DOD moves to improve software assurance

The Defense Department is planning acquisition policy changes to improve the quality and security of software it buys.

The Defense Department is planning acquisition policy changes aimed at improving the quality and security of the software it buys from vendors.

"We are reviewing our policies to assure acquisition officials that they have the authority to exclude companies or products that represent too much of a risk to DOD," said Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate.

The software assurance initiative is expected to include evaluation of vendors and their business practices as well as of products for critical software.

Jarzombek, who spoke today at the SecurE-Biz.net security conference in Washington, said his office is planning a series of workshops this summer to discuss the issues. Recommendations will be presented at a forum tentatively scheduled for Aug. 31 and Sept. 1.

A report released by the General Accounting Office last month found that DOD software security policies do not address the risk of using foreign suppliers.

Although DOD agrees that more attention should be paid to the source of sensitive software, the department wants to avoid passage of buy-American legislation, Jarzombek said.

"Congress is keenly interested in foreign suppliers of products and services," he said. "But that causes us to focus on the wrong problem," because the lines between foreign and domestic suppliers are not clear and because there is no guarantee that domestic suppliers are trustworthy.

As envisioned, the software assurance initiative would require three evaluations for high assurance software:

  • Counterintelligence threat assessment of the company, to determine the level of trust in employees

  • Business practice assessment, in which the company is checked against 16 practices to ensure that security is incorporated into the development process

  • Product evaluation.

The rigor of product evaluation will depend in part on the results of the first two assessments. Two of the five anticipated workshops are expected to be open to the vendor community. Dates and locations of the workshops have not been determined. Additional information about the workshops and participation is available from Jarzombek, 703-604-1489, ext. 154.