DHS could rate software manufacturers according to their supply chain


WILLIAMSBURG, Va. - The government could rate software manufacturers according to their supply chain practices when considering which applications to buy, said a Homeland Security Department official while speaking at an industry conference.

"There are suppliers in that chain who are people we would not allow into our facilities, but we're just going to take their software and install it? Anybody understand that there's a problem with that?" said Joe Jarzombek, director for software assurance and global cybersecurity management within the DHS National Cyber Security Division. He spoke Oct. 25 during a panel of the ACT-IAC Executive Leadership Conference.

The intention behind the ratings isn't to create a blacklist of vendors deemed too risky for federal acquisition, but to identify supply sources that "require a little bit more due diligence and therefore risk management," Jarzombek added.

Getting a good rating would not require relocating all coding activities domestically, he said. Many exploitable weaknesses found in software are introduced by developers who are U.S. citizens holding security clearances.

"I'll use a technical term--they're clueless on how to develop secure products," Jarzombek said. Among the practices called out by Jarzombek is subcontracting with entities the government is unaware of. While the government might think it's getting code from a trusted source, in fact a hidden third party is delivering the final product merely with the vendor's nameplate.

Jarzombek also said that a developer delivering code compiled with bug flags turned off is akin to handing an unaware person a gun with the safety turned off. "Somehow we would think that's wrong, but we don't think that's wrong in software."

In a related conference session, former Office of Management and Budget Administrator for e-Government and Information Technology Karen Evans urged the government to be tougher with all information technology companies over their supply chain practices.

The minute that the Defense Department rejects a router for cybersecurity reasons, "it will send a ripple effect through the industry, and then people will fix it," she said. "If you marked a deliverable as undeliverable, it gets everybody's attention all the way up the chain."

The Federal Acquisition Regulation, specifically Part 39.101, already requires contracting offices to utilize common security configurations developed by the National Institute of Standards and Technology, Evans noted.

However, said John Gilligan, president of the Gilligan Group and a former Air Force chief information officer, many federal contracts fail to enforce NIST guidelines. "Why would you ever buy a product with security features not turned on?" he said.

For more:
- read all our ELC 2010 coverage
- go to FAR Part 39
- go to the NIST product security configuration webpage
