The hoops that companies must jump through in order to sell into the Federal government can be difficult to understand and sometimes misleading. As with any government process, misconceptions surrounding what is required begin to evolve and companies can potentially lose revenue as a result.
Here are a few of the most common myths and misconceptions we have encountered over the years as we helped companies navigate the DoD-mandated listing process for the DoDIN APL (Department of Defense Information Network Approved Products List):
Myth 1: “I’m already selling into the DoD, I don’t need additional product security hardening.”
Per DoD guidelines, procurements are restricted to those solutions specifically listed on the DoDIN APL. If your product is not currently on the list, or you are not actively pursuing a listing, the new restrictions will shut you out of any future procurements.
Although your current customers may have purchased your solution in the past, they are in fact not authorized to do so in the future, and could require you to get listed at any time moving forward without prior notice.
Myth 2: “I already completed JITC/STIG Testing and/or have a CON, I don’t need to do anything further.”
Previously, each military branch would issue a Certificate of Networthiness (CON) on its own to individual contractors. A CON gave you the ability to sell into that specific agency, but that agency alone. Year after year, each branch issued its own CON until finally the DoD collectively agreed to develop one singular list to buy from – and hence the Unified Capabilities Approved Product List was created.
To be listed on the DoDIN APL, your product must go through Interoperability (IO) testing as well as Information Assurance (IA) testing. The Joint Interoperability Test Command (JITC) is the IO certifying authority within the DoD. Any previously certified products tested solely by JITC would need to re-list on the DoDIN APL.
Security Technical Implementation Guide (STIG) testing is part of the initial submission for the DoDIN APL listing process. It includes the completion of a questionnaire on product internals, secure protocols, and access. The results determine which STIGs will be applied to your product. Testing is only one portion of DoDIN APL listing requirements, and while it can help in a quick RFP/RFQ response, it is only a first step. Completing the process ensures access to the total DoD procurement engine.
Myth 3: “The DoD only purchases from U.S. based companies.”
Companies outside the United States that are attempting to develop solutions for the DoD may do so as long as they are listed on the DoDIN APL. In fact, companies from ten different countries outside of the United States have products currently listed on the DoDIN APL.