DoD Software Assurance (SwA) Overview



Similar documents
System Security Engineering and Comprehensive Program Protection

System Security Engineering

Implementing Program Protection and Cybersecurity

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C

Software Engineering Framing DoD s Issues

DoD Software Assurance Initiative. Mitchell Komaroff, OASD (NII)/DCIO

Vulnerability Analysis Techniques to Support Trusted Systems and Networks (TSN) Analysis

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology

Department of Defense INSTRUCTION

AF Life Cycle Management Center

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills DAU-South

The United States Department of Defense Revitalization of System Security Engineering Through Program Protection

DoD CIO s 10-Point Plan for IT Modernization. Ms. Teri Takai DoD CIO

WORKFORCE COMPOSITION CPR. Verification and Validation Summit 2010

Trusted Systems and Networks (TSN) Analysis

Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals

System Security Engineering and Program Protection Integration into SE

How To Protect Your Data From Being Hacked

Middle Class Economics: Cybersecurity Updated August 7, 2015

Missile Defense Agency Small Business Conference Supply Chain Risk Management (SCRM) Information Briefing

Supply Chain Attack Patterns: Framework and Catalog

Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes

Writing a Systems Engineering Plan, or a Systems Engineering Management Plan? Think About Models and Simulations

Cybersecurity Enhancement Account. FY 2017 President s Budget

STATEMENT BY DAVID DEVRIES PRINCIPAL DEPUTY DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER BEFORE THE

SYSTEMS SECURITY ENGINEERING

Achieving True Risk Reduction through Effective Risk Management

Cybersecurity Delivering Confidence in the Cyber Domain

Early Development Planning Leads to Affordable Systems. NDIA 14 th Annual Systems Engineering Conference Track 4 Early Systems Engineering

FOUNDATION: Material Solution Analysis Is More Than Selecting an Alternative

How To Become A Senior Contracting Official

Cybersecurity: Mission integration to protect your assets

Ideas for a More Proactive Role for Parts Management and DMSMS in Acquisition

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

FREQUENTLY ASKED QUESTIONS

Cybersecurity Throughout DoD Acquisition

Supply Chain Attack Framework and Attack Patterns

UNITED STATES AIR FORCE. Air Force Product Support Enterprise Vision

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

The Software Supply Chain Integrity Framework. Defining Risks and Responsibilities for Securing Software in the Global Supply Chain.

The State of DoD Biometrics

How To Ensure Your Software Is Secure

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

DoD Strategy for Defending Networks, Systems, and Data

Cybersecurity is one of the most important challenges for our military today. Cyberspace. Cybersecurity. Defending the New Battlefield

NDIA Manufacturing Council: DoD Systems Engineering / Manufacturing Update

New Acquisition Policy Changes for Systems Engineering

The Comprehensive National Cybersecurity Initiative

UNCLASSIFIED. UNCLASSIFIED Office of Secretary Of Defense Page 1 of 16 R-1 Line #145

Interim DoDI The Cliff Notes Version --

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Dr. David Burns Director for Science and Technology Advanced Technology Missile Defense Agency

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

NERC CIP VERSION 5 COMPLIANCE

Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014

Improving Cybersecurity and Resilience through Acquisition [DRAFT] IMPLEMENTATION PLAN

Dependable (Safe/Reliable) Systems. ARO Reliability Workshop Software Intensive Systems

Software Assurance in Acquisition and Contract Language

Cyber Security for Advanced Manufacturing Next Steps

Notional Supply Chain Risk Management Practices for Federal Information Systems

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Rising to the Challenge

Software Assurance: Enabling Security Automation and Software Supply Chain Risk Management. Commerce. National Defense. Today Everything s Connected

DoD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process

Implementing a Quantitative Risk- Based Approach to Cyber Security

Frontiers in Cyber Security: Beyond the OS

January 17, ITI Point of Contact:

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Introduction to NICE Cybersecurity Workforce Framework

An Introduction to the ECSS Software Standards

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Department of Defense INSTRUCTION

DEFENSE INFORMATION SYSTEMS AGENCY STRATEGIC PLAN UNITED IN SERVICE TO OUR NATION

Reducing risks in the Software Acquisition Life Cycle

The Software Development Life Cycle: An Overview. Last Time. Session 8: Security and Evaluation. Information Systems Security Engineering

