 2007, this process now runs through the Information Security and Identity Management Committee (ISIMC) of the Council and is conducted in partnership with NIST.

In the few short months since ISIMC took over the governance of USGCB, it has updated configuration settings in current USGCB platforms (including Windows 7 and Windows Vista), reviewed a series of proposed settings, and prioritized a list of new baselines for existing platforms. These new baselines include Windows 8/8.1, IE 10, Windows Server 2012 (Domain Controller), Windows Server 2012 (Member Server), and Red Hat 6.

When new platforms are released (Windows 10, Mac OS, Red Hat 7, etc.), the Council will look to promote them to the front of the queue for USGCB baseline candidacy to keep pace with evolving technology trends. Until such time, the ISIMC will focus on approving new USGCB baselines for existing platforms.

As the authorizing body for the baselines, ISIMC will collaborate with stakeholders on issues such as security automation, checklists, and the Security Content Automation Protocol (SCAP), as well as coordinate with other related government security initiatives, such as the Continuous Diagnostics and Mitigation program, to continue to improve the efficiency of this process while creating a more unified approach to security across the government.