The Department of the Treasury’s Internal Revenue Service (IRS) issued a request for information (RFI) seeking software cybersecurity tools that can work with an older programming language the agency uses, known as Common Business-Oriented Language, or COBOL.
Continued reliance on COBOL by some IT shops within the Federal government has been a frequent complaint of critics who say the government needs to modernize operations away from decades-long reliance on outdated programming languages.
COBOL is primarily used in finance systems, and a large portion of the IRS’ current software applications is written in COBOL, according to the RFI. Currently, the agency has 160 COBOL applications, totaling an average of 235,000 lines of source code.
The IRS wants “solutions for software security scanning tools based on national security demands” that can work with COBOL, the agency said.
“The primary goal is the ability for the tool to perform application security testing (AST) on source code written in various versions of the COBOL programming language, both inside and outside the Continuous Integration / Continuous Delivery (CI/CD) DevOps pipeline,” the RFI says.
The IRS wants a security solution that will address three overarching needs:
- “AST scanning of COBOL applications with accurate, actionable security findings, with a minimal false positive rate;
- Provide full code coverage and integrate with key development tools and processes (for example, Agile, DevSecOps, Jenkins, and the CI/CD pipeline), and
- Provide remediation guidance for identified COBOL code weaknesses.”
Responses to the RFI are due June 28.