A recently issued policy for Defense Department acquisition officials provides an overview of how to purchase custom-built software from planning to execution, but a leading software trade association says the policy leaves room for interpretation on supply chain security and other issues that need to be addressed.
The software acquisition pathway is part of the Pentagon’s major overhaul of its acquisition policies known as the Adaptive Acquisition Framework. The development of a software pathway was recommended by the Defense Innovation Board and mandated in the fiscal 2020 National Defense Authorization Act.
“We share the goal of the Defense Department to embrace modern software development and the policy is very useful for us and our members,” Tommy Ross, senior director of policy at BSA-The Software Alliance, told Inside Cybersecurity. “However, the pathway should not just be about developing software rapidly. It needs to also be about developing software that is secure.”
The pathway says “Cybersecurity and software assurance will be integral to strategies, designs, development environment, processes, supply chain, architectures, enterprise services, tests, and operations. Continuous and automated cybersecurity and cyber threat testing will identify vulnerabilities to help ensure software resilience throughout the lifecycle.”
But that provides little detail on what the implementation will actually entail, according to Ross.
“Clearly, there is work that will need to be done to actually translate this guidance into practice,” Ross said. Directing acquisition officials to the BSA Framework for Secure Software, updated in September, and the National Institute of Standards and Technology’s Secure Software Development Framework would help ground the policy in best practices, Ross said.
More direction on how the software acquisition pathway will be enacted could come from DOD components, which would issue guidance implementing the policy specific to their needs, Ross said. Further implementation guidance is also possible from the Office of the Under Secretary of Defense for Acquisition and Sustainment, which issued the pathway policy on Oct. 2.
The software acquisition pathway includes language requiring programs to “develop and track a set of metrics to assess and manage the performance, progress, speed, cybersecurity, and quality of the software development, its development teams, and ability to meet users’ needs,” and it encourages officials to leverage “automated tools to the maximum extent practicable” to collect that data.
Ross said more guidance on how DOD components are supposed to collect and define the metrics would also be beneficial to BSA members.
The policy is directed specifically at customized solutions for the Defense Department, an approach that, Ross says, forgoes commercial off-the-shelf solutions that already come with strong security controls.
“You would expect DOD to buy COTS software for [Office 365] and custom-built software for weapons systems, but there are a lot of things they do in between where they intend to buy custom-built software but probably would benefit from industry offerings that involve data analytics, data management tools and office productivity software for human resources,” Ross said.
On a broader level, Ross said it would be helpful to get more guidance on how the Defense Department wants to address vulnerability management.
“There are often contracts for the development of software and then DOD issues a separate contract for the sustainment or maintenance of the software and so responsibility for how vulnerability management gets passed on and that transition between contracts can get tricky,” Ross said.
Issues still need to be worked out, Ross said, over the appropriate requirements for vendors to “remediate vulnerabilities when they are identified, the timeline and at what cost to taxpayers.”
The Defense Department is planning to release a policy separate from the software acquisition pathway that will focus on cybersecurity. The policy is intended to cut across all of the pathways that make up the Adaptive Acquisition Framework while adding in requirements corresponding to the Pentagon’s Cybersecurity Maturity Model Certification program. -- Sara Friedman