Both industry and government IT providers must use SCAP-validated tools with FDCC Scanner capability to certify that their products operate correctly with FDCC configurations and do not alter FDCC settings, according to OMB memo M-08-22.
The memo said agencies will use SCAP tools to scan for both FDCC configurations and configuration deviations approved by the department or agency accrediting authority.
Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring.
SCAP-validated tools enable centralized authorship, quality assurance and publication of a definitive security configuration in the form of a SCAP Checklist.
Federal CIOs must ensure that government application providers self-assert that currently supported versions of applications operate correctly on Federal Windows XP and Windows Vista computer systems configured with FDCC and do not change FDCC settings, according to the memo.