USDA to certify security

Officials at the Agriculture Department, with 29 agencies and more than 500 computer information systems, expects to spend as much as $60 million to certify and accredit those systems during the next five years.

"It's a major undertaking — it's going to take us some time," Gregory Parham, acting associate chief information officer for cybersecurity at USDA told Federal Computer Week.

In an interview this week, Parham said two USDA data centers, the National Finance Center in New Orleans and the National Information Technology Center in Kansas City, Mo., have taken the lead in certifying and accrediting their information systems, as the Federal Information Security Management Act of 2002 requires.

Last October, USDA officials awarded purchasing agreements worth up to $60 million for security certification and accreditation services to 11 companies on the General Services Administration schedule. The companies include: Anteon Corp., CACI Inc., Computer and Hi-tech Management Inc., DSD Laboratories Inc., Newberry Group Inc., Science Applications International Corp., PEC Solutions Inc., Telos Corp., Titan Corp and two others.

Parham said agencies are beginning to tap those contracts for doing IT security-risk assessments, creating security and disaster-recovery plans, writing security guidebooks for users and testing and evaluating computer-security controls. For contracting purposes, he said, agencies typically bundle several of their information systems along with a statement of work, and then ask the companies to bid.

Telos, for example, won a recent task order worth $226,293 to evaluate 15 systems and produce 17 documents for the Kansas City data center.

A portion of USDA's computer-security work is remedial and is not limited to certification and accreditation, Parham said. "We are doing some things that are deferred maintenance."

With respect to computer security, the department faces a challenge similar to that of a few years ago when it had to prepare its systems for the Year 2000 date change, Parham said. The biggest difference, he said, is that the testing of security controls is never really finished.