It’s finally here. After years of discussions and recommendations, we now have a federal mandate to deploy secure configurations for the Microsoft Windows Vista and Windows XP operating systems. A March 22, 2007 memo issued by the Executive Office of the President mandates deployment of secure operating systems for the federal government. An earlier memo on the same topic was sent by Karen Evans to federal CIOs.

According to Alan Paller of SANS, “this initiative matters because it provides the incentive ($65 billion in US government IT purchasing each year) and confidence (agreed upon configurations) to allow every software vendor to ensure and affirm the software they sell works on the secure configurations.” Plenty of people are already blogging about the implications. One thread can be found at Slashdot, but I thought I’d add my perspective here.

NSA, NIST, SANS and others have been urging common secure configurations for software, including operating systems and applications, for years. Many websites and training courses have been dedicated to this purpose; a Google search on “secure operating system websites” yields almost 3.7 million pages. Other large Internet-focused companies, such as Cisco, also offer secure solutions for government, for example the Cisco “Secure Wireless Architectures for Federal Agencies.” There are plenty of other similar examples to point to, but I think the most important takeaway is to ensure that we are deploying secure configurations on all our infrastructure products.

It never ceases to amaze me how vendors want to sell governments new products rather than secure the ones they have already sold us. While many of these products are needed, some new products might not even be required if the vendors’ existing products had shipped secure. Like Alan Paller, I think this new mandate will have a significant impact on the overall security market.
Everyone will now demand the secure configurations, including state and local government. Remember that over 60% of state IT spending comes from federal dollars, so states may be obliged to use the same configurations. Even if that isn’t the case, state and local governments should go in that direction anyway, since it makes sense and the configurations will be available.

We now have a great opportunity. All government IT shops should now get that same secure-configuration wording into all new contracts. The Microsoft OS mandate is a good start, but we also need secure configurations from our other vendors, mandate or not.