After years of being criticized for failing to lead by example in information security, the federal government last week for the first time used its unparalleled purchasing power to force technology vendors to improve the security of their products.
Days after the U.S. Department of Energy announced that it had signed an open-ended contract with Oracle Corp. that requires the vendor to adhere to a set of strict security stipulations, Microsoft Corp. officials said they are laying the groundwork for similar contracts in the future. The Redmond, Wash., software developer, however, won a recent contract with the Department of Homeland Security that included no such security provisions, leading some to hit the federal policy as inconsistent.
Oracles sale of its 9i database software to the DOE had several unique attributes, including the requirement that each copy of the software be delivered in a secure configuration. The configuration is based on a set of benchmarks developed by the Center for Internet Security and released last week. The benchmarks lay out specific actions administrators can take to harden Oracle servers. CIS is also at work on a tool that will audit Oracle installations and score them on their security relative to the benchmarks.
The deal is worth $5 million in its first phase. Oracle officials declined to say what the deal will be worth. Oracle, based in Redwood Shores, Calif., has a long-standing relationship with the DOE, but company officials said the agency made it clear during this negotiation that security is now a top priority.
“[Karen Evans, CIO of the DOE] made security very much a part of the discussion. They were very aggressive in getting us to do things we might not have done otherwise,” said Tim Hoechst, senior vice president of technology for government, education and health care at Oracle.
The DOE-Oracle contract is the first major demonstration of the governments willingness to use its economic power as a tool to push vendors for security concessions, but it is unlikely to be the last.
The idea was laid out in detail in the National Strategy to Secure Cyberspace and has been talked about for years inside the government. And with Evans set to take over as CIO at the Office of Management and Budget—which controls the federal governments $59 billion IT budget—within the next few months, more such deals could be on the way.
Sources said several other major software makers were in discussions with federal agencies about similar sales in which security is a major driver.
“DOE will be a testbed. The vendors have been working closely with government on this for a while. The software community is interested in averting regulations mandating security,” said John Frazzini, vice president of intelligence operations at security vendor iDefense Inc., based in Reston, Va. “This will get deployed governmentwide. If youre a vendor, this shows that you cant take security passively.”
With that in mind, Microsoft is working with CIS to develop security benchmarks for its SQL Server 2000 database software and Windows XP operating system in an effort to make them more attractive to the government market, according to Stan Sorensen, director of product management for SQL Server at Microsoft. CIS already has a set of standards for Windows 2000.
However, the new stress on security hasnt filtered down to every agency. Microsoft in July—two months after the Oracle deal was consummated—signed a $90 million contract with the DHS to deliver desktop and server software, but the contract contains no explicit security stipulations. Thats likely to change soon, though.
“I think it would be something that DHS and Microsoft should have talked about,” Frazzini said. “After this, Id be shocked if theyre not talking about doing the same thing. They have to.”
Microsoft officials, meanwhile, maintain that the company will still be able to hold its own in the lucrative government market, despite the increased emphasis on security. “We have been thus far, and I think being able to point to the benchmarks will help,” said Sorensen. “Theres a lot of stuff thats gone on in the last year thats been black marks as far as security, but our willingness to address those things is a positive.”
Sorensen said the governments increased emphasis on security reflects the current attitude and priorities among all customers. “Customers across the board have become very aware of security, not even just inside the government,” he said. “Everybody is thinking very hard about it—which is why it has such a high awareness level inside Microsoft.”
Discuss this in the eWEEK forum.