USGCB stands for “United States Government Configuration Baseline”. The USGCB is a Federal government-wide initiative that provides agencies with guidance on the configuration settings they should apply and maintain, focusing primarily on security. The USGCB baseline evolved from the Federal Desktop Core Configuration (FDCC) mandate, and provides security configuration baselines for Information Technology products widely deployed across the federal agencies.
Federal agencies may only deploy software that operates correctly on USGCB-configured systems and does not alter the baseline settings. Organizations trying to sell their software solutions to federal agencies must therefore ensure that their solution has been tested and verified in a USGCB-compliant environment.
So how can an organization ensure that its product is ready for a federal agency environment?
The environment must first be configured to the agreed baseline settings, and then validated using an approved compliance scanning tool, for example CIS-CAT, which runs a set of pre-defined tests and produces a report indicating the USGCB compliance level of that environment.
CIS-CAT stands for Center for Internet Security Configuration Assessment Tool. CIS-CAT is a Security Content Automation Protocol (SCAP) tool validated by NIST (the National Institute of Standards and Technology). It can be run on a single target machine or against a group of target machines to determine the compliance level of the target environment.
At 1E we have outlined a high-level approach to prove the USGCB compliance of 1E products should the need arise. The approach involves the following steps:
- Run the approved compliance scanning tool on the clean USGCB-compliant environment, before anything else is installed, and ensure that the reported compliance result is 100%. Keep this report as the baseline for later comparison.
- Install the product under test on the USGCB-compliant environment.
- Re-run the approved compliance scanning tool to confirm that none of the pre-defined security settings has been altered by the installed software. Any rule that passed in the baseline scan and no longer passes is a regression to investigate.
- Perform the product testing.
- Before testing is officially closed on a specific environment, re-run the approved compliance tool to prove that USGCB compliance is still valid and still 100%.
- The test reports and artefacts generated at every stage must be stored for audit purposes.
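A concrete way to automate the "scan, install, re-scan" comparison in the steps above, as an added example that is not 1E's own tooling: SCAP-validated scanners such as CIS-CAT emit their results as XCCDF result documents, so the baseline report and the post-install report can be diffed rule by rule rather than eyeballing two percentages. The two XML documents below are constructed samples (the benchmark and rule identifiers are made up), and the score treats `pass` as compliant, `fail`/`error`/`unknown` as non-compliant, and `notapplicable`/`notselected`/`informational`/`notchecked` as out of scope, which is an assumption about how the scanner's own percentage is calculated.

```python
"""Compare a baseline compliance scan with a post-install re-scan.

Added example, not 1E's code. Assumes XCCDF 1.2 result documents as produced
by SCAP-validated scanners (e.g. CIS-CAT). Both XML strings are constructed
sample inputs, not real scan output.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: the baseline scan of the clean environment, all rules pass.
BASELINE_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_usgcb">
  <TestResult id="xccdf_example_testresult_baseline">
    <rule-result idref="xccdf_example_rule_password_length"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_logon"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewall_on"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_informational"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Constructed sample: the re-scan after installing the product; one rule regressed.
POST_INSTALL_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_usgcb">
  <TestResult id="xccdf_example_testresult_post_install">
    <rule-result idref="xccdf_example_rule_password_length"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_logon"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewall_on"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_informational"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Assumption: these result values count against the score; notapplicable,
# notselected, informational and notchecked are excluded from the denominator.
SCORED_NEGATIVE = {"fail", "error", "unknown"}


def parse_results(xml_text):
    """Map each rule-result idref to its result string (pass, fail, ...)."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        text = res.text.strip() if res is not None and res.text else "unknown"
        results[rr.get("idref")] = text
    return results


def compliance_percent(results):
    """Percentage of scored rules that pass (0.0 when nothing is scored)."""
    passed = sum(1 for r in results.values() if r == "pass")
    scored = sum(1 for r in results.values() if r == "pass" or r in SCORED_NEGATIVE)
    return 100.0 * passed / scored if scored else 0.0


def regressions(before, after):
    """Rules that passed before and no longer pass (or vanished from the scan)."""
    return {
        rule: (state, after.get(rule, "missing"))
        for rule, state in before.items()
        if state == "pass" and after.get(rule) != "pass"
    }


def gate(before_xml, after_xml):
    """Audit-friendly summary: baseline must be 100% and nothing may regress."""
    before = parse_results(before_xml)
    after = parse_results(after_xml)
    regs = regressions(before, after)
    return {
        "baseline_percent": compliance_percent(before),
        "after_percent": compliance_percent(after),
        "regressions": regs,
        "ok": compliance_percent(before) == 100.0 and not regs,
    }


if __name__ == "__main__":
    report = gate(BASELINE_XML, POST_INSTALL_XML)
    print(f"baseline: {report['baseline_percent']:.1f}%  after: {report['after_percent']:.1f}%")
    for rule, (was, now) in report["regressions"].items():
        print(f"REGRESSION {rule}: {was} -> {now}")
    print("PASS" if report["ok"] else "FAIL")
```

Run the same comparison twice: once between the baseline report and the post-install report, and once between the baseline and the final report taken before closing the test. Storing the three XML files alongside the printed summary gives the auditor both the raw evidence and the rule-level explanation of any change.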
This would prove that the tested 1E product works as expected in the compliant environment and none of the USGCB recommended security settings were altered/manipulated during the process of installation or testing.
This approach is simple, but the execution may be far more complex. Getting a product to work as expected in a USGCB environment may need special configurations (and possible limitations) to be identified and documented, and may even result in subsequent product changes being required, which of course would complicate things.