State codifies security language

Proposed contracting rule would standardize wording of vendors’ IT security obligations

State’s proposed rule in the Federal Register

After years of struggling with information security, the State Department has decided to codify how contractors implement federal information security regulations. Officials are asking for comments on a proposed rule that would define information technology security requirements for all contractors that do business with State.

The Federal Acquisition Regulation was amended in 2005 to incorporate the Federal Information Security Management Act of 2002. However, State wants to update its internal acquisition rules to be doubly certain the agency does not omit any IT security requirements in its contracts or statements of work, said Gladys Gines, a procurement analyst at State.

The proposed rule “is a way to codify these requirements and to standardize the language so that it is consistent across contracts,” Gines said. “This way, we’ve got the same language for all of our contracts and the same requirements, and there is no issue of somebody perhaps forgetting to include something in a work statement.”

Under State’s proposed rule, IT contractors would be responsible for the security of systems that access the department’s mission-related information. Vendors would need to include a security plan with their bids and monitor information security on projects for which they win contracts.

State has consistently received low marks on meeting FISMA requirements, which direct federal agencies to provide information security protections commensurate with the risk and magnitude of harm to the systems and information they are meant to protect.

Rep. Tom Davis (R-Va.), ranking member of the Oversight and Government Reform Committee, gave State an F on its last two annual FISMA report cards. A Davis spokesman said the lawmaker commended State for the move.

“When you have State, Defense and the Nuclear Regulatory Commission all making Fs and the Department of Homeland Security making a D, it makes sense to start on procurement with reforms and go forward from there,” Davis’ spokesman said. “These are critical agencies. Compromises in security could cost a lot more than identity theft. They could cost lives.”

Jeremy Grant, senior vice president and identity solutions analyst at the Stanford Group, said State and other agencies that have not fully implemented FISMA should have done it long ago. However, he added, most IT contractors already conduct the activities outlined in State’s new rule, so compliance should not be too difficult for contractors.

“Any company that is worth its salt ought to be doing that today and should have been doing that for several years,” he said. “I wouldn’t say there are going to be any radical changes.”

Dave Frederickson, a program manager at Northrop Grumman who works on State contracts, agreed. “I just don’t see that there are a lot of differences there, except that you’ve got the formal specification now that’s in the contractual language upfront,” he said.

Gines added that although the rule’s provisions shouldn’t surprise the contractor community, department officials wanted to offer them as a rule change rather than a policy statement so they would be open for comment.

Daniel Mintz, chief information officer at the Transportation Department, whose rule provided a model for State, said “the critical issue here is to make sure that validating security is an integral part of system procurement and development, not an afterthought.”

State’s IT security requirements

The State Department is seeking public comment on a proposed contracting rule that would require vendors to:
  • Develop an information technology security plan and submit it within 30 days of winning a contract.
  • Provide proof each year that their IT security plans are valid.
  • Receive IT certification and accreditation and comply with other relevant policies and laws.
  • Meet the security requirements established in the Foreign Affairs Manuals and Foreign Affairs Handbooks.
— Ben Bain

About the Author

Ben Bain is a reporter for Federal Computer Week.
