Agencies, OMB get security provisions in writing

One of the first steps Lisa Schlosser, the new CIO of the Housing and Urban Development Department, is taking to improve cybersecurity is to get it in writing—by including baseline security requirements in all contracts.

Schlosser, who came to HUD in February from the Transportation Department, is modeling the program after similar ones in the Air Force and her former agency.

“[HUD] got an F on the Federal Information Security Management Act report card, but we are starting the process to improvement,” she said recently at a CIO Council symposium in Washington on cybersecurity.

The effort to include security requirements in contracts also includes the SmartBuy program, the administration’s enterprise software agreement initiative.

Karen Evans, the Office of Management and Budget’s administrator for e-government and IT, said at the symposium that the CIO Council was working with the General Services Administration’s SmartBuy office to build security into the existing and future agreements.

In fact, OMB issued a memo on SmartBuy this week, outlining the details of the deal with Oracle Corp.

An administration official said the memo was released to remind acquisition personnel that the terms and conditions are mandatory for purchasing Oracle products, such as database software.
The official added that SmartBuy is working on redoing the five other enterprise agreements to standardize terms and conditions for all purchases of those specific products.

At the symposium, Schlosser—who at Transportation led that agency’s climb to an A- in the 2004 report card from a D+—said putting security provisions in contracts is part of helping HUD improve.

She said HUD is looking at ways to automate the capture and benchmarking of security test results, possibly using a government-owned software program from the Environmental Protection Agency called the Automated Security Self-Evaluation Reporting Tool.

HUD also is looking at a configuration management and testing tool from BindView Corp. of Houston.

The immediate goal of the work Schlosser and other CIOs have been doing is to meet the FISMA reporting requirements, but Evans pointed out that those efforts are also improving the security of their systems.

Evans said agencies are minimizing their risks, which means they earn good grades on the FISMA scorecards. “The goal is for us to be in the best cybersecurity position we can be in, so when things happen like Zotob, we can deal with it,” Evans said. “We have to have a system in place to continuously analyze the risks.”

About the Author

Connect with the GCN staff on Twitter @GCNtech.

