Procurement is key to security, IT execs say

Procurement officers have the power to significantly improve the security of government IT systems by including software reliability and security requirements in the contracts they award to vendors—and strengthen the country’s cyberinfrastructure in the process.That key message was hammered home repeatedly at a two-day forum earlier this month hosted jointly by the Defense and Homeland Security departments.“We have to shift the paradigm from patch management to software assurance,” said Andy Purdy, acting director of DHS’ National Cyber Security Division.Vendors will not invest in improving the quality of their software of their own volition, said Priscilla Guthrie, deputy CIO and deputy assistant secretary of Defense for networks and information integration. “We’ve got to use acquisition organizations to put together a software assurance policy,” Guthrie said. “We have to get acquisition organizations to work with us to make sure [it’s] part of the way we buy.”Dan Wolf, information assurance director of the National Security Agency, said improving the quality of software is a matter of national security.“Our adversaries have made a big point of how information operations are a preferred weapon,” Wolf said, warning that the country’s enemies are focusing on finding ways to infiltrate and take over critical systems.Alan Paller, director of research at the SANS Institute of Bethesda, Md., added that procurement officers need to include different language regarding software performance, security and reliability in contracts, as the best way to get vendors to take action.Integrators, Paller said, are of the opinion that, “If it’s in the [Federal Acquisition Regulations] we can ignore it, but if it’s in the contract we do it.”