$1.5B DOD security deal in the works

  • By Dan Verton
  • Mar 05, 2000

The Defense Department this week plans to launch a $1.5 billion procurement for a wide range of information security services, including new efforts to defend critical DOD networks against the kind of attacks that recently locked up Yahoo, Amazon.com and other popular Web sites.

The Information Assurance Capabilities contract, managed through a Defense Information Systems Agency and National Security Agency joint program office, will replace contracts awarded in 1995 to Computer Sciences Corp., Science Applications International Corp. and Merdan Group Inc.

Although the new contract focuses on off-the-shelf security products and services, DOD also aims to use the contract to integrate its major networks and ensure that those networks remain secure and available around-the-clock.

"What we are really concerned about is the protection of the network from denial-of-service attacks," said Peter Paulson, chief of the Networks Division at DISA, speaking at the Federal Telecommunications Conference last week.

Senior DISA officials also have told industry that the contract's task areas, including a classified portion known as Task Area 5, "place a great deal of emphasis on network-based intrusion detection and recovery techniques and processes."

Despite increased interest in denial-of-service attacks, not everyone is convinced that the contract will be used to its full potential. The $2 billion Infosec Technical Services deal, which this contract will replace, fizzled in 1996 after only about $6 million in business.

At the time, officials blamed the contract's poor performance on lack of security funding and agencies' lack of commitment to security.

But that may be changing.

In a March 3 executive memorandum, the Clinton administration directed all agency and department heads to seek assistance from contractors with expertise in denial-of-service attacks. The administration also plans to enforce new governmentwide security policies as early as next year (see related story).

Security Checklist

1. Show that system security is an integral part of the agency's ITarchitecture.

2. Report the costs of security and show how the security plan is partof the life-cycle of the system. Develop a security plan that includes thesecurity rules for the system and the consequences of violating the rulesand a way to identify, limit and control connections to other systems.

3. Identify security risks and how risks will be assessed and minimized.Demonstrate how security controls are commensurate with the risk.

4. Use appropriate security for systems that permit public access. Ensurepersonal information is consistent with relevant federal policies.

5. Account for departures from National Institute for Standards andTechnology guidance.

BY Dan Verton
Mar. 6, 2000

More Related Links

Featured

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.