In a recent conversation with my DoD customer I mentioned the need for security to be stipulated, starting with the procurement cycle and through delivery and into distribution. He was in disbelief that I thought security should start before procurement.
Apparently others are thinking similarly to me. I had this conversation with him a couple of weeks ago, before this article was published.
Well, he is sadly behind the times. Security - in particular software security - is indeed part of the procurement process nowadays. Software Assurance (SwA) terminology has been part of the DoD acquisition process since the National Defense Authorization Act of FY13, and is a defined process controlled by the Deputy Assistant Secretary of Defense for Systems Engineering. It should be in all new RFPs, and if the contract pre-dates this, it should be included in all continuing contract mods/extensions. It should be evident extensively in the DoD Architectural Framework (DoDAF) diagrams, which of course are created and evaluated before any actual code is written (or should I say, SHOULD be).