SEPTEMBER 19, 2003 ( COMPUTERWORLD ) - Five federal agencies, in collaboration with the Center for Internet Security and Oracle Corp., tomorrow will announce a broad federal procurement initiative to improve software security. 
Under the initiative, software vendors will have to ensure that their software meets specific safe configuration requirements and that any fixes they provide to patch vulnerabilities are reliable and won’t compromise these configurations. 

The idea behind the initiative is to use the federal government’s purchasing power to make software vendors accept more responsibility for the security of their software, said Alan Paller, director of the SANS Institute, a Bethesda, Md.-based security research firm. 

The initiative was prompted by the growing problems users face because of unsafe software configurations, he said, adding that software vendors will be required to ensure that default settings are secure to avoid problems later on. 

The federal government recently launched a procurement program called SmartBuy, which it hopes will drive better pricing and contractual terms from software vendors by consolidating purchases. SmartBuy will allow federal agencies to negotiate tougher terms relating to security, Paller said. The initiative being announced Tuesday is an example of that tougher stance. 

“This is about partnering with vendors so that they take responsibility” for software security, Paller said. He added that he expects the federal initiative to set a model for software procurement in the private sector as well. 

Karen Evans, CIO of the U.S. Department of Energy who was recently named by President Bush to head all e-government initiatives, will announce the first contract to be signed under the initiative. 

The contract will demonstrate “a new way for government to purchase software with security built in,” according to a press alert from the CIS, which is organizing the event. 

The other federal agencies participating in the announcement are the U.S. Department of Homeland Security, the National Security Agency, the Defense Information Systems Agency and the U.S. General Services Administration. Also involved in the announcement are approximately 120 CIOs and security specialists from government and industry. 

Sources familiar with the announcement confirmed Oracle’s involvement in the initiative. An Oracle spokeswoman today declined to comment. 

CIS Vice President Bert Miuccio said the initiative builds on a CIS-led effort last year involving the creation of benchmark security standards for Windows 2000 professionals (see story). That effort focused on creating a checklist of security settings for Windows 2000 systems that vendors could use when shipping systems to users. 

Last year’s initiative was backed by several government agencies, including NSA, DISA and the National Institute of Standards and Technology. The scope of Tuesday's announcement is significantly broader, Miuccio said.