DOD SOFTWARE ASSURANCE INITIATIVE: Mitigating Risks Attributable to Software through Enhanced Risk Management Joe Jarzombek, PMP Deputy Director for Software.


DOD SOFTWARE ASSURANCE INITIATIVE: Mitigating Risks Attributable to Software through Enhanced Risk Management
Countering Threats that Target Software in Systems and Networks
Joe Jarzombek, PMP, Deputy Director for Software Assurance, Information Assurance Directorate, Office of the Assistant Secretary of Defense (Networks and Information Integration)
DoD Liaison Report to IEEE CS S2ESC, August 10, 2004
UNCLASSIFIED -- FOR OVERVIEW DISCUSSIONS

National Security Requires Software Assurance
Assured software is required to fulfill DoD missions and protect critical infrastructure:
– National capabilities depend on software
– Exploitable vulnerabilities and malicious code place critical capabilities at risk
– In an era of asymmetric warfare, opponents can threaten software-enabled capabilities cheaply and safely
The Federal sector has software assurance responsibilities:
– Software dependency places assurance at the core of national security
– Federal core competencies must be security-focused in acquiring and procuring software

Congressional Direction on Security of Sensitive Software
Congressional direction (FY04 Defense Authorization Conference Report, Security of Sensitive Software): DoD must ensure that the recent emphasis on procurement of COTS software does not open vulnerabilities in sensitive DoD C3I software. DoD must provide IA and protection for all DoD IT assets, including protection against:
– unauthorized modifications to code in mission critical software;
– insertion of malicious code into mission critical software;
– reverse engineering of mission critical software.
Responding to two Congressional sub-committees, GAO Review # "DoD Use of Foreign Sources for Software Development" resulted in the May 2004 GAO report "Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks":
– Addresses outsourcing, foreign development risks, and insertion of malicious code
– Recommends executive actions directing DoD PMs to factor software risks into program management, and directing DoD to factor security into its risk assessments

Defeating the Threat: DoD Protection Initiatives & Programs
[Diagram: DoD protection programs placed along a THREAT ACCESS axis running from "Primarily Hands-On" to "Primarily External": Software Protection Initiative (SPI), Software Assurance (SA), Information Assurance (IA), Anti-Tamper (AT), Trusted Foundry (TF).]
– Together they provide a series of layered defenses to mitigate threats
– Each has its own merits and also provides additional layers of protection through synergies and interactions with the other programs

Software Assurance Initiative (initial focus consistent with DoD & Congressional concerns)
Managed as part of the DoD Information Assurance (IA) Strategy to "Transform & Enable" IA Capabilities.
With oversight provided by the SW Assurance Steering Committee under the IA Senior Leadership, the Initiative is organized into working groups:
– WG1 - Security Process Capability (improvement & evaluation)
– WG2 - Software Product Evaluation (product focused)
– WG3 - Threat Analyses -- Counter Intelligence (CI) Support
– WG4 - Acquisition/Procurement and Industrial Security
– WG5 - User Identification & Prioritization of Protected Assets
The SW Assurance Initiative provides the requisite interfaces with related initiatives:
– DoD Anti-Tamper and Software Protection Initiatives
– Government Information Assurance initiatives
– Interagency & standards groups on security assurance
– Gov't/industry Cyber Security SW development lifecycle task force

Response for Software Assurance
In October 2002, the President's Critical Infrastructure Protection Board (PCIPB) IT Security Study Group (ITSSG) identified security shortfalls in acquisition processes and recommended security improvements.
DoD evaluated the ITSSG report, recommending:
– Integrating an enhanced risk management process into the DoD acquisition processes
– Specifying lifecycle risk mitigation of software vulnerabilities:
  - Threat analysis of suppliers in source selection
  - Security component specification, design, build, and integration
  - Process capabilities (performance improvement and evaluation)
  - Product evaluation tools (test, accreditation and certification)
  - R&D and transitioning of enabling advanced technologies
  - Laws, policies & practices for acquisition/procurement, use and support
– Identifying mechanisms to ensure software product integrity
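The briefing names "mechanisms to ensure software product integrity" and, earlier, the Congressional concern about unauthorized modification and insertion of malicious code, without describing any mechanism. The following is an added illustration, not part of the briefing or of any DoD program: a delivered package is described by a manifest of SHA-256 file digests, and the manifest is authenticated so that a party who alters a file cannot simply regenerate the manifest. The package contents, file names and the key MANIFEST_KEY are constructed for the example; a real program would authenticate the manifest with a digital signature whose private key is held offline, not with a shared HMAC key.

```python
"""Added example (not from the DoD briefing): file-level integrity check of
a delivered software product against an authenticated manifest.
All package contents and the key below are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed sample "release": {path: file bytes}.
RELEASE = {
    "bin/fcs_control": b"\x7fELF... flight control logic (constructed)",
    "lib/nav.so": b"\x7fELF... navigation library (constructed)",
    "conf/limits.cfg": b"max_rate=12\nfailsafe=on\n",
}

# Hypothetical manifest-authentication key (assumption for the example).
# A real deployment would sign the manifest with an offline private key.
MANIFEST_KEY = b"example-key-do-not-use"


def file_digest(data: bytes) -> str:
    """SHA-256 hex digest of one file's contents."""
    return hashlib.sha256(data).hexdigest()


def canonical_body(digests: dict) -> bytes:
    """Deterministic serialization so the tag covers a fixed byte string."""
    return json.dumps(digests, sort_keys=True).encode()


def build_manifest(files: dict) -> dict:
    """Digest every file and authenticate the digest list with an HMAC."""
    digests = {path: file_digest(data) for path, data in files.items()}
    tag = hmac.new(MANIFEST_KEY, canonical_body(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "tag": tag}


def verify_manifest(manifest: dict, files: dict) -> list:
    """Return a list of findings; an empty list means the product is intact.

    Checks, in order: manifest authenticity (so a tampered manifest is rejected
    before any file is trusted), then modified files, missing files, and files
    present in the delivery but absent from the manifest (possible insertion).
    """
    expected = hmac.new(MANIFEST_KEY, canonical_body(manifest["files"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest authentication failed"]
    problems = []
    listed = manifest["files"]
    for path, digest in sorted(listed.items()):
        if path not in files:
            problems.append(f"missing: {path}")
        elif file_digest(files[path]) != digest:
            problems.append(f"modified: {path}")
    for path in sorted(files):
        if path not in listed:
            problems.append(f"unlisted (possible insertion): {path}")
    return problems


def demo() -> dict:
    """Run the check against an intact, a modified, and a re-manifested delivery."""
    manifest = build_manifest(RELEASE)
    intact = verify_manifest(manifest, RELEASE)

    # Unauthorized modification of one library plus a dropped-in extra file.
    tampered = dict(RELEASE)
    tampered["lib/nav.so"] = RELEASE["lib/nav.so"] + b"\x90\x90 extra code"
    tampered["lib/helper.so"] = b"dropped-in file (constructed)"
    modified = verify_manifest(manifest, tampered)

    # Attacker regenerates a matching digest list but, lacking MANIFEST_KEY,
    # can only attach an unkeyed hash as the tag; authentication fails.
    digests = {path: file_digest(data) for path, data in tampered.items()}
    forged = {"files": digests,
              "tag": hashlib.sha256(canonical_body(digests)).hexdigest()}
    forged_result = verify_manifest(forged, tampered)

    return {"intact": intact, "modified": modified, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of checks matters: the tag is verified before any per-file comparison so that an attacker who controls both the files and the manifest gains nothing by making them agree with each other. The check covers only what is delivered; it says nothing about whether the supplier's build itself was trustworthy, which is the question the supplier process capability evaluations and threat assessments elsewhere in this briefing are meant to answer.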

Enhanced Risk Management Process
[Diagram: for Program X, the PMO/O&S Manager makes a threat-informed, security-aware risk management decision. Three security inputs (Threat Assessment, Supplier Security Process Capability Evaluation, Product Security Evaluation) are weighed alongside the traditional cost, schedule and performance factors, within a Defense in Depth posture and subject to oversight.]

Scoping Expectations for Workshops: Software Assurance Forum
Working Group 1, Security Process Capabilities (Process Improvement and Capability Evaluation -- Practice Focused)
Identify criteria/practices to be used in mitigating risks associated with the development/acquisition processes required to deliver secure software:
– Leverage the work of interagency groups that identify best practices for the delivery of secure software/systems
Assistance to PMs in determining the capabilities of suppliers, as part of:
– Source selection activities & contract process monitoring
– Changes in products & services
Needs:
– Safe & secure style guides (language subsets) for programming
– Software-related security development guides
– Software assurance guidelines within High-Assurance Systems Engineering (enterprise-level and total system lifecycle dependability, high-assurance validation and verification)
– SW assurance templates for RFPs (including Sections L & M)

Scoping Expectations for Workshops: Software Assurance Forum
Working Group 1, Security Process Capabilities -- Leveraging Activities
– IEEE CS Software and Systems Engineering Standards Committee (S2ESC) provides oversight of the largest collection of IEEE standards
– Safety & Security Practices for use in evaluating delivery capabilities:
  - Developed as extensions to CMMI & iCMM; can be used stand-alone
  - Practices traceable to 7 source standards
  - Safety & security focus using CMMI & iCMM implementing practices
– ISO/IEC JTC1/SC7 WG9 redefined its terms of reference to software and system assurance (part of the Systems Engineering System Life Cycle Processes); the resulting ISO/IEC standard is to address management of risk and assurance of safety, security, & dependability within the context of system and software life cycles
– NIST Information System Security Project: producing publications on the security of Federal information systems; provides standards for labs conducting software product evaluations
® Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University

Scoping Expectations for Workshops: Software Assurance Forum
Working Group 2, Product Evaluation
– Product diagnostic capabilities
– Role of Executive Agent for High Assurance Software Technology & Evaluation
Working Group 3, Threat Assessment Support
– All-source threat analysis capabilities
– Types of support needed to support government and industry
Working Group 4, Acquisition/Procurement/Industrial Security Policy
– Policies and regulatory guidance for software assurance
– Guidance for using information to support enhanced risk management, from threat assessments, security process capability evaluations, and product security evaluations
Working Group 5, Prioritization of Assets Requiring High Assurance
– Process for specifying DoD "watch list" assets requiring high assurance
– Sample criteria for use by PMO systems engineers in determining which software components require high assurance

Contact Information
Software Assurance Initiative Director: Joe Jarzombek, PMP, Deputy Director for Software Assurance, Information Assurance Directorate, Office of the Assistant Secretary of Defense (Networks and Information Integration)
Business Ph (703) x154; Mobile Cell Ph (703)
Crystal Gateway 3, Suite , Jefferson Davis Highway, Arlington, VA