DOD SOFTWARE ASSURANCE INITIATIVE:Mitigating Risks Attributable to Software
through Enhanced Risk Management
Joe Jarzombek, PMP
Deputy Director for Software Assurance, Information Assurance Directorate
Office of the Assistant Secretary of Defense (Networks and Information Integration)
UNCLASSIFIED -- FOR OVERVIEW DISCUSSIONS
Countering Threats that Target Software in Systems and Networks
August 10, 2004
DoD Liaison Report to IEEE CS S2ESC
National Security Requires Software Assurance
• Assured Software is required to fulfill DoD missions and protect critical infrastructure
  – National capabilities dependent on software
  – Exploitable vulnerabilities and malicious code place critical capabilities at risk
  – In era of asymmetric warfare, opponents can threaten software-enabled capabilities cheaply and safely
• Federal Sector has software assurance responsibilities
  – Software dependency places assurance at core of national security
  – Federal core competencies must be security-focused in acquiring and procuring software
Congressional Direction on Security of Sensitive Software
Congressional direction: FY04 Def Authorization Conf Report 108-354, Security of Sensitive Software --
• DOD must ensure that recent emphasis on procurement of COTS software will not open vulnerabilities in sensitive DOD C3I software
• DoD must provide IA and protection for all DOD IT assets, including:
  – unauthorized modifications to code in mission critical software;
  – insertion of malicious code into mission critical software;
  – reverse engineering of mission critical software.
Responding to 2 Congressional Sub-Committees, GAO Review #120221 “DoD Use of Foreign Sources for Software Development” resulted in May 2004 GAO-04-678 “Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks”
  – Outsourcing, foreign development risks & insertion of malicious code
  – Recommendations for Executive Actions to direct DoD PMs to factor in software risks and for DoD to factor in security in risk assessments
Defeating the Threat: DoD Protection Initiatives & Programs
[Figure: programs arranged along a THREAT ACCESS axis running from Primarily Hands-On to Primarily External]
• Software Protection Initiative (SPI)
• Software Assurance (SA)
• Information Assurance (IA)
• Anti-Tamper (AT)
• Trusted Foundry (TF)
These provide a series of layered defenses to mitigate threats.
Each has its own merits and also provides additional layers of protection through synergies and interactions with the other programs.
Software Assurance Initiative (initial focus consistent with DoD & Congressional concerns)
Managed as part of the DoD Information Assurance (IA) Strategy to “Transform & Enable” IA Capabilities
With oversight provided by SW Assurance Steering Committee under the IA Senior Leadership, the Initiative is organized into working groups:
– WG1 - Security Process Capability (improvement & evaluation),
– WG2 - Software Product Evaluation (product focused),
– WG3 - Threat Analyses -- Counter Intelligence (CI) Support,
– WG4 - Acquisition/Procurement and Industrial Security, and
– WG5 - User Identification & Prioritization of Protected Assets
SW Assurance Initiative provides requisite interfaces with related initiatives:
– DoD Anti-tamper and Software Protection Initiatives
– Government Information Assurance initiatives
– Interagency & Standards Groups on Security Assurance
– Gov’t/industry Cyber Security SW development lifecycle task force
Response for Software Assurance
• October 2002, the President’s Critical Infrastructure Protection Board (PCIPB) IT Security Study Group (ITSSG) identified security shortfalls in acquisition processes and recommended security improvements
• DoD evaluated the ITSSG report, recommending:
  – Integrating an enhanced risk management process into the DoD acquisition processes
  – Specifying lifecycle risk mitigation of software vulnerabilities:
    • Threat analysis of suppliers in source selection
    • Security component specification, design, build, and integration
    • Process capabilities (performance improvement and evaluation)
    • Product evaluation tools (test, accreditation and certification)
    • R&D and transitioning of enabling advanced technologies
    • Laws, policies & practices for acq/procurement, use and support
  – Identifying mechanisms to ensure software product integrity
Enhanced Risk Management Process
[Figure: Enhanced Risk Management Process. Labels: Program X PMO/O&S Manager; Oversight; Product Security Evaluation; Threat Assessment; Supplier Security Process Capability Evaluation; Defense in Depth; Threat-Informed/Security-Aware Risk Management Decision; Cost, Schedule, Performance]
Scoping Expectations for Workshops: Software Assurance Forum
Working Group 1, Security Process Capabilities (Process Improvement and Capability Evaluation -- Practice Focused)
• Identify criteria/practices to be used in mitigating risks associated with development/acquisition processes required to deliver secure software
  – Leverage work of interagency groups that identify best practices for the delivery of secure software/systems
• Assistance to PMs in determining capabilities of suppliers, part of:
  – Source selection activities & contract process monitoring
  – Changes in products & services
• Need for:
  – Safe & secure style guides (language sub-sets) for programming
  – Software-related security development guides
  – Software assurance guidelines within High-Assurance Systems Engineering
    • enterprise-level and total system lifecycle dependability,
    • high-assurance validation and verification
• Need for SW Assurance templates for RFPs (including Section L & M)
Scoping Expectations for Workshops: Software Assurance Forum
Working Group 1, Security Process Capabilities -- Leveraging Activities
– IEEE CS Software and Systems Engineering Standards Committee (S2ESC) provides oversight of largest collection of IEEE standards
– Safety & Security Practices for use in evaluating delivery capabilities
  • Developed as extensions to CMMI & iCMM; can be used ‘stand-alone’
  • Practices traceable to 7 source standards
  • Safety & security focus using CMMI & iCMM implementing practices
– ISO/IEC JTC1/SC7 WG9
  • Redefined its terms of reference to software and system assurance (part of Systems Engineering System Life Cycle Processes)
  • ISO/IEC 15026 to address management of risk and assurance of safety, security, & dependability within context of system and software life cycles
– NIST Information System Security Project
  • Producing publications on security of Federal Information System
  • Provides standards for labs conducting software product evaluations
® Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University
Scoping Expectations for Workshops: Software Assurance Forum
Working Group 2, Product Evaluation
• Product Diagnostic Capabilities
• Role of Executive Agent for High Assurance Software Technology & Evaluation
Working Group 3, Threat Assessment Support
• All-Source Threat Analyses Capabilities
• Types of support needed to support government and industry
Working Group 4, Acquisition/Procurement/Industrial Security Policy
• Policies and regulatory guidance for software assurance
• Guidance for using information to support enhanced risk management, from:
  – Threat assessments,
  – Security process capability evaluations, and
  – Product security evaluations
Working Group 5, Prioritization of Assets Requiring High Assurance
• Process for specifying DoD ‘watch list’ assets requiring high assurance
• Sample criteria for use by PMO Systems Engineers for determining software components that require high assurance
Contact Information
Software Assurance Initiative Director
Joe Jarzombek, PMP
Deputy Director for Software Assurance, Information Assurance Directorate
Office of the Assistant Secretary of Defense (Networks and Information Integration)
Business Ph (703) 604-1489 x154
Mobile Cell Ph (703) 627-4644
Crystal Gateway 3, Suite 1101, 1215 Jefferson Davis Highway, Arlington, VA 22202-4302