Feds Muscling Greater Security Out of Tech Firms
The federal government is using its purchasing power to force technology vendors to follow strict security guidelines, but a recent deal with Microsoft has some calling the policy inconsistent.
After years of being criticized for failing to lead by example in information security, the federal government last week for the first time used its unparalleled purchasing power to force technology vendors to improve the security of their products. Days after the U.S. Department of Energy announced that it had signed an open-ended contract with Oracle Corp. that requires the vendor to adhere to a set of strict security stipulations, Microsoft Corp. officials said they are laying the groundwork for similar contracts in the future. The Redmond, Wash., software developer, however, won a recent contract with the Department of Homeland Security that included no such security provisions, leading some to hit the federal policy as inconsistent.
Oracle's sale of its 9i database software to the DOE had several unique attributes, including the requirement that each copy of the software be delivered in a secure configuration. The configuration is based on a set of benchmarks developed by the Center for Internet Security and released last week. The benchmarks lay out specific actions administrators can take to harden Oracle servers. CIS is also at work on a tool that will audit Oracle installations and score them on their security relative to the benchmarks.