Greetings, it is my honor to introduce the second of two special software assurance (SwA) editions of the Journal of Cyber Security & Information Systems, published by the Cyber Security & Information Systems Information Analysis Center (CSIAC).
Our systems continue to increase their reliance on software: software accounted for 66% of total system cost in 2010 and is projected to account for 88% by 2024. Simultaneously, Department of Defense (DoD) systems have become progressively more networked and more dependent on a complicated global supply chain. Securing software through assurance tools, methods, and practices has correspondingly become increasingly necessary to ensure we field systems free from detectable vulnerabilities and malware. To make assurance an integral part of DoD software development, the DoD has established program protection and system security engineering (SSE) as key disciplines to protect technology, components, and information against compromise and exfiltration. SSE is accomplished, in part, through the cost-effective application of protection measures to mitigate risks from vulnerabilities and attacks. The mission of software assurance, in support of SSE, is to remediate all detectable vulnerabilities, defects, and weaknesses in critical functions and components as early in a program's systems engineering as is technically feasible.
DoD acquisition Program Managers (PMs) and their staff are at the front lines for implementing these assurance measures throughout acquisition, sustainment, and operation. For example, PMs implement the use of automated software vulnerability detection and analysis tools, and they ensure that risk-based remediation of software vulnerabilities is planned and resourced in Program Protection Plans, included in contract requirements, and verified through iterative assessments. We provide guidance describing how programs can tailor software assurance requirements to the characteristics of the systems they are developing.
Assurance capabilities brought together by the Joint Federated Assurance Center (JFAC) support the planning, contracting, operation, measurement, and reporting of SwA work, including what a program must provide in its Program Protection Plan. Through JFAC, world-class engineering and acquisition professionals are working together on a broad range of initiatives that develop and implement best practices to help programs engineer software assurance in from the earliest acquisition activities. These initiatives continue to develop and update the artifacts, methodologies, guidance, contracting language, visibility, metrics, assessments, and S&T focus that engineer assurance into systems engineering (SE) activities across the life cycle. JFAC is planning further work that will provide automated SwA tools to enhance those efforts.
The JFAC SwA Technical Working Group has met at least biweekly for about three years, and its participation extends beyond the stakeholder Services and agencies to other parts of Government. For DoD programs, this group helped develop the JFAC Charter, the JFAC Congressional Report, the JFAC Concept of Operations, standardized operating procedures for the relationship between assurance providers and programs, metrics that programs can use to show progress in implementing SwA, and more. Recently, the group published the DoD SwA Capability Gap Analysis, which applies across the Services and brings the Services and several agencies together on definitions, language, operations, and thinking about how best to implement future innovation in assurance tools and technology for the benefit of programs. Its next initiatives include the first DoD-wide SwA Guidebook and the JFAC Outreach Plan.
My personal thanks to the authors and teams who contributed to these SwA special editions, and to the CSIAC for working with JFAC to make them possible. I hope you find the articles informative and useful, and that you will take advantage of the critical thought, methodology development, and practical improvements we have made in software assurance. We would like your feedback. If you have comments or questions, please contact the DASD(SE) JFAC team at firstname.lastname@example.org. Or, why not go to the JFAC website and write us a ticket!