- By Carl Peckinpaugh
- Jan 26, 2003
During the past several years, federal agencies have spent immense amounts of time and money trying to make their computer systems safe and secure from unauthorized use or intentional damage. These efforts are laudable, and much progress has been made to protect the national information technology infrastructure from malefactors of various sorts.
There is, however, one significant area in which substantially more progress is needed: encouraging government contractors to establish and maintain meaningful computer security procedures.
For little or no cost, much could be accomplished.
At the federal level, basic computer security policy starts with Office and Management and Budget Circular A-130. The document lays out a minimum set of security controls for all federally owned and controlled IT systems. It also requires agencies to provide mandatory periodic training in computer security awareness and accepted computer security practices to all federal employees who are involved in the management, use or operation of federal systems.
Notably, A-130 explicitly extends this training requirement to contractor employees who work with government-owned or supervised computer systems. However, neither the policy nor any other regulation or guideline imposes — or even recommends — such a training procedure for contractor-owned and controlled computer systems.
This lack of concern for contractor-owned computer systems could be viewed as a significant lapse in light of the critical importance that many contractors play in national defense and other national priorities.
In mid-1998, the Defense Department mandated that Defense contracts in which the work is performed outside the continental United States require the contractor to provide their employees with anti-terrorism and force protection awareness information commensurate with what DOD provides to its own military and civilian employees and their families. This was a good idea. It just didn't go far enough.
As we have seen since that rule was adopted, anti- terrorism awareness programs need to include people working in the United States as well as those working abroad. Furthermore, it would seem to make more sense to address physical security in a more comprehensive awareness training program, to include access to computers, offices, file rooms, etc., instead of limiting such training to anti-terrorism concerns. Such physical security considerations are the starting point for any computer security program.
Government contracts should include a provision encouraging contractors to implement physical security awareness training programs modeled on a government standard. That would go a long way to protect information and staff, including the government and its contractors.
Furthermore, the benefits of such a program in loss-avoidance could pay for its cost, especially if the government takes the lead in developing an appropriate model.
Peckinpaugh is corporate counsel for DynCorp in Reston, Va. This column represents his personal views.