Infosec pact wilts; agencies lack funds

The Defense Department's premier information security contract, valued at almost $2 billion when awarded last July, has fizzled out after hitting its minimum guarantee of just $6 million, knowledgeable industry and former DOD sources said.

The state of the contract worries security experts concerned with the vulnerability of unclassified but sensitive DOD networks and computers—prime targets for hackers. "Some DOD systems are already viewed as weak.... This will only make the situation worse," one security expert said.

The Center for Information Systems Security Infosec Technical Services (CISS-ITS) contract, a five-year, indefinite-delivery, indefinite-quantity (IDIQ) pact awarded by the Defense Information Systems Agency in 1995, was to provide one-stop infosec shopping for all three services and the DOD agencies. The winning contractors—Computer Sciences Corp., Science Applications International Corp. and Merdan Group—were expected to provide a wide range of infosec services, from policy development to training.

But a lack of available funding for security services, combined with wavering support for the contract within DOD, has undercut the infosec pact.

"It's just an empty bag," one industry executive said last week. It is the winning vendors who will be left holding the bag, this source added, because he believes DISA does not plan to process task orders now that it has met its legal minimum.

Asked to comment on the contract at an Armed Forces Communications and Electronics Association forum last week, DISA director Lt. Gen. Al Edmonds said only that the agency had expended the $6 million.

John Pescatore, research director for information security at IDC Government, Falls Church, Va., said the lack of success of the infosec contract does not surprise him. "I don't know of any command that has funding for security that wants to hand those funds over to DISA."

One source said DISA does not plan to cancel the contract but quickly added, "Neither does DISA plan to actively manage it. They cannot afford to." Another source confirmed this take, saying DISA "does not have the money."

Other sources said the situation reflects the chancy nature of IDIQ contracts as well as a lack of commitment by top DOD officials to information security. Roughly 90 percent of the projected value of CISS-ITS was expected to come from individual service agencies and organizations funding specific task orders under the contract.

With little infosec money in the till—except $750 million earmarked for the Defense Message System—potential users did not have the funds to get services from the pact. DISA, which must fund its own operations by the overhead it gets from managing programs, could not recover enough of its program management costs from the slow rate of CISS-ITS orders, sources said.

The program also suffered from a lack of strong management, industry sources said. DISA operations chief Air Force Brig. Gen. James Beale has responsibility for CISS-ITS, but his job—particularly his recent commitment to provide telecommunications support to the U.S. forces in Bosnia—has kept him focused elsewhere.

Finally, industry sources familiar with infosec issues said top DOD management has differing views on the need for infosec and its funding in budget-constrained times. DISA's Edmonds and Emmett Paige Jr., assistant secretary of Defense for command, control, communications and intelligence, back a strong infosec program. But top policy makers in the Pentagon do not share the same view, sources said. "Infosec does not fly, sail into harm's way or grind its way across the desert," one former DOD official said, "and that makes it hard to secure a funding line. There are people in the Pentagon who either believe 'information warfare' threats are exaggerated or, conversely, believe that no amount of money will solve the problem."

Don Hagerling, a consultant who previously served as the ADP security assistant to the chief of naval operations, faulted the contractors' marketing efforts. Hagerling said that from his observation, the CISS-ITS vendors failed to market the program "outside the Beltway."

Hagerling added that the other problem with the infosec contract is that it "focuses not on legacy but new systems, and many of those have been put on hold due to funding or deferred to the Global Command and Control System, which has its own security."

Officials of all three CISS-ITS contractors declined to comment for this article.
