Industries / Government

Product Compliance with the Federal Desktop Core Configuration (FDCC)

Effective Sept. 15, 2010, the US Government Configuration Baseline (USGCB) joined the Federal Desktop Core Configuration (FDCC) as the security configuration baseline for information technology products deployed across the federal agencies.

Evolving from the FDCC, the USGCB is designed to replace the FDCC and expands the baseline configuration guidelines to Windows 7, Windows 7 Firewall and Internet Explorer 8. Use of the FDCC checklists for Windows XP, Windows Vista, Windows XP Firewall, Windows Vista Firewall and Internet Explorer 7 remains in effect until the USGCB checklists are produced for those platforms.

The USGCB is designed to provide a single, standard, enterprisewide, managed environment for PC desktops and laptops running Windows 7.

As a vendor of desktop software products to the US Federal Government, SAS has evaluated SAS' applicable* desktop software products on the SAS® 9.1.3 SP4, SAS 9.2 and SAS 9.3 platforms for use with the Microsoft® Windows operating system (“Desktop Software”) for conformance to the FDCC/USGCB security configurations developed and issued by the National Institute of Standards and Technology (NIST) for Windows 7 and Windows XP VHDs.  NIST issues these configuration guidelines in response to US Office of Management and Budget Memorandum M-07-18 dated June 1, 2007, on the subject of Ensuring New Acquisitions Include Common Security Configurations.

Based on testing with a Security Content Automation Protocol (SCAP)-validated product, SAS verified that our Desktop Software operates in substantial conformance with SAS' current user documentation for such Desktop Software on desktop machines running Windows 7 and Windows XP operating systems (each a "Standardized FDCC/USGCB Desktop"), and runs on the Standardized FDCC/USGCB Desktop substantially in accordance with the FDCC/USGCB guidelines, provided that the Standardized FDCC/USGCB Desktop has been properly configured to implement the FDCC/USGCB guidelines. Our product-by-product testing continues to verify:

  • Customers' normal end users will not require elevated system administration privileges to run Desktop Software on a Standardized FDCC Desktop, where normal end users are indicated in SAS' current user documentation for such Desktop Software.
  • Standard installation, operation, maintenance, update and/or patching of such Desktop Software in accordance with SAS' current user documentation for such Desktop Software will not materially alter the Standard FDCC Desktop settings from the FDCC guidelines.

SAS has incorporated FDCC/USGCB validation testing into our due diligence process for products marketed to the US Federal Government. As NIST releases updated versions of the VHDs, SAS will incorporate the latest security checks into our validation testing.
For additional information, please contact fdcc.sas@sas.com.

 

*See Attachment A hereto for a list of SAS desktop software products that were not evaluated under FDCC Guidelines.

NOTICE: This information is provided by SAS Institute Inc. for information purposes only and may be changed by SAS at any time without notice. SAS makes no representations of warranties concerning this information. SAS' only warranty or other obligations to Customer with respect to a SAS product shall be as set forth in any applicable licensing documents. SAS and all other SAS Institute Inc. product and service names are registered trademarks or registered trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are registered trademarks or trademarks of their respective companies.

12OCT2011

Attachment A

SAS opted not to test the following desktop software products either because the product is legacy software not offered on/for the SAS 9.2 or SAS 9.3 platforms, the product transparently provides functionality available to the desktop user, or the product is not used on federal desktops.

  • SAS® AppDev Studio™
  • SAS® Data Surveyor for Oracle Applications
  • SAS® Data Surveyor for PeopleSoft
  • Design Time Controls
  • SAS® Drug Development
  • Enterprise Reporter® software (Businessview)
  • SAS/ACCESS® Interface to BAAN
  • SAS/ACCESS® Interface to NCR's Teradata D
  • SAS/ACCESS® Interface to ODBC
  • SAS/ACCESS® Interface to Oracle Rdb
  • SAS/ACCESS® Interface to SAP BW
  • SAS/ACCESS® Interface to SYSTEM 2000
  • SAS/ACCESS® Interface to ADABAS
  • SAS/ACCESS® Interface to DATACOM/DB
  • SAS/ACCESS® Interface to DB2
  • SAS/ACCESS® Interface to CA IDMS™
  • SAS/ACCESS® Interface to IMS
  • SAS/ACCESS® Interface to INFORMIX
  • SAS/ACCESS® Interface to CA-Open INGRES
  • SAS/ACCESS® Interface to ORACLE
  • SAS/ACCESS® Interface to PC Files
  • SAS/ACCESS® Interface to R3
  • SAS/ACCESS® Interface to SYBASE
  • SAS/ACCESS® Interface to OLE DB
  • SAS/CALC®
  • SAS® Web OLAP Viewer for .NET (on SAS 9.1.3 SP4, not available on SAS 9.2/SAS 9.3)
  • SAS® Simulation Studio
  • Locale Setup Manager
  • SAS® Migration Utility
  • SAS® In-Database for Teradata
  • SAS® Online Doc® for the Web
  • SAS® Online Doc® for Windows
  • SAS® Risk Reporting Repository

12OCT2011