Communications-Electronics Command (CECOM) has taken action by championing and supporting SwA. The CECOM Software Engineering Center’s (SEC’s)17 current software assurance program strategy, which we developed using our lessons learned, is based on three Lines of Effort (LoE):
- SwA Infrastructure: Establish a sound SwA Infrastructure as a key enabler for SwA. Discover, develop, objectively assess, and then implement “best in breed” software assurance, mobile application, cyber-security and malicious code scan tools. Using the “best in breed” tools and techniques, create a common, well-resourced enterprise software engineering capability that team members can leverage, rather than continuing with the current patchwork sets of capabilities. Resource the infrastructure by planning, programming, budgeting and executing the resources to put the infrastructure in place and to keep it relevant and ready.
- Governance: As we all know, a major program needs good requirements and senior leader support to succeed. SwA is no different. To do this, it is necessary to leverage the best practices, requirements, emerging threat, and lessons learned from other stakeholders, including Department Level Stakeholders, to include user representatives from the major commands, the research community, the acquisition community, Chief Information Officers (CIOs), the intelligence community, United States Cyber Command (USCYBERCOM), Department of Homeland Security (DHS), and National Security Agency (NSA) Center for Assured Software (CAS), so that our governance approach remains relevant and unified. Policy needs to be not only enforced but also supported by a community that stands ready to support program managers and application developers and maintainers with the formidable task of engineering in security and then maintaining the security of the software baseline.
- Workforce Development: Develop, educate, motivate, and train the workforce. Conduct a strategic communications campaign for our workforce, partners, and leaders to promote the vision and purpose of SwA. Change the culture of our workforce so that they embrace software assurance & cyber-security. Provide educational experiences for the developers and sustainers to address both the theory and engineering application relevant to cybersecurity, which includes software assurance. Provide formal training experiences to the workforce, to include baseline cybersecurity certification training and training on specific and relevant technologies. Provide the workforce with professionally mentored “hands-on” work experience in applying software assurance practices, to include using cyber-security scan tools and implementing Tactics, Techniques, and Procedures (TTPs). Document and track training so that managers can make sure it is happening. This includes making sure that properly applying software assurance TTPs becomes part of performance objectives for all software engineering employees and part of what we demand in contracts for our supporting contractor workforce.
In conclusion, to effectively defend against the threats our systems and networks face, a collaborative approach is needed to understand the current and evolving threat, to develop and maintain effective solutions, to proactively address weaknesses in both our systems and software, and to make the smart trade-offs needed between functional mission capabilities and a viable security posture. Program managers, developers, system engineers, software engineers, the intelligence community, the operational organizations that use DoD systems and software, and expert service providers, such as the JFAC Service Providers, need to embrace a spirit of collaboration and teamwork because no single person or organization has all the knowledge or capability needed to address the daunting problem of assuring software by themselves. A successful program is about more than simply measuring compliance and making fixes; it needs a unified team effort that is focused on real results that reduce risk given the current threat in a way that contributes to both survivability and mission effectiveness.
Endnotes
- Operational Test & Evaluation Office of the Secretary of Defense, Fiscal Year (FY) 2016 Report, Retrieved from http://www.dote.osd.mil/pub/reports/FY2016/pdf/other/2016cybersecurity.pdf
- DODI 5000.02, Operation of the Defense Acquisition System Incorporating Change 2, Effective February 2, 2017, Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf
- 112th Congress Public Law 239, U.S. Government Printing Office, Page 1631, National Defense Authorization Act for Fiscal Year 2013, Retrieved from https://www.gpo.gov/fdsys/pkg/PLAW-112publ239/html/PLAW-112publ239.htm
- Committee on National Security Systems Instruction (CNSSI) 4009 – April 2015, Retrieved from https://www.cnss.gov/CNSS/issuances/Instructions.cfm
- Defense Information Systems Agency Strategic Plan 2015-2020, Retrieved from http://www.disa.mil/~/media/files/disa/about/strategic-plan.pdf
- DoDI 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), Incorporating Change 1, Effective August 25, 2016, Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/520044p.pdf
- DoDI 8500.01, Cybersecurity, March 14, 2014, Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf
- DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), Incorporating Change 1, Effective May 24, 2016, Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
- Chairman of the Joint Chiefs of Staff Instruction (CJCSI) 6510.01F, Directive Current as of 9 June 2015, Information Assurance (IA) and Support to Computer Network Defense, Retrieved from http://www.dtic.mil/cjcs_directives/cdata/unlimit/6510_01.pdf
- U.S. Department of Defense, Inspector General, Consolidated Listing of Reports, Retrieved from http://www.dodig.mil/pubs/index.cfm
- Cyber Security, DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued From August 1, 2015, Through July 31, 2016 (Redacted) (Project No. D2016-D000RB-0139.000), Retrieved from http://www.dodig.mil/pubs/report_summary.cfm?id=7235
- Program Manager’s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle, Cleared for Open Publication, May 26, 2015, Retrieved from https://acc.dau.mil/adl/en-US/722603/file/80119/Cybersecurity%20Guidebook%20v1_0%20with%20publication%20notice.pdf
- Deputy Assistant Secretary of Defense for Systems Engineering and Department of Defense Chief Information Officer, Software Assurance Countermeasures in Program Protection Planning, dated March 2014, Retrieved from http://www.acq.osd.mil/se/docs/SwA-CM-in-PPP.pdf
- Mead, N.R., Allen, J.H., Conklin, W.A., Drommi, A., Harrison, J., Ingalsbe, J., Rainey, J., Shoemaker, D. (University of Detroit Mercy), (April 2009) Making the Business Case for Software Assurance, Software Engineering Institute, CMU/SEI Report Number: CMU/SEI-2009-SR-001, Retrieved from http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8831
- Build Security In / Software & Supply Chain Assurance content is no longer updated. The reference is provided for historical reference. Retrieved from https://www.us-cert.gov/bsi
- Baldwin, K. (2014), Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview, 17th Annual NDIA Systems Engineering Conference, Retrieved from http://www.acq.osd.mil/se/briefs/16950-2014_10_29_NDIA-SEC-Baldwin-JFAC-vF.pdf
- CECOM SEC Software Assurance for the Acquisition Enterprise (2017), Retrieved from http://www.sec.army.mil/secweb/corecompCyberSA.html