Certification deadline draws near
Beginning in July, DOD will prohibit the military services from purchasing information assurance products that have not met a third-party security evaluation
National Information Assurance Partnership
In an effort to improve the security of the commercial software it buys, the Defense Department beginning in July will prohibit the military services from purchasing information assurance products that have not met a third-party security evaluation.
Under the rule, DOD will not buy commercial software that has not been certified by the National Information Assurance Partnership (NIAP), a group formed by the National Security Agency and the National Institute of Standards and Technology. The initiative is essential as DOD increasingly uses commercial software for mission-critical functions, said Eustace King, the technology team leader for the Defense-wide Information Assurance Program, speaking May 14 during a presentation at the Navy's Connecting Technology conference in Virginia Beach, Va.
But the effort is even more critical as DOD moves toward network-centricity, where data is stored on networks and is available to those who need it, King said.
The DOD policy has received little attention despite the broad ramifications it could have for information technology buys.
It is not directed just at information assurance products, such as firewalls or intrusion-detection systems, but also at "information assurance-enabled products" such as Web browsers, operating systems and databases.
The DOD policy requires that all systems be assessed on how mission- critical the data is. That data will then determine the commensurate level of security robustness — high, medium or basic, King said.
Under the National Information Assurance Acquisition Policy, the military services have been giving preference to information assurance products certified by NIAP, but beginning in July that certification will be required, King said.
Products bought before July will be exempt from the policy, King said, although the policy does require any significant upgrades to meet the certification requirement.
Capt. Sheila McCoy, a member of the Navy Department chief information officer's information assurance team, said the hope is that vendors will see the certification as an opportunity to obtain a competitive advantage.
Mary Ann Davidson, chief security officer for Oracle Corp., said that despite nearly a decade of similar requirements, many software vendors have avoided the guidelines and sought waivers instead. DOD must make security a top priority in buying decisions because it is difficult to add it on later if security is not built into a product from the start, she said.
Oracle has made security a critical part of its software development process, Davidson said. The company last week was awarded its 15th NIAP certificate for its Oracle Label Security product, she said. The product enables an organization to control access to shared data.
NSA has published the requirements for several product categories, including firewalls and operating systems. Other requirements are in the works, including those for Web security, intrusion-detection systems, virtual private networks and biometrics.
NIAP has certified about two dozen products, and others are in process, King said.
Davidson said the process can be expensive and time-consuming — Oracle spends as much as $1 million to get a product certified. But the certification process has also helped the company avoid the future costs of applying patches to products, she said.