What is to be reported on 31 March 2008?
What are the operational environments/system roles?
What is the sample size?
What is the format of the report?
Why must we also submit the spreadsheet report? Aren’t the SCAP XCCDF reports sufficient?
What is the format of the SCAP XCCDF document?
How is the report generated and what tool should be used?
What is the format of the FDCC Reporting spreadsheet?
How should the XCCDF report documents and spreadsheet be submitted?
Who generates the report and who submits the report?
Who should receive the report?
How should I submit this report?
How do I receive my credentials for the NIST submission website?
Who will NIST contact at each Agency?
When can I expect to receive my logon credentials
What is the password to unlock the FDCC Reporting spreadsheet?
Who should I contact with questions related to FDCC reporting?
1. What is reported?
Computer counts, SCAP XCCDF reports, and FDCC deviations for each operational environment/system role present within the Agency.
2. What are the operational environments/system roles?
The possible operational environments are:
- Centrally Managed General Purpose Desktop - The desktop systems run end-user productivity applications
(e.g., email clients, word processors). The desktop systems are joined to a native Windows active directory
environment where the policy is managed through GPOs.
- Centrally Managed General Purpose Laptop - The laptop systems run end-user productivity applications
(e.g., email clients, word processors). The laptop systems are joined to a native Windows active directory
environment where the policy is managed through GPOs.
- Development System - The systems are used to perform development-related tasks.
- Special Use System - The systems perform a special task that does not fit into any of the above
categories (e.g., laboratory/research systems, kiosk systems, SCADA systems).
- Other - The systems cannot be grouped into any of the above categories. This includes desktops
and laptops that are not centrally managed. If this choice is selected, a detailed description must be
provided in the "Environment Description" column of the spreadsheet.
3. What is the sample size?
A single representative computer for each combination of environment/system role and FDCC operating system.
Each computer may have as many as 3 SCAP XCCDF reports, because SCAP Content was previously provided for Microsoft
Windows XP, Windows Vista, Windows XP Firewall, Windows Vista Firewall, and Internet Explorer 7.0. This means Agencies
could have anywhere from 0 to 30 SCAP XCCDF reports to submit, depending on the extent to which they have implemented the
operating systems, and in which environments/system roles they have implemented the operating systems.
For example, an Agency which has implemented Microsoft Windows XP but not Microsoft Windows Vista, has elected to use a
different desktop firewall than Microsoft Windows XP Firewall, and has implemented Microsoft Windows XP in four of the five
environments/roles would submit eight separate SCAP XCCDF reports for four different computers. The math is as follows: One FDCC
operating system (Windows XP), times 2 different SCAP Checklists (the Windows XP and Internet Explorer 7.0 checklists, Windows XP Firewall
checklist is excluded), times four different operating environments/roles, equals eight separate SCAP XCCDF Reports, representing four computers
(one computer in each of the four applicable operating environments/roles).
4. What is the format of the report?
There are two distinct portions of FDCC compliance reporting. The first portion is an SCAP XCCDF results document
for each environment/system role and FDCC operating system combination present within an Agency. The second portion
is a spreadsheet that provides a high level summary of every environment/system role present within the Agency. This
spreadsheet summarizes the data collected in the SCAP XCCDF report documents. Each environment/system role listed within
the spreadsheet must reference the corresponding SCAP XCCDF document.
5. Why must we also submit the spreadsheet report? Aren’t the SCAP XCCDF reports sufficient?
The spreadsheet tracks environment/system roles, computer counts, and intention with regard to resolving deviations.
SCAP XCCDF reports provide an artifact of the summary data and enable automated trending across Federal Agencies.
6. What is the format of the SCAP XCCDF document?
The specification describing the SCAP XCCDF reporting format can be found at
Agencies must submit an XCCDF report document for each operational environment/system role present within the Agency.
7. How is the report generated and what tool should be used?
The “how” varies with each assessment team and assessment tool being used. Per
OMB’s July 31st memo,
only SCAP Validated software with “FDCC Scanner” Capability may be used. There are several SCAP Validated tools
to choose from; a complete list of tools can be found at the SCAP Validated Tools page within NVD.
8. What is the format of the FDCC Reporting spreadsheet?
The FDCC Reporting spreadsheet can be found at http://nvd.nist.gov/fdcc/fdcc_reporting.cfm. Agencies should
only enter data into the “Results” tab of the workbook. All other tabs of the workbook are locked and are meant
to serve as a reference; the “Cover Sheet” tab provides a description of each tab in the workbook.
9. How should the XCCDF report documents and spreadsheet be submitted?
All XCCDF report documents and the spreadsheet must be submitted in a compressed ZIP file.
All files should be located in the root directory of the ZIP file; there should be no sub folders present within the ZIP file.
10. Who generates the report and who submits the report?
Who generates the report is entirely up to the agency. As per the February 1st data call,
the 27 score card agencies’ CIOs are required to report.
11. Who should receive the report?
NIST will receive all compliance reports.
12. How should I submit this report?
Agencies must submit their reporting bundle (i.e., spreadsheet and XCCDF documents) via a NIST-provided website.
In order to complete the website submission process, Agencies must navigate to the website and log in using
their NIST-provided credentials. Once authenticated, users must follow the instructions on the site to upload their reports.
13. How do I receive my credentials for the NIST submission website?
To confirm the authority of the submitting party, NIST will contact each agency with specific
instructions relating to the web submission process. As part of these instructions, NIST will
provide the agency with the credentials to gain access to the reporting website.
14. Who will NIST contact at each Agency?
Each Agency’s Office of CIO is asked to provide a single Agency FDCC Submitter.
That person’s name, phone number, and e-mail address should be sent to firstname.lastname@example.org
no later than 21 March 2008.
15. When can I expect to receive my logon credentials?
NIST will contact each Agency FDCC Submitter no later than 26 March 2008. Logon credentials will be provided at time of contact.
16. What is the password to unlock the FDCC Reporting spreadsheet?
The FDCC Reporting spreadsheet is locked to ensure that the formatting is not changed by Agency submitters.
The FDCC submission system performs validation on the spreadsheet so it is necessary to lock the formatting
in order for the system to read the reporting spreadsheet without errors. Results should only be entered
into the ‘Results’ tab of the workbook.
17. Who should I contact with questions related to FDCC reporting?
Please direct all technical questions to email@example.com
and other questions to firstname.lastname@example.org.
send comments if your questions
were not answered here.