DOD tightening security buys

National Information Assurance Partnership

In an effort to improve the security of the commercial software it buys, the Defense Department beginning in July will restrict its purchase of information assurance products to those certified by the National Information Assurance Partnership.

The initiative is essential as DOD increasingly uses commercial software for mission-critical functions, said Eustace King, the technology team lead for the Defense-wide Information Assurance Program, speaking May 14 during a presentation at the Navy's Connecting Technology conference in Virginia Beach, Va.

But the effort is even more critical as DOD moves toward network-centricity, where data is stored on networks and is available to those who need it, King said. Network-centric operations mean that networks are mission-critical, and it becomes fundamental that data is secure, he said.

Under the National Information Assurance Acquisition Policy, the military services have been giving preference to information assurance products that have NIAP certification. But beginning in July, services will be required to buy NIAP-certified products, King said.

The DOD policy has received little attention despite the broad ramifications it could have on information technology buys.

Furthermore, it is not directed just at information assurance products, such as firewalls or intrusion-detection systems. The policy also requires that DOD organizations buying "information assurance-enabled products" purchase products that NIAP has certified. Such products could include Web browsers, operating systems and databases.

The DOD policy requires that all systems be assessed on how mission-critical the data is. That data will then determine the commensurate level of security robustness — high, medium or basic, King said.

Products purchased before July will be exempt from the policy, King said, although the policy does require that any significant upgrades will trigger the certification requirement.

Capt. Sheila McCoy, part of the Navy Department chief information officer's information assurance team, said the hope is that vendors will see the certification as an opportunity to obtain a competitive advantage.

The National Security Agency has published the requirements for several product categories, including firewalls and operating systems. Other requirements are in the works, including those for Web security, intrusion-detection systems, virtual private networks and biometrics.

NIAP has certified about two dozen products, and others are in process, King said.

NIAP is an initiative of NSA and the National Institute for Standards and Technology, and its efforts are designed to meet the security testing, evaluation and assessment needs of IT vendors and buyers.

About the Author

Christopher J. Dorobek is the co-anchor of Federal News Radio’s afternoon drive program, The Daily Debrief with Chris Dorobek and Amy Morris, and the founder, publisher and editor of the DorobekInsider.com, a leading blog for the Federal IT community.

Dorobek joined Federal News Radio in 2008 with 16 years of experience covering government issues with an emphasis on government information technology. Prior to joining Federal News Radio, Dorobek was editor-in-chief of Federal Computer Week, the leading news magazine for government IT decision-makers and the flagship of the 1105 Government Information Group portfolio of publications. As editor-in-chief, Dorobek served as a member of the senior leadership team at 1105 Government Information Group, providing daily editorial direction and management for FCW magazine, FCW.com, Government Health IT and its other editorial products.

Dorobek joined FCW in 2001 as a senior reporter and assumed increasing responsibilities, becoming managing editor and executive editor before being named editor-in-chief in 2006. Prior to joining FCW, Dorobek was a technology reporter at PlanetGov.com, one of the first online community centers for current and former government employees. He also spent five years at Government Computer News, another leading industry publication, covering a variety of federal IT-related issues.

Dorobek is a frequent speaker on issues involving the government IT industry, and has appeared as a frequent contributor to NewsChannel 8’s Federal News Today program. He began his career as a reporter at the Foster’s Daily Democrat, a daily newspaper in Dover, N.H. He is a graduate of the University of Southern California. He lives in Washington, DC.


Featured

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.