The U.S. government has started to use its immense purchasing power to influence cybersecurity, beginning with a Department of Energy (DOE) contract with Oracle Corp. that requires the software vendor to build in security configurations.
The DOE along with four other federal agencies and the membership organization Center for Internet Security (CIS) announced Tuesday the release of a security configuration benchmark for Oracle Database versions 8i and 9i running on Windows and Unix. A DOE contract with Oracle requires the vendor to deliver its database software to the agency with the security configurations installed.
DOE and CIS officials hope the DOE contract will be a model for future software procurement negotiations between the U.S. government and software vendors, although agencies will have to evaluate their needs against procurement requirements, said Karen Evans, chief information officer at DOE.
“What we’re talking about today we hope will be called a best practice in federal government,” Evans said. “The federal employees and citizens really want to know their systems are secure. The public wants to know that the information they give to the government is going to be protected against theft, fraud and abuse.”
Software vendors should expect more such demands in contracts, but not just from government, said others at a press conference in Washington, D.C.
“This is an example for corporations, too,” said Sallie McDonald, acting director of outreach and awareness in the National Cyber Security Division of the Department of Homeland Security (DHS). “There’s no reason why it needs to just exist in government.”
The 50-plus-page, 250-item security configuration benchmark, developed with dozens of Oracle software users and the SANS Institute through CIS, will be available to anyone free of charge at http://www.cisecurity.org. But a DOE contract for an Oracle enterprise license, the first phase of which is worth US$5 million, requires Oracle to ship the security configurations in databases delivered to DOE and requires the vendor to ensure that any future security updates it ships to DOE are compatible with the benchmark.
Along with the security configuration benchmark, CIS will release an automated scoring tool that government agencies and private enterprises can use to test their configurations against the benchmark. The scoring tool, in the final stages of development testing, will give the host system a score ranging from one to 10, based on how closely system administrators have followed the security benchmark.
The Oracle Database is not the first software configuration benchmarking project done at CIS – others include various Windows products, HP-UX and Linux – but it’s the first built into a federal agency contract.
Tim Hoechst, Oracle’s senior vice president of technology for government, education and health care, welcomed the DOE contract, saying it will help create a culture of cybersecurity that his company has encouraged for its customers.
Oracle is just beginning to look into whether to ship the CIS benchmark settings on all its database software by default, Hoechst said. The problem is that Oracle has a wide range of users, from government agencies wanting to protect data at all costs, to research scientists who want to strip out all the security settings so that they can write information to the database as quickly as possible, he said.
The DOE contract will encourage users to use Oracle Database products in the best way they’re intended to work, and it provides an important feedback loop to Oracle about security features customers want built in, Hoechst said.
“What it’s done is shown us how one of our most important customer bases uses security in their environment, how they … want to exploit our technology, and given us the opportunity to help influence that technology,” he said.
The CIS/DOE recommendations could be implemented easily by changing several configurations as the Oracle Database is installed, Hoechst said. For already installed software, implementing the changes could take hours longer, although how long depends on the configuration a government agency or private company wants.
The security configuration didn’t cost the DOE any extra money, Evans said. “What we said is, ‘No, no, no, this is something you should be giving us right out of the box,'” she said.
The DOE contract should serve as a model to other large organizations looking to leverage their buying power with software vendors, and is the first step in the government using its buying power to influence vendors, added McDonald, from DHS. “It’s really putting your money your mouth is,” she said of the DOE demands. “You’ve got to look at the buying influence the government has.”