Addressing FISMA Assessment Requirements

Adding a Security Assurance Dimension to Supply Chain Practices

NASA OFFICE OF INSPECTOR GENERAL

IoT & SCADA Cyber Security Services

Manufacturing Readiness Level (MRL) Deskbook Version 2.0 May, 2011

Advanced Threat Protection with Dell SecureWorks Security Services

Security Control Standard

Security Risk Management For Health IT Systems and Networks

Statement. Mr. Paul A. Brinkley Deputy Under Secretary of Defense for Business Transformation. Before

Workforce Management: Introducing a Policy Rules Engine to Industrial Security Adrian Fielding, Honeywell Damian Vassallo, RightCrowd

Managing Security Risk In a World of Complex Systems and IT Infrastructures

Obtaining Enterprise Cybersituational

RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

AF Life Cycle Management Center

HP Fortify Software Security Center

DEPARTMENT OF THE NAVY NAVAL AIR SYSTEMS COMMAND RADM WILLIAM A. MOFFETT BUILDING BUSE ROAD, BLDG 2272 PATUXENT RIVER, MARYLAND

Best Practices for the Acquisition of COTS-Based Software Systems (CBSS): Experiences from the Space Systems Domain

Software Security Engineering: A Key Discipline for Project Managers

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

The Impacts Of Agile Development On The System Engineering Process

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

ICT Supply Chain Risk Management

Agency for State Technology

1 July 2015 Version 1.0

Transcription:

DoD Software Assurance (SwA) Overview Tom Hurt Office of the Deputy Assistant Secretary of Defense for Systems Engineering NDIA Program Protection Summit / Workshop McLean, VA May 19, 2014 May 19, 2014 1

Outline Current Assurance Outlook DoD Trusted Defense Systems & Networks Strategy What is Software Assurance? SwA integrated into the DoD System Lifecycle SwA as a Systems Engineering Discipline SwA Analysis and Test Resources DoD SwA R&D Strategy Proposed DoD Enterprise Assurance Approach Challenge to Industry May 19, 2014 2

Current Assurance Outlook Threat: Nation-state, terrorist, criminal, or rogue developer who: Exploits vulnerabilities remotely Gains control of systems through supply chain opportunities Vulnerabilities All systems, networks, and applications (Hardware & Software) Intentionally implanted (i.e. malicious code insertion) Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile software) Traditional Consequences: Loss of critical data and technology Emerging Consequences: Exploitation of manufacturing and supply chain, and of software vulnerabilities in sustainment Either can result in corruption; loss of confidence in critical warfighting capability Today s acquisition environment drives the increased emphasis: Then Stand-alone systems >>> Some software functions >>> Known supply base >>> CPI (technologies) >>> Now Networked systems Software-intensive and critical functions in Software Prime Integrator, hundreds of suppliers CPI and critical components May 19, 2014 3

Trusted Defense Systems and Networks Strategy Program Protection Plan Drivers/Enablers National Cybersecurity Strategies Globalization Challenges Prioritize by Mission Dependence Comprehensi ve Program Protection Planning USD(AT&L) Download: http://www.acq.osd.mil/se/pg/guidance.html Increasing System Complexity Pervasive Networks & SW-intensive Systems Enhance R&D for Vulnerability Detection and Response Partner with Industry Report on Trusted Defense Systems Intellectual Property Protection Delivering Trusted Systems USD(AT&L) ASD(NII)/DoD CIO Executive Summary: http://www.acq.osd.mil/se/pg/spec-studies.html May 19, 2014 4

What is Software Assurance? Software Assurance. The level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the lifecycle. Reference: DoD Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN) Our objective is to establish software assurance as an accepted SE discipline within the Department. May 19, 2014 5

