Security Tips for Last-Minute Buyers
Like shoppers crowding stores on Christmas Eve, many officials charged with buying information technology for the federal government wait until the last minute to make their purchases.
Roughly $1 in $5 of the federal government funding for IT goods and services is spent in September, the last month of the fiscal year, according to INPUT, a business intelligence service that tracks government IT. For FY 2009, some $15 billion will be spent this month on IT for executive branch departments and agencies. And, INPUT reports, late-in-the-year tech buying is on the rise: the percentage of IT spending occurring in the fourth quarter by federal agencies has jumped to 34 percent from 28 percent in the past decade.
Why the last minute spending spree? It's use it or lose it: If an agency doesn't spend its budget on IT wares by Sept. 30, it will lose the money in most instances.
In order to keep "their base," chief information officers, chief information security officers, acquisition officials and others responsible for acquiring IT goods might overlook federal compliance rules to assure their purchases are SCAP validated products. It's not that uncommon.
SCAP stands for Security Content Automation Protocol, and is a fusion of interoperable specifications derived from community ideas. I concur with what the National Institute of Standards and Technology says about SCAP:
Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.
Not conforming to SCAP and assuring that purchased IT products - especially those involving personal computers - would not only be unwise from a security perspective, but against federal law. As the administrator for e-government and IT in the Office of Management and Budget, I issued a memorandum establishing the Federal Desktop Core Configuration, a required set of security controls for government computers running Microsoft Windows XP and Vista operating systems.
Still, not everyone in government who should know about this mandate is aware of it. Purchasing agents seeking the best financial deal might not realize that non-compliance could result in down-the-road costs because of avoidable security lapses. With a change in administration, some new IT and acquisition officials might not be aware of the FDCC and SCAP compliance with the federal acquisition rules. Not every inspector general auditor might be up-to-date on these requirements, and even if they are, by the time their audits are released in six months or a year, it could be too late.
So, it's incumbent upon CIOs and CISOs to make sure their IT acquisition agents ask vendors if their products are SCAP validated. It's the vendors, not the agencies, who must conduct the SCAP tests.
But you shouldn't comply just because it's the law. By using SCAP tools and implementing the FDCC, you're configuring your computers to not only be secured, but to position them to accept patches and other changes to safeguard them and government data.
Plus, by complying, you're sending a message to industry that you're serious about managing risk and want to ensure you trust and rely on partners who are honor the federal requirements. It's just the right thing to do.
Karen Evans, as administrator of e-government and information technology in the White House Office of Management and Budget and director of the Federal CIO Council from 2003 to 2009, served as the highest ranking IT executive in the federal government. During her 27-year government career, Evans held numerous IT managerial positions, including CIO of the Department of Energy. She is a partner at KE&T Partners LLC.