FRAMINGHAM (09/19/2003) - Five federal agencies, in collaboration with the Center for Internet Security and Oracle Corp., next Tuesday will announce a broad federal procurement initiative to improve software security.
Under the initiative, software vendors will have to ensure that their software meets specific safe configuration requirements and that any fixes they provide to patch vulnerabilities are reliable and won't compromise those configurations.
The idea behind the initiative is to use the federal government's purchasing power to make software vendors accept more responsibility for the security of their software, said Alan Paller, director of the SANS Institute, a Bethesda, Md.-based security research firm.
The initiative was prompted by the users' growing list of problems resulting from unsafe software configurations, he said, adding that software vendors will be required to ensure that default settings are secure to avoid problems later on.
The federal government recently launched a procurement program called SmartBuy, which it hopes will elicit better pricing and contractual terms from software vendors by consolidating purchases. SmartBuy will allow federal agencies to negotiate more stringent terms relating to security, Paller said. The initiative being announced tomorrow is an example of that tougher stance.
"This is about partnering with vendors so that they take responsibility" for software security, Paller said. He added that he expects the federal initiative to set a model for software procurement in the private sector as well.
U.S. Department of Energy CIO Karen Evans, who was recently named by President Bush to head all e-government initiatives, tomorrow will announce the first contract to be signed under the initiative. The contract will demonstrate "a new way for government to purchase software with security built in," according to a press alert from the CIS, which is organizing the event.
The other federal agencies participating in the announcement are the U.S. Department of Homeland Security, the National Security Agency, the Defense Information Systems Agency and the U.S. General Services Administration. Also involved in the announcement are approximately 120 CIOs and security specialists from government and industry.
Sources familiar with tomorrow's announcement confirmed Oracle's involvement in the initiative. An Oracle spokeswoman on Friday declined to comment.
CIS Vice President Bert Miuccio said the initiative builds on an effort that the CIS led last year involving the creation of benchmark security standards for Windows 2000 professionals. That effort focused on creating a checklist of security settings for Windows 2000 systems that vendors could use when shipping systems to users.
Last year's initiative was backed by several government agencies, including the NSA, DISA and the National Institute of Standards and Technology. The scope of tomorrow's announcement is significantly broader, Miuccio said.
Dan Verton contributed to this story.