Many policy makers in Washington have concluded that procurement
innovation is a better tool than legislation for getting vendors to
deliver safer systems. SANS has been asked to help with one of the major
procurement initiatives and we would appreciate your help. Our task is
to find examples of procurement language that has been used. If your
organization has used procurement language to improve security, we would
greatly appreciate seeing the wording. Your name and organization will
not be disclosed unless you tell us you want it to be. Some examples we
have already discovered include clauses that call for systems to be
configured secure on delivery - with specific services turned off and
default settings improved, and clauses that call for vendors to affirm
that their systems contain none of the "Top 20 internet vulnerabilities"
published by SANS and the FBI. There are probably many more, such as
clauses that call for delivery of patches that do not undo secure
configuration, or automated patch delivery or other ongoing security
responsibilities. If you have used any contract language you think has
helped improve security, please email us at [log in to unmask] with the
subject "procurement examples".
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/cg/.