Contract rules need IT security standards, official says

A defense official has recommended changing the Federal Acquisition Regulation to require contractors' IT products to meet minimum security standards.

In its report, GAO found agencies struggling to upgrade their computers to meet the basic security requirements in the FDCC initiative. According to the report, no agency required to meet the FDCC standards has fully done so. The initiative mandates including language in new contracts that requires companies' IT products to comply with the FDCC's security standards.

A Defense Department official has recommended amending governmentwide acquisition rules to standardize security requirements for information technology purchases as agencies attempt to guard their computer systems against cyberattacks, according to a new report.

Gary Guissanie, DOD’s acting deputy assistant secretary for cyber, identity and information assurance, said contract language added to the Federal Acquisition Regulation (FAR) could ensure that agencies’ new IT purchases include the settings specified in the Federal Desktop Core Configuration (FDCC). The FDCC is a White House initiative that gave agencies a minimum set of standards to protect their desktop and laptop computers from sophisticated hackers and other cyber threats.

New FAR language “would provide the appropriate coverage for a federal-wide IT contract issue,” Guissanie wrote to the Government Accountability Office regarding a report on the FDCC's accomplishments. The report was released April 12.

GAO officials said it was beyond their authority to say if new FAR rules are necessary or what they might entail. They did say DOD may want to pursue Guissanie’s recommendations with the Office of Management and Budget.

Regulators have not opened a case on the FDCC issue.

GAO reported eight agencies have incorporated language into their contracts and 13 have not, based on agency inspector general reports on other IT security requirements from fiscal 2009.

Responding to GAO, a few agency officials said they have added the contracting language to their new contracts. The Homeland Security, Housing and Urban Development and Labor departments include the clause about FDCC compliance. Other agencies, such as the Office of Personnel Management and the Treasury and Veterans Affairs departments, are finalizing their changes to acquisition policies.

GAO noted that some agencies didn’t include the clause in all IT contracts.

Meanwhile, GAO said agencies must push to secure their IT systems because of an increase in security incidents and steady advances in cyberattack technology.