FAR rule will require IT security plans

Because all federal agencies depend on contractors to perform IT work, the Office of Management and Budget and the Federal Acquisition Regulation Council are developing a rule to require vendors to adhere to governmentwide IT security regulations.

The security clause would be included in all contracts for IT products and services, and would require vendors to meet mandates in the Computer Security Act, the Governmentwide Information Security Reform Act, OMB Circular A-130 and a variety of guidelines from the National Institute of Standards and Technology.

'There is no formal IT security clause in the FAR right now,' said David Drabkin, deputy associate administrator of the General Services Administration for acquisition policy. 'There is a sense of urgency to get this done because all the events over the last year re-emphasized the need for vigilance for IT security.'

This is not the first time OMB has recognized the importance of making sure contractors meet federal IT security regulations. It listed the security of systems maintained by contractors as one of six governmentwide weaknesses in its GISRA report. Based on agencies' GISRA submissions, OMB found many included no security controls in contracts or failed to follow up and verify that contractors fulfilled any requirements that were in place.

Needs follow-through

'Although we have laws and policy that require this, the weakness is in the implementation of that policy,' an OMB official said. 'The rule would make people more knowledgeable about security controls for contracts and mitigate agency risks.'

The rule still is in draft form, and OMB's Information System Security Committee, which includes CIOs, procurement executives and inspectors general, is reviewing it.

There is no timetable for issuing the final rule, Drabkin said.

The IT Committee of the Civilian Acquisition Council also is working on the draft rule, Drabkin said. When a final version of the draft is complete, the Defense FAR Council must sign off on it before OMB gives the rule final clearance, he said.

The FAR Council is considering several ways to incorporate the requirements. One way, Drabkin said, would be to use something similar to military or federal specifications, which agencies used extensively from the 1930s into the mid-1990s.

Follow this outline

Agencies used mil-specs and fed-specs to outline for contractors how to tailor products or services specifically for government use. This would be done in the requirements stage of the procurement process, Drabkin said.

The Office of Federal Procurement Policy abandoned such specifications in the mid-1990s during procurement reform because many times applying the specs was costly and didn't result in better systems, Drabkin said.

'We are looking at what already exists or what we could reuse,' he said. 'If we end up using something like fed-specs and mil-specs, the CIO community likely would have to adapt how they use them because they are used in the requirements phase and not the contracting phase.'
Another option for OMB and the FAR Council is to use NASA's IT security rule as a model. It took effect July 26.

NASA is requiring contractors on unclassified IT projects to submit and implement security plans detailing processes to ensure IT security is based on governmentwide and NASA-specific regulations.

'We decided not to wait for a governmentwide rule because as we became more aware of breaches of our system, we felt it was important to get contractors more aware of our rules now,' said Celeste Dalton, a NASA procurement analyst who worked on the rule. 'When OMB comes out with a governmentwide rule, we will change our internal rule to match that one.'

Drabkin said the council is considering NASA's clause and whether to extend it to all agencies.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above