
TITLE VIII--ACQUISITION POLICY, ACQUISITION MANAGEMENT, AND RELATED MATTERS

Subtitle C--Provisions Relating to Software and Technology

P. L. 116-

House Conference Report   116-617

SEC. 835. BALANCING SECURITY AND INNOVATION IN SOFTWARE DEVELOPMENT AND ACQUISITION.

(a) Requirements for Solicitations of Commercial and Developmental Solutions.--The Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Chief Information Officer of the Department of Defense, shall develop requirements for appropriate software security criteria to be included in solicitations for commercial and developmental solutions and the evaluation of bids submitted in response to such solicitations, including a delineation of what processes were or will be used for a secure software development life cycle. Such requirements shall include--

(1) establishment and enforcement of secure coding practices;

(2) management of supply chain risks and third-party software sources and component risks;

(3) security of the software development environment;

(4) secure deployment, configuration, and installation processes; and

(5) an associated vulnerability management plan and identification of tools that will be applied to achieve an appropriate level of security.

(b) Security Review of Code.--The Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Chief Information Officer of the Department of Defense, shall develop--

(1) procedures for the security review of code; and

(2) other procedures necessary to fully implement the pilot program required under section 875 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91; 10 U.S.C. 2223 note).

(c) Coordination With Cybersecurity Acquisition Policy Efforts.--The Under Secretary of Defense for Acquisition and Sustainment shall develop the requirements and procedures described under subsections (a) and (b) in coordination with the efforts of the Department of Defense to develop new cybersecurity and program protection policies and guidance that are focused on cybersecurity in the context of acquisition and program management and on safeguarding information.

Balancing security and innovation in software development and acquisition (sec. 835)

The Senate amendment contained a provision (sec. 882) that would require the Under Secretary of Defense for Acquisition and Sustainment to incorporate certain considerations while finalizing the interim policy for a software acquisition pathway as part of the Department of Defense's new Adaptive Acquisition Framework.

The House bill contained no similar provision.

The House recedes with an amendment that would modify the considerations, as well as which of the Department's policies would need to incorporate such considerations.

The conferees recognize the growing importance of assuring the security of software and determining the provenance of code and the risks posed by reliance--whether known or inadvertent--on code produced by or within adversary nations.

The conferees are also concerned about the Department's non-compliance with section 875 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91). Section 875 required the Department to implement an Office of Management and Budget pilot relating to open source software due to significant potential benefits to the Department, to include improved performance. The conferees note that the Department has cited security concerns in connection with openly publishing certain code. The conferees further note that there is no comprehensive Department-wide process for conducting security reviews of code or parts of code and that the National Security Agency, which should have similar security concerns to the Department as a whole, has such a process for the purpose of maximizing appropriate public release.

The conferees encourage the Department to pursue the appropriate balance of innovation and security in developing, acquiring, and maintaining software.

The conferees further direct the Under Secretary of Defense for Acquisition and Sustainment and the Department of Defense Chief Information Officer to develop a roadmap with milestones that will enable the Department to require and effectively manage the submission by contractors of a software bill of materials.

Finally, the conferees direct the Under Secretary of Defense for Acquisition and Sustainment to update the Department's policy defining a Software Pathway to more clearly demonstrate compliance with the portions of section 800 of the National Defense Authorization for Fiscal Year 2020 (Public Law 116-92) to: (1) Ensure applicability to defense business systems as defined by section 2222 of title 10, United States Code; and (2) Provide for delivery of capability to end-users not later than 1 year after funds are obligated noting that other Government-wide policy and best practices call for updates no less frequently than once every 6 months.


Senate Committee Report 116-236 Accompanying S. 4049


Balancing security and innovation in software development and acquisition (sec. 882)

The committee recommends a provision that would require the Under Secretary of Defense for Acquisition and Sustainment to incorporate certain considerations while finalizing the interim software policy for a software acquisition pathway as part of the Department of Defense's (DOD's) new Adaptive Acquisition Framework.

The committee recognizes the growing importance of assuring the security of software and determining the provenance of code and the risks posed by reliance--whether known or inadvertent--on code produced by or within adversary nations.

The committee is also concerned about DOD's non-compliance with section 875 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91), which required the Department to implement an Office of Management and Budget pilot relating to open source software due to significant potential benefits to the Department, to include improved performance. The committee notes that the Department has cited security concerns in connection with openly publishing certain code. The committee further notes that there is no comprehensive Department-wide process for conducting security reviews of code or parts of code and that the National Security Agency, which should have similar security concerns to the Department as a whole, has such a process for the purpose of maximizing appropriate public release.

The committee encourages the Department to pursue the appropriate balance of innovation and security in developing, acquiring, and maintaining software.

The committee further directs the Under Secretary and the Department of Defense Chief Information Officer to develop a roadmap with milestones that will enable the Department to require and effectively manage the submission by contractors of a software bill of materials.

Finally, the committee reminds the Department that section 800 of the National Defense Authorization for Fiscal Year 2020 (Public Law 116-92) required that the Department's software policy provide for delivery of capability to end-users no later than 1 year after funds are obligated and that other government-wide policy and best practices call for updates no less frequently than once every 6 months.
