Federal Desktop Core Configuration (FDCC)

The Federal Desktop Core Configuration (FDCC) is the standard that specifies security configuration settings that are required for U.S. Federal Government desktop systems. The FDCC is a mandate of the U.S. Office of Management and Budget (OMB). This standard is based heavily on Microsoft recommendations for the Windows XP and Vista operating systems, but it is extended by a consortium that includes the Department of Defense (DoD), the United States Air Force (USAF), and the Department of Homeland Security (DHS).

Most of the configuration settings in the standard refer to Windows security policies and Internet/Web security settings for user rights and policy settings. Currently, the FDCC standard only applies to the XP and Vista desktop operating systems. It will, however, apply to other operating systems (Linux, Macintosh, and so on) in the future.

Immediate Impact on Our Customers:

Effective 01 February 2008, all US federal agencies that use the XP or Vista desktop operating systems are required to adopt the Federal Desktop Core Configuration (FDCC) security settings.

Immediate Impact on SAS:

SAS acquisitions and renewals will require proof of FDCC compliance.

Key Criteria for FDCC Compliance:

• Software applications must be fully functional and operate as intended on systems that use the FDCC.

• An application’s standard installation, operation, maintenance, update, or software patching does not alter its configuration settings from the approved FDCC settings.

• Applications use the Windows Installer Service to install to the default directory for program files, and installation and uninstallation should be able to run silently.

• Applications that are designed for normal users must run in the standard user context without elevated system administration privileges.

Longer-Range Impact on SAS:

Many SAS customers in the U.S. Federal Government, particularly in the branches of the military, are actively instituting the FDCC requirements within their organizations.

According to our review of the FDCC requirements and SAS software’s architecture, SAS applications do not appear to require rights other than those that are assigned to standard users, which is a key requirement for FDCC compliance. Testing is underway to verify that this is the case.


The official public statement on SAS compliance with the FDCC requirement is available at the SAS US Government site (www.sas.com/govedu/fdcc-compliance.html).

A secure PDF version of the SAS compliance statement is available on request. Send requests to FDCC.SAS@sas.com.