In this article, we discuss the development and transition of the Software Engineering Institute’s (SEI’s) Software Assurance Curriculum. The Master of Software Assurance Reference Curriculum, developed under U.S. Department of Homeland Security (DHS) sponsorship, was endorsed by the Association for Computing Machinery (ACM) and IEEE Computer Society.
Topic: Operational Technology (OT)
“Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise” (Gartner, n.d.). Additionally, this is “often comprised of closed systems warranted by system vendors only as long as customers configure and deploy systems using their rigid specifications. By in large, these system vendors focus on system availability rather than security, to the detriment of good security best practices. Vendor support staff can view security controls as inhibitors to effective operations” (National Grid, n.d.).
Gartner. Gartner IT Glossary (Operational Technology). Retrieved 18 Sep 17 from http://www.gartner.com/it-glossary/operational-technology-ot/
National Grid. (n.d.). “Digital Risk and Security. “Response to NIST: Developing a Framework to Improve Critical Infrastructure Security.” Retrieved 18 Sep 17 from http://csrc.nist.gov/cyberframework/rfi_comments/040813_national_grid.pdf
Over the last 30 years, the DoD has struggled to adapt to the ever-changing world of software development. Of these many struggles, implementing Agile software development and practicing systems security engineering are two struggles that continue to plague the DoD. In an attempt to overcome both of these hurdles, this paper presents a Software Assurance
Software is inherent in today’s complex systems and is often the primary cost, schedule, and technical performance driver in Department of Defense (DoD) programs. For DoD mission critical systems, the associated software size, complexity, interdependencies, reliance-on for mission and safety critical functionality, and software assurance (high quality and
The ability for commanders to know and understand an organizational attack surface, its vulnerabilities, and associated risks is a fundamental aspect of command decision-making. In the cyberspace domain, ongoing monitoring sufficient to ensure and assure effectiveness of security controls related to systems, networks, and cyberspace, by assessing security
Cyber Physical Systems (CPSs) are electronic control systems that control physical machines such as motors and valves in an industrial plant. In a networked environment, the security of the physical machines depends on the security of the electronic control systems, but cybersecurity is not typically the main design concern. The main concern for CPSs is the
The U.S. Army Research Laboratory (ARL) received the first salvos in the battle for cybersecurity as early as three decades ago. In terms of technology history, it was an astonishingly long time ago. Before most people ever heard of the Internet. Before there were web browsers. Long before the smartphones. Back in 1986, the laboratory withstood attacks by
Senior leaders within DoD, Congress, and industry have grappled for many years with the inability of the Department of Defense’s (DoD) acquisition processes to deliver timely and effective information technology (IT) solutions. The problems are well documented in a number of studies and reports. [Ref 1, 2, 3, 4] Common conclusions of these studies are
Our discussion of technical best practices for the software development of safety-critical (SC) systems has four parts. First, we set the context by addressing the questions "What are SC systems and why is their development challenging?" The eight technical best practices for SC systems follow. We then briefly address how an organization can prepare for and
The advent and evolution of the Smart Grid initiative to improve the electric utility power infrastructure has brought with it a number of opportunities for improving efficiencies, but along with those benefits come challenges in the effort to assure safety, security, and reliability for utilities and consumers alike. One of the considerations in designing
Schedule slippage is an unfortunate reality for many large development programs. The Australian Defence Materiel Organisation Schedule Compliance Risk Assessment Methodology (SCRAM) provides a framework for identifying and communicating the root causes of schedule slippage and recommendations for going forward to Program and Executive-level management. It is