September 23, 2003
Government Executive
Government and tech industry release security recommendations
By Shane Harris
sharris@xxxxxxxxxxx
Five federal agencies, a nonprofit Internet security group and one of the
nation's largest software manufacturers have issued recommendations for
making one of the most popular software programs in the government more
secure. The move, announced at a press conference in Washington Tuesday,
marks a watershed between the government and the technology industry,
officials said.
Oracle Corp., the giant database software maker that counts the federal
government as its largest single customer, has agreed to deliver a new
version of its product to the Energy Department that has more than 250
specific security enhancements. Those modifications have been packaged in
a benchmark document <http://www.cisecurity.org/bench.html> that is being
published on the Internet, so that other federal agencies can take
advantage of it.
It's unclear how many agencies will avail themselves of the security
recommendations, since implementing them could take considerable time and
effort. Karen Evans, Energy's chief information officer and a driving force
behind the deal with Oracle, noted that the lengthy process of making
security changes to commercial software was one of the reasons her
department sought concessions from the company before the product was
delivered.
The Energy Department deal conforms to an Office of Management and Budget
mandate to use the federal government's significant purchasing power to
gain concessions and special arrangements from technology contractors. The
government is the single largest purchaser of information technology goods
and services in the United States.
The Center for Internet Security, which helped craft Oracle's
modifications, is also developing an automated tool that will scan a
system and score it on how well it complies with the benchmarks. The tool
is in the final stages of development, and the center will release it
publicly when it is finished.
Energy and Oracle reached their agreement in the summer, but neither side
had publicly announced the deal or the release of the benchmark document
before.
Evans will have broader authority over procurement and security strategy
when she takes over the position of e-government and technology chief at
OMB next month. She replaces Mark Forman, the president's first
e-government administrator, who is taking a job in the private sector.
Oracle is delivering the more secure software as part of a two-phase
licensing agreement with Energy. The first phase will cover the
department's headquarters in Washington and is valued at $5 million, Evans
said. The second phase, which Evans expects to be implemented in the next
fiscal year, will provide the Oracle software to government and contract
Energy locations across the country, she said.