Some Words From a FAR
Posted September 9th, 2008 by rybolov
FAR: it’s the Federal Acquisition Regulation, and it covers all the buying that the government does. For contractors, the FAR is a big deal–violate it and you end up blackballed from Government contracts or having to pay back money to your customer, either of which is a very bad thing.
In early August, OMB issued Memo 08-22 (standard .pdf caveat blah blah blah) which gave some of the administrivia about how they want to manage FDCC–how to report it in your FISMA report, what is and isn’t a desktop, and a rough outline on how to validate your level of compliance.
Now I have mixed feelings about FDCC, you all should know that by now, but I think the Government actually did a decent thing here–they added FDCC (and any other NIST secure configuration checklists) to the FAR.
Check this section of 800-22 out:
On February 28, 2008, revised Part 39 of the Federal Acquisition Regulation (FAR) was published which reads:
PART 39-ACQUISITION OF INFORMATION TECHNOLOGY
1. The authority citation for 48 CFR part 39 continues to read as follows: Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).
2. Amend section 39.101 by revising paragraph (d) to read as follows:
39.101 Policy.
* * * * *
(d) In acquiring information technology, agencies shall include the appropriate IT security policies and requirements, including use of common security configurations available from the NIST’s website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.
Translated into English, what this means is that the NIST configuration checklists are coded into law for Government IT purchases.
This has a HUGE impact on both the Government and contractors. For the Government, they just outsourced part of their security to Dell and HP, whether they know it or not. For the desktop manufacturers, they just signed up to learn how FDCC works if they want some of the Government’s money.
Remember back in the halcyon days of FDCC when I predicted that one of the critical keys to success for FDCC was to be able to buy OEM desktops with the FDCC images on them? It’s slowly becoming a reality.
Oh what’s that, you don’t sell desktops? Well, this applies to all NIST configuration checklists, so as NIST adds to the intellectual property in the checklists program, you get to play too. Looking at the DISA STIGs as a model, you might end up with a checklist for literally everything.
So as somebody who has no relation to the US Federal Government, you must be asking by now how you can ride the FDCC wave? Here’s Rybolov’s plan for secure desktop world domination:
- Wait for the government to attain 60-80% FDCC implementation
- Wait for desktops to have an FDCC option for installed OS
- Review your core applications on the FDCC compatibility list
- Adopt FDCC as your desktop hardening standard
- Buy your desktop hardware with the image pre-loaded
- The FDCC configuration rolls uphill to be the default OS that they sell
- ?????
- Profit!
And the Government security trickle-down effect keeps rolling on…
Cynically, you could say that the OMB memos as of late (FDCC, DNSSEC) are very well coached and that OMB doesn’t know anything about IT, much less IT security. You probably would be right, but seriously, OMB doesn’t get paid to know IT, they get paid to manage and budget, and in this case I see some sound public policy by asking the people who do know what they’re talking about.
While we have our cynical hats on, we might as well give a nod to those FISMA naysayers who have been complaining for years that the law wasn’t technical/specific enough. Now we have very static checklists, and the power to decide what a secure configuration should be has been taken out of the hands of the techies who would know and given to research organizations and bureaucratic organizations who have no vested interest in making your gear work.
Posted in FISMA, NIST, What Doesn't Work, What Works | 8 Comments »
September 9th, 2008 at 5:26 pm
I have never understood the fascination with getting vendors to supply desktops with FDCC baked in. In most environments the IT services people have their own Windows installation they will overwrite the vendor supplied disk with. Having FDCC built in means you don’t have the agency tailored version of the FDCC where they’ve customized for environmental requirements (like turning on wireless or adding agency approved banners). At best it is a boon to smaller operations that lack the central IT services that can implement things correctly.
I like the idea of having vendors supplying ISAP/SCAP configured systems out of the box beyond FDCC. All I know for sure is it will be an interesting time as we plunge into the new secure configuration at delivery era.
September 9th, 2008 at 5:34 pm
Ah, the missing piece being that what smart people are doing so far is going to the Dells and HPs of the world with their own image and it gets installed by them–I’ve seen that on a couple “seat management” contracts already. For purchases of 2Bazillion desktops, it makes sense to do it that way.
So yeah, some of this has been happening already, but nobody knows about it much.
September 17th, 2008 at 5:02 pm
So, does anyone have sample contract language to use to ensure your procurement complies with the FAR part 39?
As you point out in the comments, it seems like a tempest in a teapot since 97% of the FDCC can be set through Group Policy Objects and as you point out almost all of us re-image machines from vendors or provide them our image to pre-image the machine with.
We have to renew our hardware contracts and are being told to make them “compliant” with the OMB memorandum, and I’m starting to get a headache in trying to figure out how to come up with a clause that meets the requirement but isn’t so overly specific as to cause undue expense to the government for something that the individual sub-agencies will probably re-do to fit the machine in their environment anyway :p
September 17th, 2008 at 5:26 pm
Hi Eric
I don’t think anybody has a good idea on how to do this. Really what I would do is add something about “using our pre-approved image” into the product requirements when you buy desktops.
To be painfully honest, what I think most contracting officers would do is a one-liner “Contractor must be compliant with the NIST Configuration Checklists Program from SP 800-70” or they’ll blow it off entirely feeling that a blanket “Contractor must be compliant with FISMA and all NIST guidance” covers FDCC too. Either of which is simply “throwing it over the fence to the contractor” and a gross disservice to everyone involved.
And yeah, if all you’re doing is buying hardware, it’s an easy problem. If it’s a truly outsourced desktop environment a la the old “seat management” contracts, then it gets hard really fast.
September 19th, 2008 at 9:15 am
OK, I found some language in an OMB memo:
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf
that is more than sufficient to get things started and make the IG happy 🙂
Hope this can help save others some time.
I agree with you – in the long run we are probably going to work to a government provided image. Maybe this can be the stick to finally get a standard image in my agency and move towards actual configuration management.
Or is that me being overly optimistic again? 🙂
October 27th, 2008 at 6:11 am
I don’t think anybody has a good idea on how to do this. Really what I would do is add something about “using our pre-approved image” into the product requirements when you buy desktops.
To be painfully honest, what I think most contracting officers would do is a one-liner “Contractor must be compliant with the NIST Configuration Checklists Program from SP 800-70” or they’ll blow it off entirely feeling that a blanket “Contractor must be compliant with FISMA and all NIST guidance” covers FDCC too. Either of which is simply “throwing it over the fence to the contractor” and a gross disservice to everyone involved.
And yeah, if all you’re doing is buying hardware, it’s an easy problem. If it’s a truly outsourced desktop environment a la the old “seat management” contracts, then it gets hard really fast.
October 27th, 2008 at 6:43 pm
Well raza, the language provided in the OMB memo I link to is a pretty good start.
For a “simple” hardware volume buy contract like I deal with, ultimately I think a government provided image makes the most sense and where I think we will be going.
For seat management – if you are doing a new contract – NIST provides much of what you need to get started. To modify an existing contract – well, it’s a pretty major new requirement – should be lots of fun to try to incorporate without a recompete…
October 28th, 2008 at 9:17 am
Just please be careful with a blanket statement on using the NIST checklist program and be sure to specify that it only applies to configurations valid at the start of the contract. If NIST gets its act together and starts making checklists for everything and your contract is something like a 5-year period of performance, who knows what implied requirements both the Government and the Contractor just signed up for.