DOD SOFTWARE ASSURANCE INITIATIVE: Mitigating Risks Attributable to Software through Enhanced Risk Management

Joe Jarzombek, PMP
Deputy Director for Software Assurance
Information Assurance Directorate
Office of the Assistant Secretary of Defense (Networks and Information Integration)

UNCLASSIFIED -- FOR OVERVIEW DISCUSSIONS

Countering Threats that Target Software in Systems and Networks

August 10, 2004

DoD Liaison Report to IEEE CS S2ESC

National Security Requires Software Assurance

• Assured Software is required to fulfill DoD missions and protect critical infrastructure
  – National capabilities dependent on software
  – Exploitable vulnerabilities and malicious code place critical capabilities at risk
  – In era of asymmetric warfare, opponents can threaten software-enabled capabilities cheaply and safely

• Federal Sector has software assurance responsibilities
  – Software dependency places assurance at core of national security
  – Federal core competencies must be security-focused in acquiring and procuring software

Congressional Direction on Security of Sensitive Software

Congressional direction: FY04 Defense Authorization Conference Report 108-354, Security of Sensitive Software:

• DoD must ensure that recent emphasis on procurement of COTS software will not open vulnerabilities in sensitive DoD C3I software

• DoD must provide IA and protection for all DoD IT assets, including protection against:
  – unauthorized modifications to code in mission critical software;
  – insertion of malicious code into mission critical software;
  – reverse engineering of mission critical software.

Responding to 2 Congressional Sub-Committees, GAO Review #120221 “DoD Use of Foreign Sources for Software Development” resulted in May 2004 GAO-04-678 “Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks”:
  – Outsourcing, foreign development risks & insertion of malicious code
  – Recommendations for Executive Actions to direct DoD PMs to factor in software risks and for DoD to factor in security in risk assessments

Defeating the Threat: DoD Protection Initiatives & Programs

[Figure: DoD protection initiatives and programs arranged along a THREAT ACCESS axis running from “Primarily Hands-On” to “Primarily External”: Software Protection Initiative (SPI), Software Assurance (SA), Information Assurance (IA), Anti-Tamper (AT), Trusted Foundry (TF)]

• Provide a series of layered defenses to mitigate threats

• Each has its own merits and also provides additional layers of protection through synergies and interactions with other programs.

Software Assurance Initiative (initial focus consistent with DoD & Congressional concerns)

Managed as part of the DoD Information Assurance (IA) Strategy to “Transform & Enable” IA Capabilities

With oversight provided by the SW Assurance Steering Committee under the IA Senior Leadership, the Initiative is organized into working groups:

– WG1 - Security Process Capability (improvement & evaluation)
– WG2 - Software Product Evaluation (product focused)
– WG3 - Threat Analyses -- Counter Intelligence (CI) Support
– WG4 - Acquisition/Procurement and Industrial Security
– WG5 - User Identification & Prioritization of Protected Assets

The SW Assurance Initiative provides requisite interfaces with related initiatives:

– DoD Anti-Tamper and Software Protection Initiatives
– Government Information Assurance initiatives
– Interagency & Standards Groups on Security Assurance
– Gov’t/industry Cyber Security SW development lifecycle task force

Response for Software Assurance

• In October 2002, the President’s Critical Infrastructure Protection Board (PCIPB) IT Security Study Group (ITSSG) identified security shortfalls in acquisition processes and recommended security improvements

• DoD evaluated the ITSSG report, recommending:
  – Integrating an enhanced risk management process into the DoD acquisition processes
  – Specifying lifecycle risk mitigation of software vulnerabilities:
    • Threat analysis of suppliers in source selection
    • Security component specification, design, build, and integration
    • Process capabilities (performance improvement and evaluation)
    • Product evaluation tools (test, accreditation and certification)
    • R&D and transitioning of enabling advanced technologies
    • Laws, policies & practices for acquisition/procurement, use and support
  – Identifying mechanisms to ensure software product integrity

Enhanced Risk Management Process

[Figure: diagram of the Enhanced Risk Management Process. Three information sources (Threat Assessment; Supplier Security Process Capability Evaluation; Product Security Evaluation), together with Oversight, feed the Program X PMO/O&S Manager’s Threat-Informed / Security-Aware Risk Management Decision, which balances Cost, Schedule and Performance and applies Defense in Depth]

Scoping Expectations for Workshops: Software Assurance Forum

Working Group 1, Security Process Capabilities (Process Improvement and Capability Evaluation -- Practice Focused)

• Identify criteria/practices to be used in mitigating risks associated with development/acquisition processes required to deliver secure software
  – Leverage work of interagency groups that identify best practices for the delivery of secure software/systems

• Assistance to PMs in determining capabilities of suppliers, as part of:
  – Source selection activities & contract process monitoring
  – Changes in products & services

• Need for:
  – Safe & secure style guides (language sub-sets) for programming
  – Software-related security development guides
  – Software assurance guidelines within High-Assurance Systems Engineering
    • enterprise-level and total system lifecycle dependability
    • high-assurance validation and verification

• Need for SW Assurance templates for RFPs (including Sections L & M)

Scoping Expectations for Workshops: Software Assurance Forum

Working Group 1, Security Process Capabilities -- Leveraging Activities

– IEEE CS Software and Systems Engineering Standards Committee (S2ESC) provides oversight of the largest collection of IEEE standards

– Safety & Security Practices for use in evaluating delivery capabilities
  • Developed as extensions to CMMI & iCMM; can be used ‘stand-alone’
  • Practices traceable to 7 source standards
  • Safety & security focus using CMMI & iCMM implementing practices

– ISO/IEC JTC1/SC7 WG9
  • Redefined its terms of reference to software and system assurance (part of Systems Engineering System Life Cycle Processes)
  • ISO/IEC 15026 to address management of risk and assurance of safety, security, & dependability within the context of system and software life cycles

– NIST Information System Security Project
  • Producing publications on security of Federal Information Systems
  • Provides standards for labs conducting software product evaluations

® Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University

Scoping Expectations for Workshops: Software Assurance Forum

Working Group 2, Product Evaluation
• Product Diagnostic Capabilities
• Role of Executive Agent for High Assurance Software Technology & Evaluation

Working Group 3, Threat Assessment Support
• All-Source Threat Analyses Capabilities
• Types of support needed by government and industry

Working Group 4, Acquisition/Procurement/Industrial Security Policy
• Policies and regulatory guidance for software assurance
• Guidance for using information to support enhanced risk management, from:
  – Threat assessments,
  – Security process capability evaluations, and
  – Product security evaluations

Working Group 5, Prioritization of Assets Requiring High Assurance
• Process for specifying DoD ‘watch list’ assets requiring high assurance
• Sample criteria for use by PMO Systems Engineers for determining software components that require high assurance

Contact Information

Software Assurance Initiative Director
Joe Jarzombek, PMP
Deputy Director for Software Assurance
Information Assurance Directorate
Office of the Assistant Secretary of Defense (Networks and Information Integration)

Business Ph (703) 604-1489 x154
Mobile Cell Ph (703) 627-4644

[email protected]

Crystal Gateway 3, Suite 1101
1215 Jefferson Davis Highway
Arlington, VA 22202-4302