Software Assurance Integrated into the DoD System Lifecycle MS A Dev t RFP Release Decision MS B MS C FRP Decision or FDD Review Strategic Guidance (OSD/JCS) Joint Concepts (COCOMs) CBA ICD MDD Materiel Solution Analysis Tech Maturation & Risk Reduction CDD Engineering & Manufacturing Development CPD Production and Deployment O&S Tailorable RFP Language is Available AoA Focus Scope of Protection Identify & mitigate sources of software vulnerabilities COTS known vulnerabilities Secure coding practices & automated code analysis tools Secure development environment and toolset SEP ASR SRR SFR PDR CDR PPP Software Assurance Assessment at SE Technical Reviews SEP PPP SEP PPP SwA blends into Engineering Process Processes, Tools, Techniques Requirements & Metrics System Architecture, SW Design, Coding Practice Test and Evaluation Prevent, Detect, Respond SEP PPP PPP SwA in each part of the lifecycle Chain of custody of knowledge, risks and products Engineering level traceability from MDD through disposal Pre-EMD Review Emphasizing Use of Affordable, Risk-based Countermeasures May 19, 2014 6

Software Assurance as a Systems Engineering Discipline: Countermeasure Selection Development Process Apply assurance activities to the procedures and structure imposed on software development Operational System Incorporate countermeasures in the requirements, architecture, design, and acquisition of end-item software products and their interfaces Development Environment Apply assurance activities to the environment and tools for developing, testing, and integrating software code and interfaces Trends Increased use of automated tools for detection, analysis, and remediation Requirement to use SwA tools and methodology across DoD system life cycle Monitor and assess application of software assurance countermeasures Additional Guidance: http://www.acq.osd.mil/se/docs/swa-cm-in-ppp.pdf May 19, 2014 7

SwA Analysis and Test Resources State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation, August 2013 Approach SwA objectives (e.g., countering weaknesses) were organized and consolidated into categories that the DoD acquisition community can use State-of-the-art of SW analysis and test tools and techniques were organized into families SwA objectives were mapped to tools and techniques, providing a sound basis for a tool selection and use methodology by DoD programs Findings There is utility in grouping SwA tools and techniques into families Some tools are costly, and use of any tool or technique incurs program cost Policy, guidance and resources must evolve at pace with constantly changing threats No silver bullet tool or technique exists May 19, 2014 8

DoD SwA R&D Strategy: Focus Areas Near and Long Term Goals Malicious Code Detection Measures of Effectiveness Designed-in Security Near Term Technical Goals Existing and evolutionary: Advanced passive monitoring Data collection across all system layers Near real-time detection and isolation of zero days Workforce education and training Method and Baseline: Effectiveness and cost Across the DoD lifecycle Across Government agencies and industry Advance security in design as early as possible: Reduction of costs and risk for development and sustainment Automated processes, dataintensive design and development Assurance result composability Revolutionary: Automated MoE Assessment and Reporting System: Co-develop System and Evidence for Assurance: Long Term Technical Goals Automated enterprise-wide detection coordination and correlation Threat vector prediction from behaviors, signatures and information external to code Automated trend analysis Community acceptance and standards that drive contracts Simultaneous development of systems and attestation evidence Fully integrated supply chain considerations Verification and Assurance scalable across system size, complexity and criticality Feedback across entire lifecycle May 19, 2014 9

Proposed DoD Enterprise Assurance Approach Identify participating parties AT&L, CIO, Services, Agencies, Parties agree to: Establish a federation of SW and HW assurance capabilities to support DoD programs Bring to bear SW and HW assurance expertise, and capabilities in support of DoD needs Identify capability needs for SwA and HwA R&D program Identify needed improvements in SW and HW assurance tools and methodoligies Procure, manage, and distribute enterprise licenses for SW and HW assurance tools Enhance DoD SW and HW Assurance Infrastructure May 19, 2014 10

System Security Engineering (SSE); Software Assurance Is a cross-cutting, multi-disciplinary area of interest Impacts not only security, but SW development, test, deployment, and operation techniques and practices Has tools and techniques that support cyber security, software design, software development techniques and practices, software test, and supply chain risk management Is a growing area of importance in industry Requires cooperative research, participation, innovation, and engagement Challenges are: Translating systems engineering requirements into SwA contract language Identifying effective contract language and verifying results Specifying metrics for security risks, vulnerability detection, and validated mitigation Training and educating the workforce Building efficacy/scalability of tools and techniques Integrating SwA capability into engineering disciplines May 19, 2014 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information