The U.S. Department of Defense is soliciting bids for a massive anti-spyware software contract that will protect systems across the military.
The deal could be a major opportunity for anti-spyware startups to score a victory against established anti-virus vendors.
The solicitation from the DISA (Defense Information Systems Agency) is for an automated spyware detection, eradication and protection technology, referred to as SDEP.
Estimates on the size of the contract vary from a few hundred thousand seats to between 4 million and 8 million military systems, if the SDEP technology is adopted throughout the entire DOD and used on computers at the homes of servicemen and women.
Leading anti-virus vendors, as well as dedicated anti-spyware companies, are bidding for the contract, which may present a big opportunity for dedicated anti-spyware startups that hope to capitalize on the failure of existing anti-virus vendors to prevent spyware infections on military systems.
The military is looking for an enterprise-wide solution that covers the U.S. Department of Defense, Coast Guard, National Guard and Reserves.
DOD employees will be allowed to download and install the software on their home computers, as well, according to information on the project posted on a government Web site.
The solicitation is being handled as part of I-Assure, a $1.5 billion contract to provide professional information technology security services to the Department of Defense.
“This is going to be a substantial contract,” said David Moll, CEO of anti-spyware company Webroot Software Inc.
DISA would not comment on the contract, saying that the agency is in the middle of “source selection” for an anti-spyware product and didn’t want to jeopardize the procurement of a product, according to Maj. Jack Mast, a DISA official.
Symantec Corp., McAfee Inc. and Trend Micro Inc. provide desktop, server and gateway anti-virus protection for military systems under a 2002 I-Assure contract.
Symantec partners with I-Assure prime contractor Northrop Grumman Inc., and Trend Micro partners with Government Technology Solutions Inc. (gTech), another I-Assure prime contractor.
An Ounce of Prevention
However, anti-virus products from those companies haven’t prevented spyware from infecting machines on the DISA network.
“People are bringing in things from home, installing freeware. It’s a big problem,” said Eric Sites of Sunbelt Software Inc., one of the companies that are bidding on the contract.
“If you look at the problems in the corporate environment with spyware and vulnerabilities, the same things are there in everything that the federal government or the DOD is doing, with the added component of top secret networks,” said Tom Simmons, director of federal programs at Trend Micro, which is bidding for the SDEP work.
Symantec and McAfee both declined to comment on the SDEP solicitation.
DISA’s original specifications for anti-virus protection, which are now 3 years old, failed to anticipate the spyware problem or the need for anti-spyware features, Simmons said.
“If you look at what was available in anti-virus in 2002, spyware was the purview of very few people who were very forward looking in terms of vulnerabilities and threats,” he said.
Part of the problem is the fast pace of change in malicious code, compared with the rather slow pace of government IT procurement, said Simmons.
“For 25 years, DOD has been visionary in terms of what to try to do with technology, but contracting and program management methods tend to take time to catch up with technology,” he said.
However, the I-Assure contract is flexible enough to allow the government to address shortcomings in its IT security coverage, he said.
“The beauty of the I-Assure approach is that the government can say ‘Here’s a contract, go find me the best of breed spyware solution,’” Simmons said.
Symantec, McAfee, Computer Associates International Inc. and dedicated spyware vendors Webroot and Sunbelt Software are bidding for the anti-virus work, said Moll.
Whatever anti-spyware technology is selected will have to work with existing anti-virus software used on military systems, which would seem to tip the scales in favor of anti-virus companies such as Symantec, said Simmons.
However, DISA’s specification for anti-spyware may give the edge to stand-alone products such as Webroot and Sunbelt over security suite providers such as Symantec, McAfee and Trend, Simmons acknowledged.
“[DISA’s Strategic Command] did their own due diligence and tested spyware solutions available in the August-September 2004 time frame. The requirements they scoped out were developed around those technologies,” he said.
Webroot CEO Moll was optimistic, though he said Symantec is using aggressive pricing and other techniques to win the government’s anti-spyware business.
“I think Webroot is nicely positioned. We’ve made it over enough hurdles with compliance. We’re in a nice position,” Moll said.
The government is currently testing the anti-spyware products from the vendors against its STIG (Security Technical Implementation Guide), a kind of checklist to determine whether they comply with military standards for application security and interoperability.
STIG compliance testing was scheduled to be complete by the end of May, when a winner or winners are expected to be announced.
However, with testing ongoing, it could be months before the DOD selects an anti-spyware vendor, Moll said.