After years of being criticized for failing to lead by example in information security, the federal government last week for the first time used its unparalleled purchasing power to force technology vendors to improve the security of their products.
Days after the U.S. Department of Energy announced that it had signed an open-ended contract with Oracle Corp. that requires the vendor to adhere to a set of strict security stipulations, Microsoft Corp. officials said they are laying the groundwork for similar contracts in the future. The Redmond, Wash., software developer, however, won a recent contract with the Department of Homeland Security that included no such security provisions, leading some to criticize the federal policy as inconsistent.
Oracle's sale of its 9i database software to the DOE had several unique attributes, including the requirement that each copy of the software be delivered in a secure configuration. The configuration is based on a set of benchmarks developed by the Center for Internet Security and released last week. The benchmarks lay out specific actions administrators can take to harden Oracle servers. CIS is also at work on a tool that will audit Oracle installations and score their security against the benchmarks.
The deal is worth $5 million in its first phase. Oracle officials declined to say what the deal will be worth overall. Oracle, based in Redwood Shores, Calif., has a long-standing relationship with the DOE, but company officials said the agency made it clear during this negotiation that security is now a top priority.
"[Karen Evans, CIO of the DOE] made security very much a part of the discussion. They were very aggressive in getting us to do things we might not have done otherwise," said Tim Hoechst, senior vice president of technology for government, education and health care at Oracle.