Defense officials would outline requirements and procedures with implications for the whole federal government.
A small nugget in the National Defense Authorization Act under debate on the Senate floor could have big implications by requiring Defense Department solicitations to include certain software security criteria.
“The Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Chief Information Officer of the Department of Defense, shall develop requirements for inclusion in solicitations for both commercial and developmental solutions, and for the evaluation of bids, of appropriate software security criteria,” reads section 882 of the legislation.
The language is included in both the 2021 National Defense Authorization Act (S. 4049) and a substitute amendment proposed by Sen. James Inhofe, R-Okla. The amendment from Inhofe, chairman of the Senate Armed Services Committee, itself has 141 amendments.
The software security criteria would be developed by the undersecretary of Defense for acquisition and sustainment, in coordination with DOD’s chief information officer, and would include: “delineation of what processes were or will be used for a secure software development lifecycle, including management of supply chain and third-party software sources and component risks; and an associated vulnerability management plan or tools.”
The Defense officials would also develop a process for reviewing code for security purposes. The department would publish this in accordance with a pilot program from the 2018 NDAA regarding “promotion of the use of government-wide and other interagency contracts.”
In January, the Defense Acquisitions office issued a memorandum of interim policy and procedure for a software procurement “pathway.”
Sec. 882 spells out that the new requirements should be developed in “Coordination with Software Acquisition Pathway Efforts.”