The US federal government has launched a programme that will require federal agencies to insist on security standards from suppliers, a move that some argue will have a far-reaching impact on most large and medium-sized organisations buying PCs.
The government confirmed the move in a memo late last month and will roll the programme out in several stages during the course of this year. By 1 February of next year, all federal agencies will be required to use secure software configurations when they deploy Windows XP or Vista.
The scheme matters to the outside world because software suppliers who want to sell to the US government will have to certify that their equipment works on operating systems set up to work securely, said Alan Paller, director of research at the Sans Institute security research centre, in a recent memo.
Currently organisations never know if securely configuring Windows will break their applications. The new US government programme could make things simpler for IT managers by providing clearly understood standard security configurations that are backed up by the federal government's purchasing power, Paller said.
"It provides the incentive ($65bn/£33bn) in US government IT purchasing each year, and confidence (agreed upon configurations), to allow every software vendor to ensure and affirm the software they sell works on the secure configurations," he wrote. "That takes the pain out of secure configuration and rapid patching."
Paller said secure configurations could slow the spread of botnets, reduce patching delays and stop many attacks directly.
"This initiative will affect every medium and large buyer of computers running Windows software," Paller wrote.
Other industry observers have cautioned against considering secure configurations a panacea. Indeed, Microsoft's attempt to make Vista more secure by default has met with a rocky debut, with widespread criticisms of its implementation of User Account Control (UAC).
"These configurations were developed in collaboration with the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and Microsoft," wrote Karen Evans, administrator with the Office of E-Government and Information Technology, in the memo last month. "These same organisations recently established common security configurations for Microsoft Vista."
On 11 April federal chief information officers will be briefed by the Air Force, which has been piloting secure configurations. Later in the month the government will begin making securely configured images available.
The federal Office of Management and Budget (OMB) memo on the new programme is available from the White House's website.