DOD SOFTWARE ASSURANCE INITIATIVE: Mitigating Risks Attributable to Software through Enhanced Risk M - PowerPoint PPT Presentation

Slides: 13
Provided by: joej57

Transcript and Presenter's Notes


1
DOD SOFTWARE ASSURANCE INITIATIVE: Mitigating
Risks Attributable to Software through Enhanced
Risk Management
UNCLASSIFIED -- FOR OVERVIEW DISCUSSIONS
Countering Threats that Target Software in
Systems and Networks

DoD Liaison Report to IEEE CS S2ESC
August 10, 2004
  • Joe Jarzombek, PMP
  • Deputy Director for Software Assurance
  • Information Assurance Directorate
  • Office of the Assistant Secretary of Defense
  • (Networks and Information Integration)

2
National Security Requires Software Assurance
  • Assured Software is required to fulfill DoD
    missions and protect critical infrastructure
  • National capabilities dependent on software
  • Exploitable vulnerabilities and malicious code
    place critical capabilities at risk
  • In era of asymmetric warfare, opponents can
    threaten software-enabled capabilities cheaply
    and safely
  • Federal Sector has software assurance
    responsibilities
  • Software dependency places assurance at core of
    national security
  • Federal core competencies must be
    security-focused in acquiring and procuring
    software

3
Congressional Direction on Security of Sensitive
Software
  • Congressional direction FY04 Def Authorization
    Conf Report 108-354, Security of Sensitive
    Software --
  • DOD must ensure that recent emphasis on
    procurement of COTS software will not open
    vulnerabilities in sensitive DOD C3I software
  • DoD must provide IA and protection for all DOD IT
    assets, including
      • unauthorized modifications to code in mission
        critical software
      • insertion of malicious code into mission critical
        software
      • reverse engineering of mission critical software.
  • Responding to 2 Congressional Sub-Committees, GAO
    Review 120221
  • DoD Use of Foreign Sources for Software
    Development resulted in May 2004 GAO-04-678
    "Defense Acquisitions: Knowledge of Software
    Suppliers Needed to Manage Risks"
  • Outsourcing, foreign development risks
    insertion of malicious code
  • Recommendations for Executive Actions to direct
    DoD PMs to factor in software risks and for DoD
    to factor in security in risk assessments

4
Defeating the Threat: DoD Protection Initiatives &
Programs
  • Trusted Foundry (TF)
  • Anti-Tamper (AT)
  • Software Protection Initiative (SPI)
  • Software Assurance (SA)
  • Information Assurance (IA)
  • Global Information Grid
(Diagram labels) THREAT ACCESS: Primarily Hands-On; Primarily External
5

Software Assurance Initiative (initial focus
consistent with DoD Congressional concerns)
  • Managed as part of the DoD Information Assurance
    (IA) Strategy to Transform & Enable IA
    Capabilities
  • With oversight provided by SW Assurance Steering
    Committee under the IA Senior Leadership, the
    Initiative is organized into working groups:
      • WG1 - Security Process Capability (improvement
        & evaluation),
      • WG2 - Software Product Evaluation (product
        focused),
      • WG3 - Threat Analyses -- Counter Intelligence
        (CI) Support
      • WG4 - Acquisition/Procurement and Industrial
        Security, and
      • WG5 - User Identification & Prioritization of
        Protected Assets
  • SW Assurance Initiative provides requisite
    interfaces with related initiatives
  • DoD Anti-tamper and Software Protection
    Initiatives
  • Government Information Assurance initiatives
  • Interagency Standards Groups on Security
    Assurance
  • Govt/industry Cyber Security SW development
    lifecycle task force

