DOD to exclude high-risk software vendors
- By William Jackson
- Jul 02, 2004
The Defense Department is changing its software acquisition policy to improve the quality and security of what it buys.
'Acquisition officials have the authority to exclude companies or products that represent too much of a risk to DOD,' said Joe Jarzombek, deputy director for software assurance in the Information Assurance Directorate.
The initiative will require evaluations of developers of critical software and their business practices, as well as of the products themselves.
Jarzombek, who spoke last month at the SecureE-Biz conference in Washington, said his office is planning a series of five workshops. Recommendations for policy changes will be presented at a forum tentatively scheduled for Aug. 31 and Sept. 1.
As government relies more on commercial or outsourced software, and as that software becomes more complex, ensuring its reliability becomes more difficult, the thinking goes. Evaluations focus mainly on software performance and the absence of specified vulnerabilities, with little attention to finding unknown flaws or malicious code.
Undocumented code can open back doors for unauthorized activity.
'We know that major applications we use on our desktops have undocumented features, and it concerns us immensely,' said Edward Kinney, director of IT security for the Homeland Security Department's Customs and Border Protection Directorate.
A General Accounting Office study last month concluded that DOD needs to pay more attention to its software providers. 'Security policies do not fully address the risk of using foreign suppliers to develop weapon system software,' GAO said.
GAO called the use of foreign developers an inherent risk, but it said program managers focus on getting functional software as fast and low-cost as possible. In 16 weapons systems investigated, only five of the program managers said they considered foreign involvement in software development in their risk-mitigation efforts.
DOD agreed it should pay more attention to its software sources but called GAO's complaints and recommendations too narrow.
'We note that risks attributable to software vulnerabilities are not limited to foreign suppliers,' wrote Robert G. Gorrie, director of the Defensewide Information Assurance Program.
He said critical assets requiring high assurance are not limited to weapons systems, and that the task of specifying security requirements and overseeing developers should not be left to program managers, as GAO recommended.
Jarzombek said DOD wants to avoid passage of buy-American legislation that would seek to limit the role of foreign developers.
'Congress is keenly interested in foreign suppliers of products and services,' he said. 'But that causes us to focus on the wrong problem.'Fuzzy dividing line
He said the lines between foreign and domestic companies are unclear, and there are no guarantees that domestic companies are trustworthy. The department would prefer changes in acquisition policy rather than legislation, because policy is more flexible, he said.
The requirements will apply only to high-assurance software, 'because we know we can't do it for everything,' Jarzombek said. The policies could have a trickle-down effect, however, improving other types of software.
Some vendors, especially the smaller ones, are apprehensive about the new rules, Jarzombek said, but some larger companies welcome them. He said Microsoft Corp. favors the initiative because better guidance will make it easier to satisfy customers.
DHS, the Federal Aviation Administration, National Security Agency, and National Institute of Standards and Technology are working with DOD on the new policies. Although they would apply only to DOD acquisitions, Jarzombek said other agencies could adopt the policies.
Dates and locations of the five anticipated workshops have not been set. Two of them will probably be open to vendors. For more information about the workshops and the software assurance initiative, contact Jarzombek at 703-604-1489, extension 154, or e-mail
William Jackson is freelance writer and the author of the CyberEye blog.