Hi Mason,
The DHS Software Assurance Initiative has an Acquisition Working Group:
https://buildsecurityin.us-cert.gov/swa/acqwg.html
The efforts of the WG just got released on the NDU Press site:
http://www.ndu.edu/inss/press/books/irmc.pdf
The body of the document provides guidance on how to
> If it isn't in the RFP then it's not a requirement, regardless of what the
> customer implicitly expected.
DHS has a draft guide to raise the awareness of those in the acquisition
process about the need for software security and how to include the RFP
language.
https://buildsecurityin.us-cert.go