GCN Home > 08/26/02 issue
FAR rule will require IT security plans
By Jason Miller, GCN Staff
Because all federal agencies depend on contractors to perform IT work, the Office of Management and Budget and the Federal Acquisition Regulation Council are developing a rule to require vendors to adhere to governmentwide IT security regulations.

The security clause would be included in all contracts for IT products and services, and would require vendors to meet mandates in the Computer Security Act, the Governmentwide Information Security Reform Act, OMB Circular A-130 and a variety of guidelines from the National Institute of Standards and Technology.

"There is no formal IT security clause in the FAR right now," said David Drabkin, deputy associate administrator of the General Services Administration for acquisition policy. There is a sense of urgency to get this done because all the events over the last year re-emphasized the need for vigilance for IT security.

This is not the first time OMB has recognized the importance of making sure contractors meet federal IT security regulations. It listed the security of systems maintained by contractors as one of six governmentwide weaknesses in its GISRA report. Based on agencies' GISRA submissions, OMB found many included no security controls in contracts or failed to follow up and verify that contractors fulfilled any requirements that were in place.

Needs follow-through

"Although we have laws and policy that require this, the weakness is in the implementation of that policy," an OMB official said. The rule would make people more knowledgeable about security controls for contracts and mitigate agency risks.

The rule still is in draft form, and OMB's Information System Security Committee, which includes CIOs, procurement executives and inspectors general, is reviewing it.

There is no timetable for issuing the final rule, Drabkin said.

The IT Committee of the Civilian Acquisition Council also is working on the draft rule, Drabkin said. When a final version of the draft is complete, the Defense FAR Council must sign off on it before OMB gives the rule final clearance, he said.
