Government and tech industry release security recommendations

Five federal agencies, a nonprofit Internet security group and one of the nation's largest software manufacturers have issued recommendations for making one of the most popular software programs in the government more secure. The move, announced at a press conference in Washington Tuesday, marks a watershed between the government and the technology industry, officials said.

Oracle Corp., the giant database software maker that counts the federal government as its largest single customer, has agreed to deliver a new version of its product to the Energy Department that has more than 250 specific security enhancements. Those modifications have been packaged in a "benchmark document" that is being published on the Internet, so that other federal agencies can take advantage of it.

It's unclear how many agencies will avail themselves of the security recommendations, since implementing them could take considerable time and effort. Karen Evans, Energy's chief information officer and a driving force behind the deal with Oracle, noted that the lengthy process of making security changes to commercial software was one of the reasons her department sought concessions from the company before the product was delivered.

The Energy Department deal conforms to an Office of Management and Budget mandate to use the federal government's significant purchasing power to gain concessions and special arrangements from technology contractors. The government is the single largest purchaser of information technology goods and services in the United States.

The Center for Internet Security, which helped craft Oracle's modifications, is also developing an automated tool that will scan a system and score it on how well it complies with the benchmarks. The tool is in the final stages of development, and the center will release it publicly when it is finished.

Energy and Oracle reached their agreement in the summer, but neither side had publicly announced the deal or the release of the benchmark document before.

Evans will have broader authority over procurement and security strategy when she takes over the position of e-government and technology chief at OMB next month. She replaces Mark Forman, the president's first e-government administrator, who is taking a job in the private sector.

Oracle is delivering the more secure software as part of a two-phase licensing agreement with Energy. The first phase will cover the department's headquarters in Washington and is valued at $5 million, Evans said. The second phase, which Evans expects to be implemented in the next fiscal year, will provide the Oracle software to government and contract Energy locations across the country, she said.