Title: DOD SOFTWARE ASSURANCE INITIATIVE: Mitigating Risks Attributable to Software through Enhanced Risk Management
DOD SOFTWARE ASSURANCE INITIATIVE
Mitigating Risks Attributable to Software through Enhanced Risk Management
UNCLASSIFIED -- FOR OVERVIEW DISCUSSIONS
Countering Threats that Target Software in Systems and Networks
DoD Liaison Report to IEEE CS S2ESC
August 10, 2004
Joe Jarzombek, PMP
Deputy Director for Software Assurance
Information Assurance Directorate
Office of the Assistant Secretary of Defense (Networks and Information Integration)
National Security Requires Software Assurance
- Assured software is required to fulfill DoD missions and protect critical infrastructure
  - National capabilities are dependent on software
- Exploitable vulnerabilities and malicious code place critical capabilities at risk
  - In an era of asymmetric warfare, opponents can threaten software-enabled capabilities cheaply and safely
- Federal sector has software assurance responsibilities
  - Software dependency places assurance at the core of national security
  - Federal core competencies must be security-focused in acquiring and procuring software
Congressional Direction on Security of Sensitive Software
- Congressional direction, FY04 Defense Authorization Conference Report 108-354, "Security of Sensitive Software":
  - DOD must ensure that the recent emphasis on procurement of COTS software will not open vulnerabilities in sensitive DOD C3I software
  - DoD must provide IA and protection for all DOD IT assets, including against:
    - unauthorized modifications to code in mission critical software
    - insertion of malicious code into mission critical software
    - reverse engineering of mission critical software
- Responding to 2 Congressional Sub-Committees, GAO Review 120221, "DoD Use of Foreign Sources for Software Development", resulted in May 2004 GAO-04-678, "Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks"
  - Outsourcing and foreign development risk insertion of malicious code
  - Recommendations for Executive Actions to direct DoD PMs to factor in software risks and for DoD to factor in security in risk assessments
Defeating the Threat: DoD Protection Initiatives
[Diagram: programs arranged along a THREAT ACCESS axis running from "Primarily Hands-On" to "Primarily External"]
Programs:
- Trusted Foundry (TF)
- Anti-Tamper (AT)
- Software Protection Initiative (SPI)
- Software Assurance (SA)
- Information Assurance (IA)
- Global Information Grid
Software Assurance Initiative (initial focus consistent with DoD Congressional concerns)
- Managed as part of the DoD Information Assurance (IA) Strategy to "Transform & Enable IA Capabilities"
- With oversight provided by the SW Assurance Steering Committee under the IA Senior Leadership, the Initiative is organized into working groups:
  - WG1 - Security Process Capability (improvement & evaluation)
  - WG2 - Software Product Evaluation (product focused)
  - WG3 - Threat Analyses -- Counter Intelligence (CI) Support
  - WG4 - Acquisition/Procurement and Industrial Security
  - WG5 - User Identification & Prioritization of Protected Assets
- SW Assurance Initiative provides requisite interfaces with related initiatives:
  - DoD Anti-Tamper and Software Protection Initiatives
  - Government Information Assurance initiatives
  - Interagency Standards Groups on Security & Assurance
  - Govt/industry Cyber Security SW development lifecycle task force
Response for Software Assurance
- October 2002: the President's Critical Infrastructure Protection Board (PCIPB) IT Security Study Group (ITSSG) identified security shortfalls in acquisition processes and recommended security improvements
- DoD evaluated the ITSSG report, recommending:
  - Integrating an enhanced risk management process into the DoD acquisition processes
  - Specifying lifecycle risk mitigation of software vulnerabilities
  - Threat analysis of suppliers in source selection
  - Security component specification, design, build, and integration
  - Process capabilities (performance improvement and evaluation)
  - Product evaluation tools (test, accreditation and certification)
  - R&D and transitioning of enabling advanced technologies
  - Laws, policies & practices for acquisition/procurement, use and support
  - Identifying mechanisms to ensure software product integrity
Enhanced Risk Management Process (Draft Proposal)
[Diagram: inputs feeding a central "Threat-Informed / Security-Aware Risk Management Decision" with Oversight]
- Threat Assessment
- Supplier Security Process Capability Evaluation
- Product Security Evaluation
- Defense in Depth
Scoping Expectations for Workshops / Software Assurance Forum
- Working Group 1, Security Process Capabilities (Process Improvement and Capability Evaluation -- Practice Focused)
  - Identify criteria/practices to be used in mitigating risks associated with the development/acquisition processes required to deliver secure software
  - Leverage work of interagency groups that identify best practices for the delivery of secure software/systems
  - Assistance to PMs in determining capabilities of suppliers, as part of:
    - Source selection activities & contract process monitoring
    - Changes in products & services
  - Need for:
    - Safe & secure style guides (language sub-sets) for programming
    - Software-related security development guides
    - Software assurance guidelines within High-Assurance Systems Engineering:
      - enterprise-level and total system lifecycle dependability
      - high-assurance validation and verification
  - Need for SW Assurance templates for RFPs (including Sections L & M)
Scoping Expectations for Workshops / Software Assurance Forum
- Working Group 1, Security Process Capabilities -- Leveraging Activities
  - IEEE CS Software and Systems Engineering Standards Committee (S2ESC) provides oversight of the largest collection of IEEE standards
    - Safety & Security Practices for use in evaluating delivery capabilities
      - Developed as extensions to CMMI & iCMM; can be used stand-alone
      - Practices traceable to 7 source standards
      - Safety & security focus using CMMI & iCMM implementing practices
  - ISO/IEC JTC1/SC7 WG9
    - Redefined its terms of reference to software and system assurance (part of Systems Engineering / System Life Cycle Processes)
    - ISO/IEC 15026 to address management of risk and assurance of safety, security, and dependability within the context of system and software life cycles
  - NIST Information System Security Project
    - Producing publications on security of Federal Information Systems
    - Provides standards for labs conducting software product evaluations
Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
Scoping Expectations for Workshops / Software Assurance Forum
- Working Group 2, Product Evaluation
  - Product Diagnostic Capabilities
  - Role of Executive Agent for High Assurance Software Technology Evaluation
- Working Group 3, Threat Assessment Support
  - All-Source Threat Analyses Capabilities
  - Types of support needed to support government and industry
- Working Group 4, Acquisition/Procurement/Industrial Security Policy
  - Policies and regulatory guidance for software assurance
  - Guidance for using information to support enhanced risk management, from:
    - Threat assessments
    - Security process capability evaluations
    - Product security evaluations
- Working Group 5, Prioritization of Assets Requiring High Assurance
  - Process for specifying DoD "watch list" assets requiring high assurance
  - Sample criteria for use by PMO Systems Engineers in determining software components that require high assurance
Contact Information
Software Assurance Initiative Director
Joe Jarzombek, PMP
Deputy Director for Software Assurance
Information Assurance Directorate
Office of the Assistant Secretary of Defense (Networks and Information Integration)
Business Ph: (703) 604-1489 x154
Mobile/Cell Ph: (703) 627-4644
Joe.Jarzombek_at_osd.mil
Crystal Gateway 3, Suite 1101, 1215 Jefferson Davis Highway, Arlington, VA 22202-4302