DoD Software Assurance Initiative. Mitchell Komaroff, OASD (NII)/DCIO



Similar documents
System Security Engineering

DoD Software Assurance (SwA) Overview

System Security Engineering and Comprehensive Program Protection

Implementing Program Protection and Cybersecurity

How To Protect Your Data From Being Hacked

Department of Defense INSTRUCTION

Cyber Security for Advanced Manufacturing Next Steps

DoD CIO s 10-Point Plan for IT Modernization. Ms. Teri Takai DoD CIO

Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals

The United States Department of Defense Revitalization of System Security Engineering Through Program Protection

Adding a Security Assurance Dimension to Supply Chain Practices

Securing the Supply Chain for Electronic Equipment: A Strategy and Framework by Scott Borg

Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes

Subject: Critical Infrastructure Identification, Prioritization, and Protection

Supply Chain Attack Patterns: Framework and Catalog

December 17, 2003 Homeland Security Presidential Directive/Hspd-7

Rapid Prototyping: Leapfrogging into Military Utility

Defining a Secure Mobile Framework Architecture at DHA

Department of Defense INSTRUCTION. SUBJECT: Information Assurance (IA) in the Defense Acquisition System

Using Parametric Software Estimates During Program Support Reviews

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Promoting Network Security (A Service Provider Perspective)

Defending Against Data Beaches: Internal Controls for Cybersecurity

NDIA Software Industry Experts Panel

Piloting Supply Chain Risk Management Practices for Federal Information Systems

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Software Assurance in Acquisition and Contract Language

January 17, ITI Point of Contact:

Vulnerability Analysis Techniques to Support Trusted Systems and Networks (TSN) Analysis

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

System Security Engineering and Program Protection Integration into SE

Cyber Information-Sharing Models: An Overview

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology

NICE and Framework Overview

Rationalizing Governance, Engineering Practice, and Engineering Economics in the System and Software Assurance Trade Space

Supply Chain Risk Management. Operating ahead of the threat, not behind the vulnerabilities

DoD Strategy for Defending Networks, Systems, and Data

Empowering IT Acquisitions

Defense Industrial Base Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan

Department of Defense INSTRUCTION

Update: OSD Systems Engineering Revitalization Efforts

Statement of Gil Vega. Associate Chief Information Officer for Cybersecurity and Chief Information Security Officer. U.S. Department of Energy

Office of Emergency Communications (OEC) Mobile Applications for Public Safety (MAPS)

Writing a Systems Engineering Plan, or a Systems Engineering Management Plan? Think About Models and Simulations

BY ORDER OF THE COMMANDER USTRANSCOM INSTRUCTION UNITED STATES TRANSPORTATION COMMAND 22 JUNE 2015

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

GAO Information Security Issues

Distribution A. Approved for Public Release; distribution unlimited. (88ABW )

Property and Equipment Accountability and Management Best Practice Discussion

UNCLASSIFIED. UNCLASSIFIED Office of Secretary Of Defense Page 1 of 16 R-1 Line #145

SYSTEMS SECURITY ENGINEERING

Department of Defense DIRECTIVE

Military Handbook 881 Work Breakdown Structure Update

Incident Handling. Applied Risk Management. September 2002

Trusted Systems and Networks (TSN) Analysis

Cisco SAFE: A Security Reference Architecture

Managing Physical Security Risk in Physical Layer Infrastructure Solutions

RMF. Cybersecurity and the Risk Management. Framework UNCLASSIFIED

BlacKnight. Cyber Security international A BUSINESS / MARKETING PRESENTATION

DEFENSE ACQUISITION PROGRAM SUPPORT METHODOLOGY

Fiscal Year (FY) 2016 Budget Estimates Defense Health Program Procurement Budget Item Justification

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years

Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Missile Defense Agency Small Business Conference Supply Chain Risk Management (SCRM) Information Briefing

The Comprehensive National Cybersecurity Initiative

National Cyber Security Policy -2013

DoD final rule for the detection and avoidance of counterfeit electronic parts impacts contractors operations

Seoul Communiqué 2012 Seoul Nuclear Security Summit

What Risk Managers need to know about ICS Cyber Security

Third Party Security Requirements Policy

Tim Denman Systems Engineering and Technology Dept Chair/ Cybersecurity Lead DAU South, Huntsville

DEFENSE SUPPLY CHAIN SECURITY & RISK MANAGEMENT: PRINCIPLES & PRACTICE

Cybersecurity Delivering Confidence in the Cyber Domain

AEROSPACE INDUSTRY GUIDELINES FOR IMPLEMENTING INTEROPERABILITY STANDARDS FOR ENGINEERING DATA

CUTTING THROUGH THE HYPE: WHAT IS TRUE NEXT GENERATION SECURITY?

