DOD moves to improve software assurance

The Defense Department is planning acquisition policy changes aimed at improving the quality and security of the software it buys from vendors.

"We are reviewing our policies to assure acquisition officials that they have the authority to exclude companies or products that represent too much of a risk to DOD," said Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate.

The software assurance initiative is expected to include evaluation of vendors and their business practices as well as of products for critical software.

Jarzombek, who spoke today at the security conference in Washington, said his office is planning a series of workshops this summer to discuss the issues. Recommendations will be presented at a forum tentatively scheduled for Aug. 31 and Sept. 1.

A report released by the General Accounting Office last month found that DOD software security policies do not address the risk of using foreign suppliers.

Although DOD agrees that more attention should be paid to the source of sensitive software, the department wants to avoid passage of buy-American legislation, Jarzombek said.

"Congress is keenly interested in foreign suppliers of products and services," he said. "But that causes us to focus on the wrong problem," because the lines between foreign and domestic suppliers are not clear and because there is no guarantee that domestic suppliers are trustworthy.

As envisioned, the software assurance initiative would require three evaluations for high-assurance software:

  • Counterintelligence threat assessment of the company, to determine the level of trust in employees

  • Business practice assessment, in which the company is checked against 16 practices to ensure that security is incorporated into the development process

  • Product evaluation.

The rigor of product evaluation will depend in part on the results of the first two assessments.

Two of the five anticipated workshops are expected to be open to the vendor community. Dates and locations of the workshops have not been determined. Additional information about the workshops and participation is available from Jarzombek, 703-604-1489, ext. 154.

About the Author

William Jackson is a Maryland-based freelance writer.
