Federal Mandate for Deploying Secure Windows Operating Systems

Mar 25, 2007 | 3 mins
Business Continuity, Data and Information Security

It’s finally here. After years of discussions and recommendations, we now have a federal mandate to deploy secure configurations for the Microsoft Windows Vista and Windows XP operating systems.

A March 22, 2007 memo issued by the Executive Office of the President mandates deployment of secure operating systems across the federal government. An earlier memo on the same topic was sent by Karen Evans to federal CIOs.

According to Allan Paller from SANS, “this initiative matters because it provides the incentive ($65 billion in US government IT purchasing each year) and confidence (agreed upon configurations) to allow every software vendor to ensure and affirm the software they sell works on the secure configurations.”

Plenty of people are already blogging about these implications. One thread can be found at Slashdot, but I thought I’d throw in my perspective here.

NSA, NIST, SANS and others have been urging common secure configurations for software, including operating systems and applications, for years. There have even been many websites and training courses dedicated to this purpose. A Google search on “secure operating system websites” yields almost 3.7 million pages.

Other large Internet-focused companies, such as Cisco, also offer secure solutions for government. For example, there is the Cisco “Secure Wireless Architectures for Federal Agencies.”

There are plenty of other similar examples to point to, but I think the most important takeaway is to ensure that we are deploying secure configurations on all our infrastructure products. It never ceases to amaze me how vendors want to sell governments new products rather than secure the ones they’ve already sold us. While many of these products are needed, some new products might not even be required if the vendors’ existing products had shipped secure.

Like Allan Paller, I think that this new mandate will have a significant impact on the overall security market. Everyone will now demand the secure configurations, including state and local government. Remember that over 60% of state IT spending comes from federal dollars, so states may be obliged to use the same configurations. Even if that isn’t the case, state and local governments should go in that direction anyway, since it makes sense and the configurations will be available.

We now have a great opportunity. All government IT shops should now get that same wording into all new contracts. The Microsoft OS mandate is a good start, but we also need the secure configs from our other vendors – mandate or not.


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.