Certification deadline draws near

National Information Assurance Partnership

In an effort to improve the security of the commercial software it buys, the Defense Department beginning in July will prohibit the military services from purchasing information assurance products that have not met a third-party security evaluation.

Under the rule, DOD will not buy commercial software that has not been certified by the National Information Assurance Partnership (NIAP), a group formed by the National Security Agency and the National Institute of Standards and Technology. The initiative is essential as DOD increasingly uses commercial software for mission-critical functions, said Eustace King, the technology team leader for the Defense-wide Information Assurance Program, speaking May 14 during a presentation at the Navy's Connecting Technology conference in Virginia Beach, Va.

But the effort is even more critical as DOD moves toward network-centricity, where data is stored on networks and is available to those who need it, King said.

The DOD policy has received little attention despite the broad ramifications it could have for information technology buys.

It is not directed just at information assurance products, such as firewalls or intrusion-detection systems, but also at "information assurance-enabled products" such as Web browsers, operating systems and databases.

The DOD policy requires that all systems be assessed on how mission-critical the data is. That data will then determine the commensurate level of security robustness — high, medium or basic, King said.

Under the National Information Assurance Acquisition Policy, the military services have been giving preference to information assurance products certified by NIAP, but beginning in July that certification will be required, King said.

Products bought before July will be exempt from the policy, King said, although the policy does require any significant upgrades to meet the certification requirement.

Capt. Sheila McCoy, a member of the Navy Department chief information officer's information assurance team, said the hope is that vendors will see the certification as an opportunity to obtain a competitive advantage.

Mary Ann Davidson, chief security officer for Oracle Corp., said that despite nearly a decade of similar requirements, many software vendors have avoided the guidelines and sought waivers instead. DOD must make security a top priority in buying decisions because it is difficult to add it on later if security is not built into a product from the start, she said.

Oracle has made security a critical part of its software development process, Davidson said. The company last week was awarded its 15th NIAP certificate for its Oracle Label Security product, she said. The product enables an organization to control access to shared data.

NSA has published the requirements for several product categories, including firewalls and operating systems. Other requirements are in the works, including those for Web security, intrusion-detection systems, virtual private networks and biometrics.

NIAP has certified about two dozen products, and others are in process, King said.

Davidson said the process can be expensive and time-consuming — Oracle spends as much as $1 million to get a product certified. But the certification process has also helped the company avoid the future costs of applying patches to products, she said.

About the Author

Christopher J. Dorobek is the co-anchor of Federal News Radio’s afternoon drive program, The Daily Debrief with Chris Dorobek and Amy Morris, and the founder, publisher and editor of the DorobekInsider.com, a leading blog for the Federal IT community.

Dorobek joined Federal News Radio in 2008 with 16 years of experience covering government issues with an emphasis on government information technology. Prior to joining Federal News Radio, Dorobek was editor-in-chief of Federal Computer Week, the leading news magazine for government IT decision-makers and the flagship of the 1105 Government Information Group portfolio of publications. As editor-in-chief, Dorobek served as a member of the senior leadership team at 1105 Government Information Group, providing daily editorial direction and management for FCW magazine, FCW.com, Government Health IT and its other editorial products.

Dorobek joined FCW in 2001 as a senior reporter and assumed increasing responsibilities, becoming managing editor and executive editor before being named editor-in-chief in 2006. Prior to joining FCW, Dorobek was a technology reporter at PlanetGov.com, one of the first online community centers for current and former government employees. He also spent five years at Government Computer News, another leading industry publication, covering a variety of federal IT-related issues.

Dorobek is a frequent speaker on issues involving the government IT industry, and has appeared as a frequent contributor to NewsChannel 8’s Federal News Today program. He began his career as a reporter at the Foster’s Daily Democrat, a daily newspaper in Dover, N.H. He is a graduate of the University of Southern California. He lives in Washington, DC.
