What is a DoD Secure Host Baseline?

The U.S. Department of Defense's Secure Host Baseline (SHB) is a pre-configured, security-hardened, machine-ready image that contains an organization's common Operating System (OS) and application software. SHB images are developed with the latest relevant standards and policies, which include a layered security architecture enabling the implementation of best practice mitigation strategies to counter cyber threats.

An SHB image can be generated for any OS and common application software used by an organization. The image can be deployed across an office's host systems, including desktops, laptops, servers, tablets, and mobile devices. This provides administrators with a common core operating picture that makes it easier to identify and isolate anomalies. An SHB simplifies the implementation of robust security practices and technologies such as Application Whitelisting, Host Intrusion Prevention Systems (HIPS), Enhanced Mitigation Experience Toolkit (EMET), and other anti-exploitation capabilities. It also ensures that the security features of each host residing on a network are consistent with the organization's security policies and directives.

Advantages of Secure Host Baseline

In addition to reducing security risks, building an SHB image lowers the overall cost of managing a network. The development process takes advantage of economies of scale by leveraging the expertise of government and vendor communities to establish the baselines and coordinate testing and production. External issues such as licensing and distribution rights are also worked out at high levels by legal and policy staff to pave the way for deployment of SHB.

By providing common baselines and generating criteria for enterprise licensing initiatives, SHB also accelerates implementation of other efficiency strategies. Within the Department of Defense (DoD), some examples include Single Security Architecture (SSA), Security Automation, Secure Configuration Management (SCM), Continuous Monitoring (CM), and Enterprise Software Initiative (ESI).