State codifies security language

Proposed contracting rule would standardize wording of vendors’ IT security obligations

State’s proposed rule in the Federal Register

After years of struggling with information security, the State Department has decided to codify how contractors implement federal information security regulations. Officials are asking for comments on a proposed rule that would define information technology security requirements for all contractors that do business with State.

The Federal Acquisition Regulation was amended in 2005 to incorporate the Federal Information Security Management Act of 2002. However, State wants to update its internal acquisition rules to be doubly certain the agency does not omit any IT security requirements in its contracts or statements of work, said Gladys Gines, a procurement analyst at State.

The proposed rule “is a way to codify these requirements and to standardize the language so that it is consistent across contracts,” Gines said. “This way, we’ve got the same language for all of our contracts and the same requirements, and there is no issue of somebody perhaps forgetting to include something in a work statement.”

Under State’s proposed rule, IT contractors would be responsible for the security of systems that access the department’s mission-related information. Vendors would need to include a security plan with their bids and monitor information security on projects for which they win contracts. 
State has consistently received low marks on meeting FISMA requirements, which mandate that federal agencies establish IT security policies commensurate with the vulnerability of the systems they are designed to protect. 

Rep. Tom Davis (R-Va.), ranking member of the Oversight and Government Reform Committee, gave State an F on its last two annual FISMA report cards. A Davis spokesman said the lawmaker commended State for the move.

“When you have State, Defense and the Nuclear Regulatory Commission all making Fs and the Department of Homeland Security making a D, it makes sense to start on procurement with reforms and go forward from there,” Davis’ spokesman said. “These are critical agencies. Compromises in security could cost a lot more than identity theft. They could cost lives.”

Jeremy Grant, senior vice president and identity solutions analyst at the Stanford Group, said State and other agencies that have not fully implemented FISMA should have done it long ago. However, he added, most IT contractors already conduct the activities outlined in State’s new rule, so compliance should not be too difficult for contractors.

“Any company that is worth its salt ought to be doing that today and should have been doing that for several years,” he said. “I wouldn’t say there are going to be any radical changes.”

Dave Frederickson, a program manager at Northrop Grumman who works on State contracts, agreed. “I just don’t see that there are a lot of differences there, except that you’ve got the formal specification now that’s in the contractual language upfront,” he said.

Gines added that although the rule’s provisions shouldn’t surprise the contractor community, department officials wanted to offer them as a rule change rather than a policy statement so they would be open for comment.
Daniel Mintz, chief information officer at the Transportation Department, whose rule provided a model for State, said “the critical issue here is to make sure that validating security is an integral part of system procurement and development, not an afterthought.”
State’s it security requirementsThe State Department is seeking public comment on a proposed contracting rule that would require vendors to:
  • Develop an information technology security plan and submit it within 30 days of winning a contract.
  • Provide proof each year that their IT security plans are valid.
  • Receive IT certification and accreditation and comply with other relevant policies and laws.
  • Meet the security requirements established in the Foreign Affairs Manuals and Foreign Affairs Handbooks.
— Ben Bain

The 2014 Federal 100

Get to know the 100 women and men honored this year for going above and beyond in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above