State codifies security language

Proposed contracting rule would standardize wording of vendors’ IT security obligations

State’s proposed rule in the Federal Register

After years of struggling with information security, the State Department has decided to codify how contractors implement federal information security regulations. Officials are asking for comments on a proposed rule that would define information technology security requirements for all contractors that do business with State.

The Federal Acquisition Regulation was amended in 2005 to incorporate the Federal Information Security Management Act of 2002. However, State wants to update its internal acquisition rules to be doubly certain the agency does not omit any IT security requirements in its contracts or statements of work, said Gladys Gines, a procurement analyst at State.

The proposed rule “is a way to codify these requirements and to standardize the language so that it is consistent across contracts,” Gines said. “This way, we’ve got the same language for all of our contracts and the same requirements, and there is no issue of somebody perhaps forgetting to include something in a work statement.”

Under State’s proposed rule, IT contractors would be responsible for the security of systems that access the department’s mission-related information. Vendors would need to include a security plan with their bids and monitor information security on projects for which they win contracts.

State has consistently received low marks on meeting FISMA requirements, which mandate that federal agencies establish IT security policies commensurate with the vulnerability of the systems they are designed to protect.

Rep. Tom Davis (R-Va.), ranking member of the Oversight and Government Reform Committee, gave State an F on its last two annual FISMA report cards. A Davis spokesman said the lawmaker commended State for the move.

“When you have State, Defense and the Nuclear Regulatory Commission all making Fs and the Department of Homeland Security making a D, it makes sense to start on procurement with reforms and go forward from there,” Davis’ spokesman said. “These are critical agencies. Compromises in security could cost a lot more than identity theft. They could cost lives.”

Jeremy Grant, senior vice president and identity solutions analyst at the Stanford Group, said State and other agencies that have not fully implemented FISMA should have done it long ago. However, he added, most IT contractors already conduct the activities outlined in State’s new rule, so compliance should not be too difficult for contractors.

“Any company that is worth its salt ought to be doing that today and should have been doing that for several years,” he said. “I wouldn’t say there are going to be any radical changes.”

Dave Frederickson, a program manager at Northrop Grumman who works on State contracts, agreed. “I just don’t see that there are a lot of differences there, except that you’ve got the formal specification now that’s in the contractual language upfront,” he said.

Gines added that although the rule’s provisions shouldn’t surprise the contractor community, department officials wanted to offer them as a rule change rather than a policy statement so they would be open for comment.

Daniel Mintz, chief information officer at the Transportation Department, whose rule provided a model for State, said “the critical issue here is to make sure that validating security is an integral part of system procurement and development, not an afterthought.”

State’s IT security requirements

The State Department is seeking public comment on a proposed contracting rule that would require vendors to:
  • Develop an information technology security plan and submit it within 30 days of winning a contract.
  • Provide proof each year that their IT security plans are valid.
  • Receive IT certification and accreditation and comply with other relevant policies and laws.
  • Meet the security requirements established in the Foreign Affairs Manuals and Foreign Affairs Handbooks.
— Ben Bain

About the Author

Ben Bain is a reporter for Federal Computer Week.

