Cyber Eye: Leveraging federal purchasing power is tricky
Rep. William Lacy Clay made a familiar plea at a recent congressional hearing about cybersecurity.
'The government should use its purchasing power to increase the security quality of software,' the Missouri Democrat said. 'The government doesn't have to regulate software manufacturers, it only has to use its position in the marketplace.'
The National Security Agency's Michael G. Fleming pointed out the weak spot. There is no single government market, said NSA's chief of information assurance solutions. The market is made up of scores of small federal customers.
In a recent deal with Oracle Corp., however, the Energy Department showed that it is possible to leverage federal purchasing power. Under an enterprise license agreement, Oracle must configure its database software to meet security benchmarks recently released by the Center for Internet Security of Hershey, Pa.
The benchmarks join a growing number of consensus configurations for software. Although vendors have cooperated to develop these benchmarks, they typically have not shipped their products with the default settings. As one Oracle official said, it's difficult to come up with secure default settings because there is no default customer.
The Energy-Oracle deal was possible because of three things:
- Energy is a large Oracle customer.
- Oracle had a financial incentive in the form of administrative savings from consolidating licenses.
- Energy was the lead agency in developing the configuration benchmarks, so it could be sure the benchmarks would produce the settings it needed.
Not every agency can meet these conditions for its software buys. Tim Hoechst, Oracle's senior vice president of technology, said the company does not have immediate plans to ship its software to other customers with the CIS configurations.
But Karen Evans, who helped negotiate the agreement as Energy CIO before moving to the Office of Management and Budget, said she hopes to see such deals institutionalized by the CIO Council as a best practice.
Making security configuration benchmarks a best practice will require agencies to agree on a common set of systems requirements. Every agency has its own special requirements, but such an agreement could give administrators a head start on securing their systems.