Is FDCC applicable to special-purpose computers (e.g., scientific, medical, process control, and experimental systems)?
The primary targets of FDCC are general-purpose systems such as managed desktops and laptops. Specialized computers used primarily for a scientific effort, such as running software and collecting data from a piece of scientific equipment, are exempt from the FDCC settings. However, such a system still needs to be protected by other means. These may include removing email and/or browser software, keeping the computer on a local “subnet” rather than on the main NIH network, or applying other controls to protect the computer and the NIH environment. In addition, ICs need to track the special-purpose computers that are exempt from FDCC. A computer that is used by a scientist but is primarily used for email access, web browsing, and non-scientific purposes is included in the FDCC scope.
The primary targets of FDCC are general-purpose systems such as managed desktops and laptops. Embedded computers, process control systems, specialized scientific or experimental systems, and similar systems using Windows XP or Vista are out of the scope of FDCC. Of course, such systems still require appropriate protection and application of sound risk management principles. In general, agencies should examine the FDCC security configuration for applicability to such systems where feasible and appropriate.