DOD tightening security buys
Information assurance products soon will be limited to those certified by the National Information Assurance Program
National Information Assurance Partnership
In an effort to improve the security of the commercial software it buys, the Defense Department beginning in July will restrict its purchase of information assurance products to those certified by the National Information Assurance Partnership.
The initiative is essential as DOD increasingly uses commercial software for mission-critical functions, said Eustace King, the technology team lead for the Defense-wide Information Assurance Program, speaking May 14 during a presentation at the Navy's Connecting Technology conference in Virginia Beach, Va.
But the effort is even more critical as DOD moves toward network-centricity, where data is stored on networks and is available to those who need it, King said. Network-centric operations mean that networks are mission-critical, and it becomes fundamental that data is secure, he said.
Under the National Information Assurance Acquisition Policy, the military services have been giving preference to information assurance products that have NIAP certification. But beginning in July, services will be required to buy NIAP-certified products, King said.
The DOD policy has received little attention despite the broad ramifications it could have on information technology buys.
Furthermore, it is not directed just at information assurance products, such as firewalls or intrusion-detection systems. The policy also requires that DOD organizations buying "information assurance-enabled products" purchase products that NIAP has certified. Such products could include Web browsers, operating systems and databases.
The DOD policy requires that all systems be assessed on how mission-critical the data is. That data will then determine the commensurate level of security robustness — high, medium or basic, King said.
Products purchased before July will be exempt from the policy, King said, although the policy does require that any significant upgrades will trigger the certification requirement.
Capt. Sheila McCoy, part of the Navy Department chief information officer's information assurance team, said the hope is that vendors will see the certification as an opportunity to obtain a competitive advantage.
The National Security Agency has published the requirements for several product categories, including firewalls and operating systems. Other requirements are in the works, including those for Web security, intrusion-detection systems, virtual private networks and biometrics.
NIAP has certified about two dozen products, and others are in process, King said.
NIAP is an initiative of NSA and the National Institute for Standards and Technology, and its efforts are designed to meet the security testing, evaluation and assessment needs of IT vendors and buyers.
NEXT STORY: Universities launch cybercenter