FDCC Compliance – What is the “Or Else”?

We are fast approaching another “line in the sand” date for FDCC compliance, but there is much to be done before we reach a state of mass adoption. On March 31, agencies are required to submit to NIST and OMB a technical report on the status of their implementations. But like many other deadlines in the FDCC timeline, this one will pass with a large number of agencies either in progress or still squarely at the starting line with their FDCC initiatives.

The problem is certainly not a technical one, as there are many validated tools that can help with the process. Triumfant was one of the first vendors to offer a NIST SCAP-validated FDCC scanning tool, and we remain one of a very few tools that can deliver automated misconfiguration remediation according to NIST. Enforcing the FDCC policies is a relatively simple task for our solution, as these policies touch a very small percentage of the 200K+ attributes that we scan on a daily basis. The policies are not inherently complex, nor do they pose a significant technical challenge to enforce. In fact, they represent common endpoint security policies that we often see in security configuration management.

But there is something lacking that seems a bit more obvious to me: the “or else”. As a father of two teenage boys, I can assure you that I have a firm grasp of the “or else” component of successful policy enforcement. So just what is the “or else” for those agencies that miss the deadline? The answer, or lack thereof, may be the real reason why many agencies will wave politely from the sideline as another deadline passes them by.