Enhancing security

Department of Commerce Seeks Third-Party Audit on Software Acquisitions

The U.S. Department of Commerce is proposing a mandatory security evaluation by a third-party auditor of all connected software applications before they are approved for acquisition by government agencies. The proposal is in line with President Joe Biden’s executive order which further strengthens former President Donald Trump’s directive aimed at limiting the reach of foreign adversaries seeking to steal sensitive data from Americans, Nextgov reported Monday.

According to the publication, while the Biden order reversed Trump’s ban that specifically targeted TikTok and WeChat, it maintained the core of the previous president’s order authorizing the secretary of commerce to deny transactions deemed threatening to national security under the International Emergency Economic Powers Act. The Biden EO also expanded on the Trump order by making connected software applications subject to the reviews, preferably by third-party auditors.

In a notice published in the Federal Registry on Friday, the Commerce Department proposed that the lack of a credible third-party audit of connected software applications be made grounds for turning down deals involving information and communications technology.

The document also sought to open up the conversation on the audit issue, seeking stakeholder feedback on whether imposing a mandatory third-party audit on vendors’ offerings is too extreme and should be toned down. It also sought suggestions on how the secretary should apply the public feedback to information and communications technology and services transactions involving connected software applications, and whether there are additional criteria that should be considered.

Meanwhile, the Government Accountability Office noted aggressive activity from China, which the audit agency said only highlights the need for the Cybersecurity and Infrastructure Security Agency to enhance its employees training on threat detection.