Department of Defense INSTRUCTION. SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing

Department of Defense Fiscal Year (FY) 2015 Budget Estimates

Managing Risk in Global ICT Supply Chains

H. R IN THE HOUSE OF REPRESENTATIVES A BILL

SED / Rassa Open Issue: Rapid acquisition and deployment Sep Top SE Issues

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills DAU-South

Department of Defense INSTRUCTION

ICT Supply Chain Risk Management

Defense Healthcare Management Systems

Actions and Recommendations (A/R) Summary

Strategies for assessing cloud security

GOVERNMENT USE OF MOBILE TECHNOLOGY

Pb-free Electronics Risk Management (PERM) Consortium

ISACA Kampala Chapter Feb Bernard Wanyama Syntech Associates Limited

Supply Chain Attack Framework and Attack Patterns

Department of Defense Net-Centric Services Strategy

Threat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA

Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary

Energy Industry Cybersecurity Report. July 2015

Fighting Identity Fraud with Data Mining. Groundbreaking means to prevent fraud in identity management solutions

Obtaining Enterprise Cybersituational

Transcription:

DoD Software Assurance Initiative Mitchell Komaroff, OASD (NII)/DCIO

Agenda Background Software Assurance Definition and Strategy Guiding Principles for SwA DoD SwA Strategy Elements Industry Outreach NDIA System Assurance Initiative Commercial Industry Strategic Goals 2

Background In July 2003, the Assistant Secretary of Defense for Networks and Information Integration [ASD(NII)] established a Software Assurance Initiative to examine software assurance issues On 23 Dec 04, Undersecretary of Defense for Acquisitions, Technology and Logistics [USD(AT&L)] and ASD(NII) established a Software Assurance (SwA) Tiger Team to:» Develop a holistic strategy to reduce SwA risks within 90 days» Provide a comprehensive briefing of findings, strategy and plan On 28 Mar 05, Tiger Team presented its strategy to USD(AT&L) and ASD(NII) and was subsequently tasked to proceed with 180 day Implementation Phase 3

Software Assurance Scope: Software is fundamental to the GIG and critical to all weapons, business and support systems Threat agents: Nation-state, terrorist, criminal, rogue developer who:» Gain control of IT/NSS through supply chain opportunities» Exploit vulnerabilities remotely Vulnerabilities: All IT/NSS (incl. systems, networks, applications)» Intentionally implanted logic (e.g., back doors, logic bombs, spyware)» Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code) Consequences: The enemy may steal or alter mission critical data; corrupt or deny the function of mission critical platforms Software assurance (SwA) relates to the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software. 4

Guiding Principles for SwA Understand problem from a systems perspective Response should be commensurate with risk Sensitive to potential negative impacts» Degradation of our ability to use commercial software» Decreased responsiveness/ increased time to deploy technology» Loss of industry incentive to do business with the Department» Minimize burden on acquisition programs Exploit and extend relationships with:» National, international, and industry partners» DoD initiatives, e.g., trusted integrated circuits and Information Assurance 5

DoD SwA Strategy Elements Partner with Industry to focus science and technology on research and development of technologies» Improve assured software development tools and techniques» Strengthen standards for software partitioning and modularity» Enhance vulnerability discovery Employ repeatable Systems Engineering (SE) and test processes to identify, assess, and isolate critical components, and mitigate software vulnerabilities Leverage and coordinate with industry, academia and national and international partners to address shared elements of the problem 6

Industry Outreach USD(AT&L)/ASD(NII) memo to Industry» Requested participation in an Executive Roundtable Tiger Team held initial meetings with directors:» National Defense Industrial Association (NDIA)» Government Electronics & Information Technology Association (GEIA)» Aerospace Industries Association (AIA)» Object Management Group (OMG) Identified areas of interest for SwA white papers» OMG leveraging ongoing standards activities of ADM to apply metamodel concept to assurance problem» NDIA hosted SwA Summit and Standing up SwA Committee» GEIA will share lessons and collaborate to develop new processes» AIA will help integrate SwA processes into mainstream integration activities DoD/Industry Executive Roundtable held in December 2005» Planned Industry-DoD initiatives encouraged 7

NDIA System Assurance Committee Goals Create a uniform perspective on system assurance problems and solutions» Start bridging the gap between: the weapons systems and the enabling technologies communities traditional DoD industrial base and commercial industry DoD and critical infrastructure (e.g. telecom, finance, energy, medical) Goal Extended community to engage in system assurance strategy 8

NDIA System Assurance Committee Charter Extend community to engage in system assurance strategy Vet and comment on recommendations coming out of DoD strategy Develop a System Assurance Handbook Leverage standards activities Chairs» Paul Croll, NDIA SED» Kristen Baldwin, OUSD AT&L» Mitchell Komaroff, OASD NII 9

Commercial Industry: Strategic Goals Create Commercial Industry Center of Mass to sort out assurance issues» Dialog with NDIA System Assurance Committee» Include broad commercial participation Develop Industry End-to-end reference models (RM), standards, requirements» Product level assurance properties Systems of Known Assurance» Express RM/Standards/Requirements in modeling language Identify methods for validating compliance with requirements/ standards, using industry-developed tools NDIA COTS Integrators DIALOG Industry Stakeholders COTS Developers Commercial Developers develop products within reference model» Understood assurance properties meeting Business Model» Become stakeholders in models: tools become key to standards compliance Systems Integrators compose systems with system-level assurance properties based upon technically demonstrable product-level properties. 10

Questions? 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information