The current overly compliance-focused approach often puts less emphasis on building the software capability to address likely advanced threats, and expends considerable effort getting over the regulatory “speed bumps” to meet the “schedule” at the end of the Software Development Life Cycle (SDLC). Given the advanced threat, an approach focused only on compliance may not be effective. This potential ineffectiveness is indicated in the DoD Director, Operational Test and Evaluation Reports and in DoD Inspector General Reports [10], specifically DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued From August 1, 2015, Through July 31, 2016 [11], which identifies the need for “implementing secure information systems on major weapons systems throughout their lifecycle requires effective and continuous software assurance testing.”
The DoD has developed a significant body of information to aid in addressing the challenge. For example, the Program Manager’s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle [12] helps program managers (PMs) and their staffs clearly understand how to integrate cybersecurity into their programs throughout the system lifecycle in accordance with the RMF. This guidebook identifies software assurance as a systems security engineering activity, a countermeasure that mitigates cybersecurity risks.
An overall governance process that includes clear mandates for third-party SwA assessments, along with a set of practices for ensuring proactive application security, provides the objective perspective and motivation to maintain an effective program and helps ensure that warfighters can trust the software product. Objective assessments must be implemented early on and continuously, to provide the powerful “forcing function” needed to get the developer to implement a fully integrated software assurance discipline throughout the SDLC.
At the system level, it is critical to first establish a coherent and disciplined process by developing a plan and statement of requirements for software assurance early in the acquisition lifecycle. This requires incorporating cybersecurity requirements, including software assurance requirements, into requests for proposal (RFPs). Programs then need to use the plan to track software assurance protection throughout the acquisition. Progress toward achieving the plan needs to be measured by actual results reported at each of the Systems Engineering Technical Reviews (SETRs), as noted in the 2014 Deputy Assistant Secretary of Defense for Systems Engineering and Department of Defense Chief Information Officer’s Software Assurance Countermeasures in Program Protection Planning [13] guide.
This level of rigor is economically justified because it saves resources in the long run, as noted in the Software Engineering Institute Special Report: Making the Business Case for Software Assurance [14]. This report provides evidence of the business case for SwA.
At both the system and enterprise level, it is necessary to place more emphasis on developing the capability and capacity to leverage a broad range of software assessment tools and techniques across our portfolio of systems. For example, we need the capability for more “white box testing” – structural testing with insight into the internal logic and software structure, such as static software code assessments using multiple tools. We also need enhanced capacity, including enough well-trained and motivated people, to actually perform the testing consistently across our portfolio of systems and to work with developers and maintainers to implement effective solutions.
The third and critical step in implementing an enduring SwA program is developing, executing, and then maintaining an enterprise-level SwA strategic plan that addresses the planning, execution, capability, and capacity needed to build security in [15].
At the DoD and Army level, action has been taken to establish and support the Joint Federated Assurance Center (JFAC) [16]. Section 937 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2014 directed the Department of Defense (DoD) to establish a federation of capabilities to support trusted defense systems and ensure the security of software and hardware developed, acquired, maintained, and used by the Department. The JFAC Service Providers that help deliver the capabilities of the JFAC are available to assist program managers, developers, and maintainers in implementing an effective software assurance program.