GSA Eyes Information Security Services Effort By Nick Wakeman
Staff Writer The General Services Administration is readying plans for an information security services contract that will feature multiple winners and be available to all government agencies, government and industry officials said. Part of a stepped-up effort to help agencies combat hacker attacks and viruses, the procurement is similar to a multiple-award Defense Department contract with a $1 billion ceiling made three years ago, officials said. GSA is likely to publish a request for information for the contract in the next 12 months, said Judith Spencer, director of the center for governmentwide security at GSA. It will cover services such as risk assessments, data recovery, training and systems engineering. Spencer declined to estimate the contract's value, but industry officials predicted it would be worth several hundred million dollars. "We are still researching [the contract]," she said. The Defense Information Services Agency's Information Security Technical Services contract could serve as a model for the GSA effort, industry officials said. Winning that contract in 1995 were Science Applications International Corp. of San Diego, Computer Sciences Corp. of El Segundo, Calif., and Merdan Group of Vienna, Va. So far, more than $143 million has been spent under that contract, according to DISA. "If you want an idea of how big the contract could be, you should just look at DISA's contract," said Roger Tjarks, division manager and assistant vice president for SAIC's information security services group. While total obligations will not reach the $1 billion ceiling by the time the contract runs out in 2000, demand for information security services is growing across the government, Tjarks said. In the first half of fiscal 1998, there were more than 400 incidents reported to the Federal Computer Incident Response Capability Center, known as FedCIRC, Spencer said. Such incidents can range from problems caused by operator error or the introduction of a virus to an outright hacker attack, Spencer said. In 1997, there were 240 reports, but it is unclear whether that is because such incidents are increasing or if the reporting is better. "We do know the problems are not going away," she said. The market research firm Input of Vienna, Va., estimates the federal market for information security will rise from $708 million in 1997 to $954 million in 2003. "It is definitely a growing market," said Brian Haney, director of research for Input. The growth is being fueled by agencies increasing their use of the Internet and intranets, which make systems more vulnerable to outside attack. Agencies also are implementing enterprisewide applications, which rely on the Internet to connect systems that are in different locations, Haney said. "One of the greatest issues facing the government is security," he said. "We think this is going to be a heightened market area for the next five years." Information security threats are very real, said Rusty Wall, program manager for CSC's Infosec Technical Services contract team. "We see everything from unskilled, unsophisticated individual attacks to very sophisticated, coordinated attempts," Wall said. Interest in information security services is reaching higher levels in the government agencies, Wall said. "The agencies are really working hard to stay ahead of the threats," he said. The GSA contract will complement work GSA is doing with Carnegie Mellon University's Computer Emergency Response Team Coordination Center, Spencer said. GSA and Carnegie Mellon in Pittsburgh are taking over management of FedCIRC, which has been a pilot program the last two years under the National Institute of Standards and Technology. FedCIRC collects and distributes information on hacker attacks and viruses. "It is like a first line of defense," Spencer said. Agencies report problems to FedCIRC, and FedCIRC then can tell the reporting agency if its problems are isolated or part of a wider attack. "FedCIRC helps them figure out what has happened to them," Spencer said. It also provides information on fixes, or "patches," to problems with programs and operating systems, she said. But FedCIRC does not provide the services to follow up or prevent an attack. "That is where the opportunity for industry comes in," she said. Even without a separate contract, contractors are offering information security services via GSA's information technology schedule, she said. Carnegie Mellon's Computer Emergency Response Team Coordination Center is a good choice for continuing FedCIRC because the center is already working with several federal agencies as well as the private sector on security issues, Tjarks said. "The key thing is the dissemination of data and keeping systems administrators cognizant of what are the latest vulnerabilities to systems," he said. Because Carnegie Mellon is not part of the government, sharing information with the private sector will be easier, Tjarks said. "There's a need to propagate information outside the government, because so much of the government's business is handled by the commercial sector," he said. A hacker attack on an industry such as banking or telephone companies could shut down government operations, he said. While civilian agencies have lagged the Pentagon when it comes to mounting a defense against hackers, civilian agencies are starting to recognize and address it, he said. | 