
Officials: Be specific about cybersecurity during acquisition

October 13, 2015

The administration has been pushing agencies to include more cybersecurity language in contracts, specifically in citing control standards like those advanced by the National Institute of Standards and Technology. Some officials don't think those standards are enough and are encouraging agencies to get specific with vendors when writing cybersecurity requirements.


"In software assurance or as a computer scientist you say it's all about the code," Kris Britton, director of NSA's Center for Assured Software, said during a panel discussion hosted by the Consortium for IT Software Quality (CISQ) on Oct. 13. "Ultimately it is. But it all begins — at least in government — back at the acquisition process."

Britton also noted the difficulty in holding contractors accountable if cybersecurity duties aren't explicitly laid out in the service level agreements (SLAs).

John Keane, software assurance lead for the Department of Defense Healthcare Management System Modernization (DHMSM) program, took it a step further, outlining in the solicitation the specific software assurance tools the agency planned to use to test potential vendors for its massive electronic health records system.

Keane said the companies looked at it from a business perspective and made the determination that it would be cost-effective to develop their solutions with these tools in mind, rather than going in blind.

More than that, it gave both the vendors and the government confidence that the code being provided would be acceptable to everyone involved.

Keane suggested contracting officers be explicit about what testing software they plan to use, offering open source examples like FindBugs for testing Java applications.

"You say, 'Here's the tool and this is how we're going to go through and rate you,'" he said. "No category 1 [defects] or you don't get an ATO."
