Contract rules need IT security standards, official says

A defense official recommends changing the Federal Acquisition Regulation to require contractors' IT products meet minimum security standards.

A Defense Department official has recommended amending governmentwide acquisition rules to standardize security requirements for information technology purchases as agencies attempt to guard their computer systems against cyberattacks, according to a new report.

Gary Guissanie, DOD’s acting deputy assistant secretary for cyber, identity and information assurance, said contract language added to the Federal Acquisition Regulation (FAR) could ensure agencies’ new IT purchases include the settings specified in the Federal Desktop Core Configuration (FDCC). The FDCC is a White House initiative that gave agencies a minimum set of standards to protect their desktop and laptop computers from sophisticated hackers and other cyber threats.

New FAR language “would provide the appropriate coverage for a federal-wide IT contract issue,” Guissanie wrote to the Government Accountability Office regarding a report on the FDCC's accomplishments. The report was released April 12.

GAO officials said it was beyond their authority to say whether new FAR rules are necessary or what they might entail. They did say DOD may want to pursue Guissanie’s recommendations with the Office of Management and Budget.

Regulators have not opened a case on the FDCC issue.


In its report, GAO found agencies struggling to upgrade their computers to meet the basic security requirements in the FDCC initiative. According to the report, no agency required to meet the FDCC standards has fully done so. The initiative mandates including language in new contracts that requires companies' IT products comply with the FDCC's security standards.

GAO reported eight agencies have incorporated language into their contracts and 13 have not, based on agency inspector general reports on other IT security requirements from fiscal 2009.

Responding to GAO, a few agency officials said they have added the contracting language to their new contracts. The Homeland Security, Housing and Urban Development and Labor departments include the clause about FDCC compliance. Other agencies, such as the Office of Personnel Management, and the Treasury and the Veterans Affairs departments, are finalizing their changes to acquisition policies.

GAO noted that some agencies didn’t include the clause in all IT contracts.

Meanwhile, GAO said agencies must push to secure their IT systems because of an increase in security incidents and steady advances in cyberattack technology.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

Reader Comments

Thu, Apr 15, 2010 David H. Washington, DC

The FAR already has a requirement to comply with the FDCC although not specifically named as "FDCC". It is located at FAR Part 39.101(d), which states: "d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s website at Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated." The link provided in FAR 39.101(d) to is the repository for all SCAP checklists. The FDCC is just one example of SCAP checklists. In addition, it is not completely accurate to state that no agency has met the appropriate standards; both the Education and State departments had no findings or recommendations and both have developed appropriate security and risk mgmt practices to allow specific FDCC deviations.
