The federal government on Tuesday announced a major new purchasing initiative designed to reward vendors whose products meet certain stringent security standards. The program is an outgrowth of an emerging philosophy inside the Beltway that the governments purchasing power should be used to encourage software and hardware vendors to improve the security of their offerings.
The first vendor to be involved in the program is Oracle Corp., which signed a large contract to deliver its database software to the Department of Energy. Karen Evans, CIO of the Department of Energy, announced the contract at an event that also included the Department of Homeland Security, the National Security Agency, the Department of Defense, the General Services Administration and the Center for Internet Security. The new contract calls for the vendor to deliver its database software in a securely configured manner.
CIS earlier this month published two sets of benchmarks for Oracles database and those guidelines will be the basis for the configurations of the governments machines.
But, perhaps more importantly, Oracle has also agreed to provide hotfixes and patches that dont change the configurations of machines when theyre installed. As a condition of the contract, Oracle will automatically deliver any new patches or fixes that affect Energys machines to a central server at the department.
“Its not just that theyre buying safe systems. Its that the vendor is taking continuing responsibility that any hotfixes wont undo the safety of the systems,” said Alan Paller, research director at the SANS Institute in Bethesda, Md. “Every one of those will save the government time and money now.”
The governments purchase from Oracle comes just a few months after the Department of Homeland Security announced that it would standardize on Windows on the desktop and server levels. However, the Microsoft contract—which is worth $90 million—does not require Microsoft, based in Redmond, Wash., to meet any of the same security or configuration criteria that Oracle must. In fact, the contract calls for a standard configuration for each machine.
The plan to use purchasing decisions as a hammer to improve product security is one of the key tenets laid out in the National Strategy to Secure Cyberspace. That plan relies heavily on this idea, eschewing government regulation of product security in favor of allowing market pressures to dictate vendor actions.
Sources familiar with the plan say that the government intends to extend the purchasing program to other vendors and federal agencies in the near future.