Agencies, OMB pushing security requirements through contracts

As the new CIO of the Housing and Urban Development Department, Lisa Schlosser is on a mission to improve the agency’s cybersecurity, and one of her first steps is to put language in all vendor contracts requiring minimum baseline standards.

Schlosser, who came to HUD in February from the Transportation Department, is modeling the program after similar ones in the Air Force and her former agency.

“We got an F on the Federal Information Security Management Act report card, but we are starting the process of improvement,” she said yesterday at a CIO Council symposium on cybersecurity in Washington.

The effort to include security requirements in contracts also is happening in the SmartBuy program, the administration’s enterprise software agreement initiative.

Karen Evans, the Office of Management and Budget’s administrator for e-government and IT, said at the symposium that the CIO Council is working with the General Services Administration’s SmartBuy office to build security into the existing and future agreements.

In fact, OMB issued a memo on SmartBuy this week outlining the details of the deal with Oracle Corp.

An administration official said the memo was released to remind acquisition personnel that the terms and conditions are mandatory for purchasing Oracle products, such as database software.

The official added that SmartBuy is working on redoing the five other enterprise agreements to standardize the terms and conditions for all purchases of those specific products.

At the CIO Council symposium, Schlosser — who while at Transportation led that agency’s climb to an A- in the 2004 report card from a D+ — hopes to use her experience, which includes putting security provisions in contracts, to help HUD improve.

She said HUD is looking at ways to automate the capture and benchmarking of security test results, possibly using a government-owned software program from the Environmental Protection Agency called the Automated Security Self-Evaluation Reporting Tool.

HUD also is looking at a configuration management and testing tool from BindView Corp. of Houston.

All of this work Schlosser and other CIOs have been doing is to meet the FISMA reporting requirements. But more importantly, the efforts are improving the security of their systems, Evans said.

Evans said agencies are minimizing their risks, which means they earn good grades on the FISMA scorecards. “The goal is for us to be in the best cybersecurity position we can be in so when things happen like Zobot we can deal with it,” Evans said. “We have to have a system in place to continuously analyze the risks.”
