State codifies security language
Proposed contracting rule would standardize wording of vendors’ IT security obligations
State’s proposed rule in the Federal Register
After years of struggling with information security, the State Department has decided to codify how contractors implement federal information security regulations. Officials are asking for comments on a proposed rule that would define information technology security requirements for all contractors that do business with State.
The Federal Acquisition Regulation was amended in 2005 to incorporate the Federal Information Security Management Act of 2002. However, State wants to update its internal acquisition rules to be doubly certain the agency does not omit any IT security requirements in its contracts or statements of work, said Gladys Gines, a procurement analyst at State.
The proposed rule “is a way to codify these requirements and to standardize the language so that it is consistent across contracts,” Gines said. “This way, we’ve got the same language for all of our contracts and the same requirements, and there is no issue of somebody perhaps forgetting to include something in a work statement.”
Under State’s proposed rule, IT contractors would be responsible for the security of systems that access the department’s mission-related information. Vendors would need to include a security plan with their bids and monitor information security on projects for which they win contracts.
State has consistently received low marks on meeting FISMA requirements, which mandate that federal agencies establish IT security policies commensurate with the vulnerability of the systems they are designed to protect.
Rep. Tom Davis (R-Va.), ranking member of the Oversight and Government Reform Committee, gave State an F on its last two annual FISMA report cards. A Davis spokesman said the lawmaker commended State for the move.
“When you have State, Defense and the Nuclear Regulatory Commission all making Fs and the Department of Homeland Security making a D, it makes sense to start on procurement with reforms and go forward from there,” Davis’ spokesman said. “These are critical agencies. Compromises in security could cost a lot more than identity theft. They could cost lives.”
Jeremy Grant, senior vice president and identity solutions analyst at the Stanford Group, said State and other agencies that have not fully implemented FISMA should have done it long ago. However, he added, most IT contractors already conduct the activities outlined in State’s new rule, so compliance should not be too difficult for contractors.
“Any company that is worth its salt ought to be doing that today and should have been doing that for several years,” he said. “I wouldn’t say there are going to be any radical changes.”
Dave Frederickson, a program manager at Northrop Grumman who works on State contracts, agreed. “I just don’t see that there are a lot of differences there, except that you’ve got the formal specification now that’s in the contractual language upfront,” he said.
Gines added that although the rule’s provisions shouldn’t surprise the contractor community, department officials wanted to offer them as a rule change rather than a policy statement so they would be open for comment.
Daniel Mintz, chief information officer at the Transportation Department, whose rule provided a model for State, said “the critical issue here is to make sure that validating security is an integral part of system procurement and development, not an afterthought.”