[ISN] IT security requirements now part of the FAR

From: InfoSec News (isn@private)
Date: Mon Oct 03 2005 - 22:50:21 PDT

Previous message: InfoSec News: "[ISN] Symantec buys BindView Development for $209 million"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

http://www.gcn.com/vol1_no1/daily-updates/37162-1.html

By Jason Miller 
GCN Staff
09/30/05 

One of the final pieces to improving agency IT security across the
government finally is in place: Starting today, contracting officers
must include cybersecurity requirements in acquisition planning.

The Federal Acquisition Regulations Council issued an interim rule [1]
today outlining five new steps acquisition workers must take to ensure
IT security is incorporated into all purchases. As an interim rule
taking effect now, the FAR Council will accept comments until Nov. 29.

This rule has been in the works for some time. The E-Government Act of
2002, which included the Federal Information Security Management Act
of 2002, called for increased security in all phases of the system's
lifecycle. And the FAR Council has been writing this rule since 2003 [2].

"The intent of adding specific guidance in the FAR is to provide
clear, consistent guidance to acquisition officials and program
managers," the rule said, "and to encourage and strengthen
communication with IT security officials, CIOs and other affected
parties."

The rule:
 
* Requires acquisition professionals to seek the advice of IT security 
  specialists 

* Defines information security 

* Incorporates security requirements in acquisition planning and when 
  describing agency needs 

* Requires contracting officers to adhere to Federal Information 
  Processing Standards 

* Requires contracting officers to include appropriate agency security 
  policy and requirements in IT acquisitions. 

"The Councils recognize that IT security standards will continue to 
evolve and that agency-specific policy and implementation will evolve 
differently across the spectrum of federal agencies," the rule said. 
"Agencies will customize IT security policies and implementations to 
meet mission need[s]."

[1] http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/05-19468.htm
[2] http://www.gcn.com/21_25/news/19772-1.html



_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org

Previous message: InfoSec News: "[ISN] Symantec buys BindView Development for $209 million"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Oct 03 2005 - 23:13:06 PDT