The answer to the question is NO – as noted in the DoD Director, Operational Test and Evaluation FY 2016 Annual Report [1], despite the significant progress the DoD has made in improving the cybersecurity of DoD programs and networks, “missions remain at risk when subjected to cyber-attacks emulating an advanced nation-state adversary.” The challenge of assuring that our software will only operate as intended is formidable given the ever-growing complexity of systems and networks. Considerations include the globalization of the defense industrial base, the cost-consciousness and competitiveness of many suppliers, concerns about the insertion of malicious functionality in software, and heightened awareness of adversaries targeting DoD supply chains. “Black box” software functionality testing, performed without knowledge of how the internal structure or logic will process the input, will not catch many of the critical defects in software.
To address this challenge, DoDI 5000.02, Operation of the Defense Acquisition System, Incorporating Change 2, Effective February 2, 2017 [2], states that Program Managers will implement the use of automated software vulnerability detection and analysis tools and ensure that risk-based remediation of software vulnerabilities is addressed in Program Protection Plans (PPPs), included in contract requirements, and verified through continued use of such tools and testing (as required by section 933 of Public Law 112-239) [3].
What is Software Assurance (SwA) and why should we care about SwA?
SwA is “The level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the lifecycle.” — Committee on National Security Systems Instruction (CNSSI) 4009 – April 2015 [4].
We need SwA because Mission Critical Defense Systems (MCDS) built with inadequate security and unknown but critical flaws put military data, operations and sensitive information at significant risk, especially given that most of these systems operate on the Department of Defense Information Networks (DoDIN) [5]. Successive National Defense Authorization Acts (NDAAs) have identified the need for SwA, which is evidence of US Congressional and Presidential support for it. Section 933 of the 2013 NDAA mandated that the DoD implement a baseline SwA policy.
The major DoD baseline SwA policy documents are shown in Figure 1:
- DoDI 5200.44 [6], “Protection of Mission-Critical Functions to Achieve Trusted Systems and Networks (TSN),” Incorporating Change 1, Effective August 25, 2016
- DoDI 5000.02, Operation of the Defense Acquisition System, Incorporating Change 2, Effective February 2, 2017
- DoDI 8500.01 [7], Cybersecurity, 14 March 2014
- DoDI 8510.01 [8], Risk Management Framework (RMF), Incorporating Change 1, Effective May 24, 2016
- CJCSI 6510.01F [9], Information Assurance (IA) and Support to Computer Network Defense (CND), Directive Current as of 9 Jun 2015
Figure 1 – Baseline Software Assurance (SwA) Policy
When acquiring systems, managers face the difficult task of balancing software performance, cost, and schedule trade-offs against the level of security needed to provide “survivability” of the resulting mission capability. Managers and system owners address survivability for hardware, such as a combat vehicle, by engaging experts to address the vehicle’s ability to withstand likely kinetic threats and then checking that the vehicles coming off the assembly line are built to meet the threat. While software is different, a similar approach should work for software.