6
Response for Software Assurance
  • October 2002, the President's Critical
    Infrastructure Protection Board (PCIPB) IT
    Security Study Group (ITSSG) identified security
    shortfalls in acquisition processes and
    recommended security improvements
  • DoD evaluated ITSSG report recommending
  • Integrating an enhanced risk management process
    into the DoD acquisition processes
  • Specifying lifecycle risk mitigation of software
    vulnerabilities
  • Threat analysis of suppliers in source selection
  • Security component specification, design, build,
    and integration
  • Process capabilities (performance improvement and
    evaluation)
  • Product evaluation tools (test, accreditation and
    certification)
  • R&D and transitioning of enabling advanced
    technologies
  • Laws, policies & practices for acq/procurement,
    use and support
  • Identifying mechanisms to ensure software product
    integrity

7
Enhanced Risk Management Process
Draft Proposal
Threat-Informed/ Security-Aware Risk
Management Decision
Oversight
Threat Assessment
Supplier Security Process Capability Evaluation
Defense in Depth
Product Security Evaluation
8
Scoping Expectations for Workshops Software
Assurance Forum
  • Working Group 1, Security Process Capabilities
  • (Process Improvement and Capability Evaluation --
    Practice Focused)
  • Identify criteria/practices to be used in
    mitigating risks associated with
    development/acquisition processes required to
    deliver secure software
  • Leverage work of interagency groups that identify
    best practices for the delivery of secure
    software/systems
  • Assistance to PMs in determining capabilities of
    suppliers, part of
  • Source selection activities & contract process
    monitoring
  • Changes in products & services
  • Need for
  • Safe & secure style guides (language sub-sets)
    for programming
  • Software-related security development guides
  • Software assurance guidelines within
    High-Assurance Systems Engineering
  • enterprise-level and total system lifecycle
    dependability,
  • high-assurance validation and verification
  • Need for SW Assurance templates for RFPs
    (including Section L & M)

9
Scoping Expectations for Workshops Software
Assurance Forum
  • Working Group 1, Security Process Capabilities --
    Leveraging Activities
  • IEEE CS Software and Systems Engineering
    Standards Committee (S2ESC) provides oversight of
    largest collection of IEEE standards
  • Safety & Security Practices for use in evaluating
    delivery capabilities
  • Developed as extensions to CMMI & iCMM; can be
    used stand-alone
  • Practices traceable to 7 source standards
  • Safety & security focus using CMMI & iCMM
    implementing practices
  • ISO/IEC JTC1/SC7 WG9
  • Redefined its terms of reference to software and
    system assurance (part of Systems Engineering
    System Life Cycle Processes)
  • ISO/IEC 15026 to address management of risk and
    assurance of safety, security, dependability
    within context of system and software life cycles
  • NIST Information System Security Project
  • Producing publications on security of Federal
    Information System
  • Provides standards for labs conducting software
    product evaluations

Capability Maturity Model, CMM, and CMMI are
registered in the U.S. Patent and Trademark
Office by Carnegie Mellon University
10
(No Transcript)
11
Scoping Expectations for Workshops Software
Assurance Forum
  • Working Group 2, Product Evaluation
  • Product Diagnostic Capabilities
  • Role of Executive Agent for High Assurance
    Software Technology Evaluation
  • Working Group 3, Threat Assessment Support
  • All-Source Threat Analyses Capabilities
  • Types of support needed to support government and
    industry
  • Working Group 4, Acquisition/Procurement/Industrial
    Security Policy
  • Policies and regulatory guidance for software
    assurance
  • Guidance for using information to support
    enhanced risk management, from
      • Threat assessments,
      • Security process capability evaluations, and
      • Product security evaluations
  • Working Group 5, Prioritization of Assets
    Requiring High Assurance
  • Process for specifying DoD watch list assets
    requiring high assurance
  • Sample criteria for use by PMO Systems Engineers
    for determining software components that require
    high assurance

12
Contact Information
Software Assurance Initiative Director Joe Jarzombek, PMP
Deputy Director for Software Assurance
Information Assurance Directorate
Office of the Assistant Secretary of Defense
(Networks and Information Integration)
Business Ph (703) 604-1489 x154
Mobile Cell Ph (703) 627-4644
Joe.Jarzombek_at_osd.mil
Crystal Gateway 3, Suite 1101
1215 Jefferson Davis Highway
Arlington, VA 22202-4302