DOD moves to improve software assurance

The Defense Department is planning acquisition policy changes aimed at improving the quality and security of the software it buys from vendors.

'We are reviewing our policies to assure acquisition officials that they have the authority to exclude companies or products that represent too much of a risk to DOD,' said Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate.

The software assurance initiative is expected to include evaluation of vendors and their business practices as well as of products for critical software.

Jarzombek, who spoke today at the security conference in Washington, said his office is planning a series of workshops this summer to discuss the issues. Recommendations will be presented at a forum tentatively scheduled for Aug. 31 and Sept. 1.

A report released by the General Accounting Office last month found that DOD software security policies do not address the risk of using foreign suppliers.

Although DOD agrees that more attention should be paid to the source of sensitive software, the department wants to avoid passage of buy-American legislation, Jarzombek said.

'Congress is keenly interested in foreign suppliers of products and services,' he said. 'But that causes us to focus on the wrong problem,' because the lines between foreign and domestic suppliers are not clear and because there is no guarantee that domestic suppliers are trustworthy.

As envisioned, the software assurance initiative would require three evaluations for high-assurance software:

  • Counterintelligence threat assessment of the company, to determine the level of trust in employees

  • Business practice assessment, in which the company is checked against 16 practices to ensure that security is incorporated into the development process

  • Product evaluation.

The rigor of product evaluation will depend in part on the results of the first two assessments.

Two of the five anticipated workshops are expected to be open to the vendor community. Dates and locations of the workshops have not been determined. Additional information about the workshops and participation is available from Jarzombek, 703-604-1489, ext. 154.

About the Author

William Jackson is a Maryland-based freelance writer.

