The Federal Desktop Core Configuration (FDCC) is an Office of Management and Budget (OMB) mandated security configuration set applicable within United States Federal Government agencies. Private enterprises may also choose to utilize this established framework as a foundation for their own security configuration baselines. These FDCC guidelines were developed at the United States National Institute of Standards and Technology (NIST), based on collaborative work with the Department of Homeland Security (DHS), Defense Information Security Agency (DISA), National Security Agency (NSA), United States Air Force (USAF) and Microsoft.
The FDCC XML checklists detail security concerns identified by Common Vulnerability Enumeration (CVE), which may be resolved by patching, and those specified by Common Configuration Enumeration (CCE), which may be resolved by configuration setting. The FDCC specific configuration requirements are generally based on the "Principle of Least Privilege" restricting user and machine rights. In addition to the operating system coverage, the FDCC configuration standards extend to Windows Internet Explorer, Windows Firewall and Windows Defender. These specific applications, however, are not explicitly required. If these applications are not utilized, the guidance is that the FDCC settings be leveraged and equivalently extended to the alternative applications.
The FDCC v1.2.1.0 configuration guidance may be grouped into several categories, each addressing a different area of security. This whitepaper highlights these high level categories and a representative set of configuration items.
Oracle Research Library
