Procurement is key to security, IT execs say

Procurement officers have the power to significantly improve the security of government IT systems by including software reliability and security requirements in the contracts they award to vendors—and strengthen the country’s cyberinfrastructure in the process.

That key message was hammered home repeatedly at a two-day forum earlier this month hosted jointly by the Defense and Homeland Security departments.

“We have to shift the paradigm from patch management to software assurance,” said Andy Purdy, acting director of DHS’ National Cyber Security Division.

Vendors will not invest in improving the quality of their software of their own volition, said Priscilla Guthrie, deputy CIO and deputy assistant secretary of Defense for networks and information integration. “We’ve got to use acquisition organizations to put together a software assurance policy,” Guthrie said. “We have to get acquisition organizations to work with us to make sure [it’s] part of the way we buy.”

Dan Wolf, information assurance director of the National Security Agency, said improving the quality of software is a matter of national security.

“Our adversaries have made a big point of how information operations are a preferred weapon,” Wolf said, warning that the country’s enemies are focusing on finding ways to infiltrate and take over critical systems.

Alan Paller, director of research at the SANS Institute of Bethesda, Md., added that the best way to get vendors to take action is for procurement officers to include different language regarding software performance, security and reliability in contracts.

Integrators, Paller said, are of the opinion that, “If it’s in the [Federal Acquisition Regulations] we can ignore it, but if it’s in the contract we do it.”

About the Author

Connect with the GCN staff on Twitter @GCNtech.

