Communications-Electronics Command (CECOM) has taken action by championing and supporting SwA. The CECOM Software Engineering Center (SEC) built its current software assurance program strategy from our lessons learned; it is based on three Lines of Effort (LoE):
- SwA Infrastructure: Establish a sound SwA infrastructure as a key enabler for SwA. Discover, develop, objectively assess, and then implement “best in breed” software assurance, mobile application, cyber-security and malicious code scan tools. Using the “best in breed” tools and techniques, create a common, well-resourced enterprise software engineering capability that team members can leverage, rather than continuing with the current patchwork of capabilities. Resource the infrastructure by planning, programming, budgeting and executing the resources needed to put it in place and to keep it relevant and ready.
- Governance: As we all know, a major program needs good requirements and senior leader support to succeed. SwA is no different. To achieve this it is necessary to leverage the best practices, requirements, emerging threats, and lessons learned of other stakeholders, including Department-level stakeholders, user representatives from the major commands, the research community, the acquisition community, Chief Information Officers (CIOs), the intelligence community, United States Cyber Command (USCYBERCOM), the Department of Homeland Security (DHS), and the National Security Agency (NSA) Center for Assured Software (CAS), so that our governance approach remains relevant and unified. Policy needs to be not only enforced but also supported by a community that stands ready to help program managers, application developers and maintainers with the formidable task of engineering in security and then maintaining the security of the software baseline.
- Workforce Development: Develop, educate, motivate, and train the workforce. Conduct a strategic communications campaign for our workforce, partners, and leaders to promote the vision and purpose of SwA. Change the culture of our workforce so that they embrace software assurance and cyber-security. Provide educational experiences for developers and sustainers that address both the theory and the engineering application relevant to cybersecurity, which includes software assurance. Provide formal training to the workforce, including baseline cybersecurity certification training and training on specific, relevant technologies. Provide the workforce with professionally mentored “hands-on” work experience in applying software assurance practices, including the use of cyber-security scan tools and the implementation of Tactics, Techniques, and Procedures (TTPs). Document and track training so that managers can confirm it is happening. This includes making the proper application of software assurance TTPs part of the performance objectives for all software engineering employees and part of what we demand in contracts for our supporting contractor workforce.
In conclusion, to effectively defend against the threats our systems and networks face, a collaborative approach is needed to understand the current and evolving threat, to develop and maintain effective solutions, to proactively address weaknesses in both our systems and our software, and to make the smart trade-offs required between functional mission capabilities and a viable security posture. Program managers, developers, system engineers, software engineers, the intelligence community, the operational organizations that use DoD systems and software, and expert service providers such as the JFAC Service Providers need to embrace a spirit of collaboration and teamwork, because no single person or organization has all the knowledge or capability needed to address the daunting problem of assuring software alone. A successful program is about more than simply measuring compliance and making fixes; it needs a unified team effort focused on real results that reduce risk against the current threat in a way that contributes to both survivability and mission effectiveness.