Network World

Gov't agency uses buying power to encourage security

By Grant Gross , IDG News Service , 09/23/2003

WASHINGTON - The U.S. government has started to use its immense purchasing power to influence cybersecurity, beginning with a Department of Energy contract with Oracle that requires the software vendor to build in security configurations.

The Energy Department, along with four other federal agencies and the membership organization Center for Internet Security (CIS), announced Tuesday the release of a security configuration benchmark for Oracle Database versions 8i and 9i running on Windows and Unix. An Energy Department contract with Oracle requires the vendor to deliver its database software to the agency with those security configurations already applied.

Officials hope the contract will be a model for future software procurement negotiations between the U.S. government and software vendors, although agencies will have to evaluate their needs against procurement requirements, said Karen Evans, chief information officer at the Energy Department.

"What we're talking about today we hope will be called a 'best practice' in federal government," Evans said. "The federal employees and citizens really want to know their systems are secure. The public wants to know that the information they give to the government is going to be protected against theft, fraud and abuse."

Software vendors should expect more such demands in contracts, but not just from government, said others at a press conference in Washington, D.C.

"This is an example for corporations, too," said Sallie McDonald, acting director of outreach and awareness in the National Cyber Security Division of the Department of Homeland Security. "There's no reason why it needs to just exist in government."

The 50-plus-page, 250-item security configuration benchmark, developed with dozens of Oracle software users and the SANS Institute through CIS, will be available to anyone free of charge online. But the contract for an Oracle enterprise license, the first phase of which is worth $5 million, requires Oracle to ship the security configurations in databases delivered to the Department of Energy and requires the vendor to ensure that any future security updates it ships to the agency are compatible with the benchmark.

Along with the security configuration benchmark, CIS will release an automated scoring tool that government agencies and private enterprises can use to test their configurations against the benchmark. The scoring tool, in the final stages of development testing, will give the host system a score from 1 to 10 reflecting how closely system administrators have followed the benchmark.
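The kind of comparison such a scoring tool performs, as an added illustration that is not the CIS tool's code or the benchmark's content: parse a dump of database initialization parameters, evaluate each item against the values that satisfy it, and scale the pass rate onto the 1-to-10 range the article describes. The five checks, the `name = value` dump format and the scoring formula are assumptions made for this example (the parameter names are real Oracle initialization parameters, but the selection is not the benchmark's actual item list).

```python
"""Added example: a minimal benchmark-style configuration scorer.

Not the CIS scoring tool or the benchmark's content. The checks are
illustrative stand-ins (assumption) and the dump format is assumed to be
one `name = value` line per parameter.
"""
from dataclasses import dataclass

# Constructed sample dump of Oracle initialization parameters for a
# loosely configured instance (assumed format, not captured output).
SAMPLE_PARAMETERS = """\
remote_os_authent = TRUE
o7_dictionary_accessibility = FALSE
audit_trail = NONE
remote_login_passwordfile = EXCLUSIVE
sql92_security = FALSE
"""

# Constructed sample for an instance that satisfies every check below.
HARDENED_PARAMETERS = """\
remote_os_authent = FALSE
o7_dictionary_accessibility = FALSE
audit_trail = DB
remote_login_passwordfile = EXCLUSIVE
sql92_security = TRUE
"""


@dataclass(frozen=True)
class Check:
    """One benchmark item: a parameter and the values that satisfy it."""
    check_id: str
    description: str
    param: str
    allowed: frozenset


# Illustrative checks using real Oracle parameter names; the selection and
# allowed values are assumptions for this example, not the benchmark's text.
CHECKS = (
    Check("CHK-1", "OS-authenticated remote logins disabled",
          "remote_os_authent", frozenset({"FALSE"})),
    Check("CHK-2", "Oracle7-style dictionary access disabled",
          "o7_dictionary_accessibility", frozenset({"FALSE"})),
    Check("CHK-3", "Auditing enabled",
          "audit_trail", frozenset({"DB", "OS", "TRUE"})),
    Check("CHK-4", "Password file limited to a single database",
          "remote_login_passwordfile", frozenset({"EXCLUSIVE", "NONE"})),
    Check("CHK-5", "SQL92 security semantics for UPDATE/DELETE",
          "sql92_security", frozenset({"TRUE"})),
)


def parse_parameters(text):
    """Parse `name = value` lines into a dict; names lower-cased, values upper-cased."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # skip malformed lines rather than guess at them
        params[name.strip().lower()] = value.strip().upper()
    return params


def evaluate(params, checks=CHECKS):
    """Return (check_id, passed, actual_value) per check; an unset parameter fails."""
    results = []
    for check in checks:
        actual = params.get(check.param, "<unset>")
        results.append((check.check_id, actual in check.allowed, actual))
    return results


def failed_ids(results):
    """IDs of the checks that did not pass, for the remediation list."""
    return [cid for cid, passed, _ in results if not passed]


def score(results):
    """Scale the pass rate onto 1..10: no items passed -> 1, all passed -> 10."""
    if not results:
        raise ValueError("no checks evaluated")
    passed = sum(1 for _, ok, _ in results if ok)
    return 1 + round(9 * passed / len(results))


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_PARAMETERS), ("hardened", HARDENED_PARAMETERS)):
        res = evaluate(parse_parameters(dump))
        print(f"{label}: score {score(res)}/10, failing: {failed_ids(res)}")
```

An unset parameter is treated as a failure rather than silently skipped, so a dump that omits a checked parameter lowers the score instead of inflating it; a real tool would also weight items by severity, which this example deliberately leaves flat.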
