Take a sneak peek at the new NIST.gov and let us know what you think!
(Please note: some content may not be complete on the beta site.).

View the beta site
NIST logo
Bookmark and Share

Federal Desktop Core Configuration (FDCC)


The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration. The FDCC currently exists for Microsoft Windows Vista and XP operating system software. While not addressed specifically as the "Federal Desktop Core Configuration," the FDCC was originally called for in a 22 March 2007 memorandum from OMB to all Federal agencies and department heads and a corresponding memorandum from OMB to all Federal agency and department Chief Information Officers (CIO). NIST provides support to the FDCC initiative through the creation and maintenance of machine-readable FDCC content, the hosting of Microsoft created virtual images for testing, and general support through email and web sites set up for agency use.


Cyber security issues have received significant attention over the last several years as the amount of valuable and sensitive data that is available online continues to increase. Configuration management has always been a key component of any IT security policy and the Federal Desktop Core Configuration (FDCC) seeks to leverage this by creating a standard to which all Windows XP and Vista desktop systems must comply. Doing so eliminates a wide range of potential attacks by disabling unneeded services, applying patches in a timely manner, establishing strong access controls, and many other important configuration options available within the operating system.

The Windows Vista FDCC is based on DoD customization of the Microsoft Security Guides for both Windows Vista and Internet Explorer 7.0. Microsoft's Vista Security Guide was produced through a collaborative effort with DISA, NSA, and NIST. The guide reflects the consensus recommended settings from DISA, NSA, and NIST for the Windows Vista platform. The Windows XP FDCC is based on the DoD customization of the SSLF recommendations in Microsoft's Security Guide for Internet Explorer 7.0. To learn more about the FDCC, visit http://fdcc.nist.gov.

To help facilitate adoption, the Security Content Automation Protocol (SCAP) was chosen by OMB as the means by which FDCC policy is expressed and distributed as machine-readable content. OMB Memorandum 08-22 mandates the use of SCAP tools to assess and continuously monitor FDCC compliance based on this machine-readable representation of the policy. SCAP existed prior to the introduction of the FDCC and is being implemented widely across a variety of use cases. To learn more, visit http://scap.nist.gov.

End Date:


Lead Organizational Unit:



Steve Quinn

John Banghart

Related Programs and Projects:

Supporting Publications:
DRAFT NIST Special Publication 800-70 Revision 1National Checklist Program for IT Products--Guidelines for Checklist Users and Developers

DRAFT NIST IR 7511 Revision 1, Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements

For more information regarding the:

Security Content Automation Protocol (SCAP) -  http://scap.nist.gov 

National Checklist Program (NCP) -

SCAP Validation Program -


Stephen Quinn
(301) 975-6967

100 Bureau Drive
M/S 8930
Gaithersburg, MD  20899-8930