Article

Government flexes its spending muscle with 'model contract'

Anne Saita

Further proving the government means business about using its spending muscle to influence the development of secure software, five federal agencies on Tuesday announced a new contract practice that puts the onus on vendors to supply customized, more readily secured software -- that won't break other systems when patched.

"Most software is delivered with all the functionality enabled and no security features enabled, and it's up to the implementer, integrator or system administrator to turn off a risky feature -- or even know there is a risky feature," said Glenn Schlarman, associate CIO for cybersecurity for the Department of Energy (DOE).

This new approach, he said, helps remove the guesswork with predetermined security settings. That, in turn, reduces the chance of human error in configuration management and the need for more resources and expenditures.

The DOE led a panel that included federal officials and representatives from the nonprofit Center for Internet Security (CIS) and software giant Oracle Corp. at a Washington, D.C., news conference, called to tout the new "model contract." The contract mandates that vendors deliver software that meets specific "safe configuration requirements," in part by establishing preset security levels and providing patches that won't change existing configurations once installed.

The DOE has signed the first contract under the new plan by agreeing to purchase $14 million worth of Oracle 8 and 9 database

    Requires Free Membership to View

software for its headquarters and for all 85 national laboratories and field sites scattered throughout the country, Schlarman said.

Other agencies expected to participate in the early stages of the new procurement initiative include the Department of Homeland Security, National Security Agency, Defense Information Systems Agency and General Services Administration.

For the past several years, the federal government, with its $50 billion annual IT budget, has used its purchasing power to press vendors for less flawed (and therefore less exploitable) software out of the box. CIS has tried to raise the bar through benchmark security standards for a wide variety of IT environments.

CIS published benchmarks for Oracle that will serve as the guide for configuring federal database servers. Oracle, meanwhile, said new hotfixes and patches will be pushed to a central server at the DOE.

FOR MORE INFORMATION:

SearchSecurity.com news exclusive: "Regulation, bad software, new threats fodder for Congress"

SearchSecurity.com news exclusive: "Cybersecurity plan heavy on public-private cooperation"

Best Web Links on standards and guidelines

Ask the experts

FEEDBACK: What impact will the "model contract" have on the development of secure, stable software?
Send your feedback to the SearchSecurity.com news team.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: