The mission of the DoD Joint Federated Assurance Center (JFAC) is to promote software and hardware assurance in defense acquisition programs, systems, and supporting activities. This presentation will review the JFAC-sponsored effort to provide program managers with a guidebook for "engineering-in" software assurance into defense systems during the entire system acquisition lifecycle.

Software assurance (SwA) is the "level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout the life cycle." The latest January 2017 change to Department of Defense (DoD) Instruction (DoDI) 5000.02, Operation of the Defense Acquisition System, includes a new enclosure on cybersecurity that outlines several actions DoD acquisition Program Managers (PMs) should (but not must) implement to ensure system security and related program security across the acquisition, sustainment, and operation life cycle.

Software vulnerability and exploitation are the root cause of a majority of computer security problems, due in part to the increasing complexity and usage of software in our nation's defense systems and the increasing amount of latent defects and vulnerabilities contained in the aggregate software. Unfortunately, due to the dynamics of their job, program managers often do not fully comprehend the magnitude of the threats and risks associated with software assurance issues in their own systems, or in the legacy or modern systems with which their system must interface to achieve mission effectiveness.
CSIAC Webinars - Systems Engineering Challenges for Integrating Software Assurance into Defense Systems Throughout the System Acquisition Lifecycle
Questions asked during the webinar:

- How was the guidebook content quality assured?
- SE focused on eliminating vulnerabilities. How about zero-day vulnerabilities that are not foreseen or known until after their adverse impact?
- Does the "normal SEI review process" result in zero defects?
- How does the intertwined focus on cybersecurity and software assurance address risk management, given the increasing focus of cybersecurity on risk management?
- What level of confidence does the guidebook achieve when used?
- Has this guidebook been produced because the JFAC has determined that too many DoD programs do not have documented processes and are not able to quantify their software assurance?
- So does the guidebook address the challenges found when integrating software assurance into defense systems throughout the system acquisition?
- How do cyber policymakers fit in the team structure?
- Roles obfuscate results. Assurance (noun) means results. How do you quantify guidebook assurance? How was the guidebook assurance level determined?
- Does the guidebook address the software assurance issues raised in the NIST Cyber Physical System framework, version 1.0? https://pages.nist.gov/cpspwg/
- Are you collaborating with other Federal and Defense agencies? Specifically the USAF AFLCMC Cyber Resiliency Office for Weapons Systems (CROWS)?
- How do we get a copy of the draft guidebook?