DOD moves to improve software assurance

The Defense Department is planning acquisition policy changes aimed at improving the quality and security of the software it buys from vendors.

'We are reviewing our policies to assure acquisition officials that they have the authority to exclude companies or products that represent too much of a risk to DOD,' said Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate.

The software assurance initiative is expected to include evaluation of vendors and their business practices as well as of products for critical software.

Jarzombek, who spoke today at the security conference in Washington, said his office is planning a series of workshops this summer to discuss the issues. Recommendations will be presented at a forum tentatively scheduled for Aug. 31 and Sept. 1.

A report released by the General Accounting Office last month found that DOD software security policies do not address the risk of using foreign suppliers.

Although DOD agrees that more attention should be paid to the source of sensitive software, the department wants to avoid passage of buy-American legislation, Jarzombek said.

'Congress is keenly interested in foreign suppliers of products and services,' he said. 'But that causes us to focus on the wrong problem,' because the lines between foreign and domestic suppliers are not clear and because there is no guarantee that domestic suppliers are trustworthy.

As envisioned, the software assurance initiative would require three evaluations for high-assurance software:

  • Counterintelligence threat assessment of the company, to determine the level of trust in employees

  • Business practice assessment, in which the company is checked against 16 practices to ensure that security is incorporated into the development process

  • Product evaluation.

The rigor of product evaluation will depend in part on the results of the first two assessments.

Two of the five anticipated workshops are expected to be open to the vendor community. Dates and locations of the workshops have not been determined. Additional information about the workshops and participation is available from Jarzombek, 703-604-1489, ext. 154.

About the Author

William Jackson is a Maryland-based freelance writer.

