The Homeland Security Department’s Science and Technology Directorate is requiring that its research partners test and evaluate their software in the Software Assurance Marketplace (SWAMP) before delivering it to the agency.
“We’re going to take the next step and require you to go through an evaluation before you deliver anything, and we won’t accept it if it doesn’t pass a test,” said Doug Maughan, cybersecurity division director for the DHS S&T Directorate, during the agency’s Research and Development Showcase in Washington Feb. 17.
DHS S&T and its Homeland Security Advanced Research Projects Agency designed the Software Assurance Marketplace to help identify defective code or flaws in software cybersecurity.
The Government Accountability Office said installing software with malware or other defects is one of the biggest risks to the government IT supply chain. Many of the top 25 vulnerabilities that existed five years ago still exist today, Maughan said.
“How do we hold vendors accountable to ensure that the products that they’re submitting and selling to the government are as high quality as they can be,” Maughan told Federal News Radio. “Part of our story is that the Software Assurance Marketplace that exists and is used daily could be part of that equation.”
DHS will require researchers to use SWAMP as part of new contracts that begin this fiscal year, Maughan said. But getting vendors on board will take more time — and action from the Office of Management and Budget.
“There has been some discussion at the White House, it came out as part of the President’s National Action Plan,” Maughan said. “We’re arguing that what S&T brings to the table is something that can help execute that idea from the National Action Plan. But we’re not driving that process out of the White House.”
Secure software is one of 10 strategic goals Maughan is working toward this year. The directorate is also diving headlong into its work with international partners and new startup companies, particularly in Silicon Valley.
DHS opened a satellite office in Silicon Valley about a year ago. The agency is in the beginning stages of speeding up the contracting process for new startups and shortening a solicitation period that can take up to one year.
The directorate is looking for companies that are at least six to 12 months old. It is not looking to become a startup's first buyer, but it is interested in companies that have a proven technological capability and demonstrated interest from other investors, Maughan said.
“They’re already going down a commercial pathway,” he said. “All we want them to do is open up the aperture and think about the homeland security applications for their commercial product.”
S&T is beginning to use an Other Transaction Authority to do business with new companies that have never worked with government before.
The directorate sent out its first Other Transaction Solicitation for an Internet of Things security solution in December.
S&T held an industry day Dec. 10 and received more than 20 applications for the solicitation, Maughan said. The directorate reviewed seven applications in January.
“Once I’ve reviewed your application, if we want to invite you in for an oral pitch, I can do that,” Maughan said. “From our legal and contracting perspective, as long as it’s a fair and open competition and every vendor is asked the same questions, I can now do an oral pitch and I no longer have to do a 40-page proposal.”
The directorate heard its first round of oral pitches Feb. 1. It awarded its first “other” transaction contract Feb. 12.
In the first round of a recent solicitation, the directorate went from invitation to presentation to an award in about 10 days, Maughan said.
“We’re able to make the decision on the spot, just like they do in Silicon Valley; give them a thumbs-up or thumbs-down,” he said. “The contracting process with an Other Transaction Authority type contract, non-FAR based is much shorter. We don’t have to deal with all of the financial normalities of a traditional FAR contract.”
Though this process is still relatively new for the directorate, S&T expects it will continue to hone its relationship with Silicon Valley startups, said Scott Tousley, deputy cybersecurity director for DHS S&T.
“The conversation in a sense has really just begun, and a large part of what the effort is right now, as of today, is still the communication of our intent and our procedure and how we’re trying to make this work,” he said. “It will unfold as this year goes on [and] next year happens. It will take a couple of years for the system to unfold.”