
Federal Desktop Core Configuration
FDCC

FDCC Compliance Reporting FAQs - 2008.03.04

  1. What is to be reported on 31 March 2008?
  2. What are the operational environments/system roles?
  3. What is the sample size?
  4. What is the format of the report?
  5. Why must we also submit the spreadsheet report? Aren’t the SCAP XCCDF reports sufficient?
  6. What is the format of the SCAP XCCDF document?
  7. How is the report generated and what tool should be used?
  8. What is the format of the FDCC Reporting spreadsheet?
  9. How should the XCCDF report documents and spreadsheet be submitted?
  10. Who generates the report and who submits the report?
  11. Who should receive the report?
  12. How should I submit this report?
  13. How do I receive my credentials for the NIST submission website?
  14. Who will NIST contact at each Agency?
  15. When can I expect to receive my logon credentials?
  16. What is the password to unlock the FDCC Reporting spreadsheet?
  17. Who should I contact with questions related to FDCC reporting?


1. What is reported?


Computer counts, SCAP XCCDF reports, and FDCC deviations for each operational environment/system role present within the Agency.



2. What are the operational environments/system roles?


The possible operational environments are:

  • Centrally Managed General Purpose Desktop - The desktop systems run end-user productivity applications (e.g., email clients, word processors). The desktop systems are joined to a native Windows active directory environment where the policy is managed through GPOs.
  • Centrally Managed General Purpose Laptop - The laptop systems run end-user productivity applications (e.g., email clients, word processors). The laptop systems are joined to a native Windows active directory environment where the policy is managed through GPOs.
  • Development System - The systems are used to perform development-related tasks.
  • Special Use System - The systems perform a special task that does not fit into any of the above categories (e.g., laboratory/research systems, kiosk systems, SCADA systems).
  • Other - The systems cannot be grouped into any of the above categories. This includes desktops and laptops that are not centrally managed. If this choice is selected, a detailed description must be provided in the "Environment Description" column of the spreadsheet.



3. What is the sample size?


A single representative computer for each combination of environment/system role and FDCC operating system. Each computer may have as many as 3 SCAP XCCDF reports, because SCAP Content was previously provided for Microsoft Windows XP, Windows Vista, Windows XP Firewall, Windows Vista Firewall, and Internet Explorer 7.0. This means Agencies could have anywhere from 0 to 30 SCAP XCCDF reports to submit, depending on the extent to which they have implemented the operating systems, and in which environments/system roles they have implemented the operating systems.


For example, an Agency which has implemented Microsoft Windows XP but not Microsoft Windows Vista, has elected to use a different desktop firewall than Microsoft Windows XP Firewall, and has implemented Microsoft Windows XP in four of the five environments/roles would submit eight separate SCAP XCCDF reports for four different computers. The math is as follows: One FDCC operating system (Windows XP), times 2 different SCAP Checklists (the Windows XP and Internet Explorer 7.0 checklists, Windows XP Firewall checklist is excluded), times four different operating environments/roles, equals eight separate SCAP XCCDF Reports, representing four computers (one computer in each of the four applicable operating environments/roles).



4. What is the format of the report?


There are two distinct portions of FDCC compliance reporting. The first portion is an SCAP XCCDF results document for each environment/system role and FDCC operating system combination present within an Agency. The second portion is a spreadsheet that provides a high level summary of every environment/system role present within the Agency. This spreadsheet summarizes the data collected in the SCAP XCCDF report documents. Each environment/system role listed within the spreadsheet must reference the corresponding SCAP XCCDF document.



5. Why must we also submit the spreadsheet report? Aren’t the SCAP XCCDF reports sufficient?


The spreadsheet tracks environment/system roles, computer counts, and intention with regard to resolving deviations. SCAP XCCDF reports provide an artifact of the summary data and enable automated trending across Federal Agencies.



6. What is the format of the SCAP XCCDF document?


The specification describing the SCAP XCCDF reporting format can be found at http://nvd.nist.gov/fdcc/fdcc_reporting.cfm. Agencies must submit an XCCDF report document for each operational environment/system role present within the Agency.



7. How is the report generated and what tool should be used?


The “how” varies with each assessment team and assessment tool being used. Per OMB’s July 31st memo, only SCAP Validated software with “FDCC Scanner” Capability may be used. There are several SCAP Validated tools to choose from; a complete list of tools can be found at the SCAP Validated Tools page within NVD.



8. What is the format of the FDCC Reporting spreadsheet?


The FDCC Reporting spreadsheet can be found at http://nvd.nist.gov/fdcc/fdcc_reporting.cfm. Agencies should only enter data into the “Results” tab of the workbook. All other tabs of the workbook are locked and are meant to serve as a reference; the “Cover Sheet” tab provides a description of each tab in the workbook.



9. How should the XCCDF report documents and spreadsheet be submitted?


All XCCDF report documents and the spreadsheet must be submitted in a compressed ZIP file. All files should be located in the root directory of the ZIP file; there should be no sub folders present within the ZIP file.
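
A pre-submission check of the bundle layout described above, as an added example that is not part of the NIST page or the NIST submission system. The file extensions, the rule that other file types are flagged, and the sample file names are assumptions; the 30-report ceiling comes from FAQ 3.

```python
import io
import zipfile

MAX_XCCDF_REPORTS = 30          # upper bound stated in FAQ 3
SHEET_EXT = (".xls", ".xlsx")   # assumed spreadsheet extensions
XCCDF_EXT = (".xml",)           # assumed XCCDF report extension


def check_bundle(zip_bytes):
    """Return a list of layout problems in a submission ZIP (empty = OK)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    sheets, reports = [], []
    for name in names:
        # Directory entries end in "/" and nested files contain a separator,
        # so any separator means the entry is not in the ZIP root.
        if "/" in name or "\\" in name:
            problems.append(f"not in ZIP root: {name}")
            continue
        lower = name.lower()
        if lower.endswith(SHEET_EXT):
            sheets.append(name)
        elif lower.endswith(XCCDF_EXT):
            reports.append(name)
        else:
            problems.append(f"unexpected file type: {name}")
    if len(sheets) != 1:
        problems.append(f"expected 1 spreadsheet, found {len(sheets)}")
    if len(reports) > MAX_XCCDF_REPORTS:
        problems.append(f"{len(reports)} XCCDF reports exceeds {MAX_XCCDF_REPORTS}")
    return problems


def build_zip(names):
    """Build a constructed in-memory ZIP with placeholder file content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample bundles: one flat, one with a sub folder.
    print(check_bundle(build_zip(["fdcc_results.xls", "xp_desktop.xml", "ie7_desktop.xml"])))
    print(check_bundle(build_zip(["fdcc_results.xls", "reports/xp_desktop.xml"])))
```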



10. Who generates the report and who submits the report?


Who generates the report is entirely up to the agency. As per the February 1st data call, the 27 score card agencies’ CIOs are required to report.



11. Who should receive the report?


NIST will receive all compliance reports.



12. How should I submit this report?


Agencies must submit their reporting bundle (i.e., spreadsheet and XCCDF documents) via a NIST-provided website. In order to complete the website submission process, Agencies must navigate to the website and log in using their NIST-provided credentials. Once authenticated, users must follow the instructions on the site to upload their reports.



13. How do I receive my credentials for the NIST submission website?


To confirm the authority of the submitting party, NIST will contact each agency with specific instructions relating to the web submission process. As part of these instructions, NIST will provide the agency with the credentials to gain access to the reporting website.



14. Who will NIST contact at each Agency?


Each Agency’s Office of CIO is asked to provide a single Agency FDCC Submitter. That person’s name, phone number, and e-mail address should be sent to fdcc@nist.gov no later than 21 March 2008.



15. When can I expect to receive my logon credentials?


NIST will contact each Agency FDCC Submitter no later than 26 March 2008. Logon credentials will be provided at time of contact.



16. What is the password to unlock the FDCC Reporting spreadsheet?


The FDCC Reporting spreadsheet is locked to ensure that the formatting is not changed by Agency submitters. The FDCC submission system performs validation on the spreadsheet, so the formatting must be locked for the system to read the reporting spreadsheet without errors. Results should only be entered into the ‘Results’ tab of the workbook.



17. Who should I contact with questions related to FDCC reporting?


Please direct all technical questions to fdcc@nist.gov and other questions to fisma@omb.eop.gov.



Please send comments if your questions were not answered here.




Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.


Last updated: April 14, 2008
Page created: March 04, 2008

Send comments or suggestions to itsec@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration