SwA Initiatives

SwA Initiatives

Software Assurance Initiatives Mr. Thomas Hurt Director, Joint Federated Assurance Center (JFAC), Office of the Under Secretary of Defense for Research & Engineering (OUSD(R&E)) DAU Cybersecurity Acquisition Focus Event California, MD | May 14, 2019 Distribution Statement A: Approved for public release. Distribution is unlimited. Department of Defense Security Spending 84% of breaches exploit the vulnerabilities in the application, yet funding for IT defense vs. software assurance is 23 to 1. DAU Cybersecurity Acquisition Focus Event May 2019 Distribution Statement A: Approved for public release. Distribution is unlimited. 2 Who Fixes the Most Vulnerabilities? DAU Cybersecurity Acquisition Focus Event May 2019 Source: Veracode, used with permission: Distribution Statement A: Approved for public release. Distribution is unlimited. https://www.veracode.com/blog/2015/07/what-state-software-security-2015. 3

Contest: Need for Engineering-in Software Assurance Activities over the Software Development Life Cycle (SDLC) Where Software Flaws Are Introduced 70% Requirements System Engineering Design 20% Software Architectural Design 3.5% Component Software Design 10% Code Unit Integration Development Test 16% System Acceptance Test Test

50.5% 9% Operation 21% Where Software Flaws Are Found Improved focus on engineering-in software assurance activities needed on the front end of the SDLC Source: Carnegie Mellon University, Software Engineering Institute (Critical Code; NIST, NASA, INCOSE, and Aircraft Industry Studies), used with permission. DAU Cybersecurity Acquisition Focus Event May 2019 Distribution Statement A: Approved for public release. Distribution is unlimited. 4 Tools Throughout the System Life Cycle (Especially Sustainment) Requirements Authority Review Development RFP Release Decision Point A MDD Materiel

Solution Analysis B Technology Maturation & Risk Reduction ASR Full Rate Production Decision Review SSR SFR PDR C Engineering & Manufacturing Development CDR TRR Production & Deployment SVR

OTRR IOT&E Operations & Support IOC FOC Architecture and Design Analysis Tools Origin Analyzers Source Code Weakness Analyzers Binary/Bytecode Analyzers Dynamic Analysis tools With the integration and automation of software assurance tools throughout the system life cycle, programs can make informed decisions on the identification and mitigation of risk. DAU Cybersecurity Acquisition Focus Event May 2019 Distribution Statement A: Approved for public release. Distribution is unlimited. 5 Sound Systems Engineering MIL-STD- 1553

System Concept Engine Control SW Engine Monitoring SW Control Panel New System Tactical Use Threads How will a component actually be used? Engine Control SW (ECS) provides needed metrics Input: Engine performance data; Output: Needed alerts/response Read/write capabilities to data bus do needed functions DAU Cybersecurity Acquisition Focus Event May 2019 Bus Controller System Requirements What will my system do? What is required to make

my mission successful? Engine functionality will be controlled by ECS ECS has no known vulnerabilities Mission Threads Engine Monitoring System will monitor engine performance Performance issues will be transmitted by data bus to control panel Distribution Statement A: Approved for public release. Distribution is unlimited. Monitoring SW cannot be exploited to access ESC or data bus Secure Design/Architecture considerations for Data bus communication 6 JFAC Program Support Activities Processes Ticket and Response Coordination Software Assurance License Procurement and Distribution

FOC Planning and Execution Working Groups Action Officer Working Group Software Assurance Technical Working Group SwA Portal content sub-group Hardware Assurance Technical Working Group Standards and best practice, field-programmable gate array (FPGA), supply chain risk management (SCRM), Technical Assessment, ASSESS and EDA assurance sub-groups Applications JFAC Portal Assurance Knowledge Base (AKB) Cyber Integrator Products Defense Acquisition University Software Assurance Course (CLE 081) Security Classification Guide SwA Contract Language Guidance State-of-the-Art Resource (SOAR) for Software Vulnerability Detection DAU Cybersecurity Acquisition Focus Event May 2019 JFAC Operational Structure Distribution Statement A: Approved for public release. Distribution is unlimited. 7 JFAC Assurance Knowledge Base

Support for Sound Systems Engineering Development Artifacts Assurance assessments SwA tool findings Vulnerability prioritization (consequence and likelihood) Deployed assurance countermeasure rationale Mitigations Regression test results AKB Transition to Sustainment Latent vulnerabilities and characteristics Mitigated vulnerabilities Decisions and rationale Vulnerability test results Bill of materials (BoM) Chain of custody Metadata collected through the identification of tactical threads, mission threads, and systems requirements throughout development is critical to sustainment of software. DAU Cybersecurity Acquisition Focus Event May 2019 Distribution Statement A: Approved for public release. Distribution is unlimited.

8 Is the Future Sustainable? New Features/Components Added continuously Components Everything is interconnected or networked (Internet of Things (IoT) Technology continues to advance (methods of attack) The addition of new components, changes to the network, and advancement of adversary technology creates a continuous cycle of redesign and patching to protect against unwanted access. DAU Cybersecurity Acquisition Focus Event May 2019 Distribution Statement A: Approved for public release. Distribution is unlimited. 9 Last Thoughts Latent software vulnerabilities identified or exploited in sustainment are exponentially more expensive to fix. Acquisition of source code and documentation in the data rights package are expensive and ineffective steps for legacy DoD programs. Logistical data needs must be included in the development Request for Proposals (RFP). Sound systems engineering, implementation of SwA countermeasures, and transition of assurance rational into sustainment is critical to the protection of our weapons systems. JFAC needs your advocacy for development programs to use the AKB to store and retain assessment data collected throughout development, test, and deployment for use in

sustainment. Select JFAC assessment data retention uses: Vulnerability and mitigation rationale retention throughout the life cycle Data mining (tracking, trending, intel, etc.) Chain of custody Bill of materials https://jfac.navy.mil DAU Cybersecurity Acquisition Focus Event May 2019 Distribution Statement A: Approved for public release. Distribution is unlimited. 10 DoD Research and Engineering Enterprise Solving Problems Today Designing Solutions for Tomorrow DoD Research and Engineering Enterprise Defense Innovation Marketplace Twitter https://www.CTO.mil https://defenseinnovationmarketplace.dtic.mil @DoDCTO DAU Cybersecurity Acquisition Focus Event

May 2019 Distribution Statement A: Approved for public release. Distribution is unlimited. 11 For Additional Information Mr. Tom Hurt Director, JFAC / Deputy Director, Software Assurance Strategic Technology Protection and Exploitation Office of the Under Secretary of Defense for Research and Engineering 571-372-6129 [email protected] DAU Cybersecurity Acquisition Focus Event May 2019 Distribution Statement A: Approved for public release. Distribution is unlimited. 12 Engineering Software Assurance into the Life Cycle DAU Cybersecurity Acquisition Focus Event May 2019 Distribution Statement A: Approved for public release. Distribution is unlimited. 13

JFAC Service Provider Capabilities Software and Hardware Assurance (SwA and HwA) Requirements Support: Identification of applicable SwA and HwA requirements from policy, standards, instructions, and guidance Knowledge Source: Identification of applicable SwA and HwA assessments and attack information from the AKB Subject Matter Experts (SMEs): System security engineering (SSE) support during lifecycle, e.g., secure architecture & design, criticality analysis techniques, supply chain assurance (SCRM), SETR criteria, sustainment support, etc. and HwA Program Protection Plan (PPP) & SSE Planning: Assistance with PPP development and the planning of SSE activities and countermeasures, to include SwA and HwA Engineering assurance Into the lifecycle

Contract Assistance: Assist programs with the development of SwA and HwA contract language for RFPs and CDRLs Third Party Assessment: Assistance in program evaluation and risk assessments, including bitstream analysis, hardware functional verification, static source code analysis, dynamic binary analysis, static binary analysis, web application analysis, database analysis, and mobile application analysis DAU Cybersecurity Acquisition Focus Event May 2019 Metrics Assistance: Assist programs with the identification, benchmarking, and collection of SwA and HwA related metrics (contract, progress, TPMs, ) Distribution Statement A: Approved for public release. Distribution is unlimited. 14 Joint Federated Assurance Center (JFAC) Capabilities PROMO TE PROTE CT Protecting force lethality and increasing

resilience through software and hardware assurance Assured Design Methods Binary Software Analysis Physical/Functional Verification IC Component Markers Source Code Analysis Supply Chain Assessments Technology/Prototype Development and Transitions https://jfac.navy.mil PARTNE R laboratory capability of expertise and tools for vulnerability detection and analysis Federated Support program offices with software and hardware assurance expertise and capabilities Stakeholders - Army, Navy, Air Force, National Security Agency (NSA), Defense MicroElectronics Activity (DMEA), OUSD(R&E), DoD CIO, Defense Information Systems Agency (DISA), National Reconnaissance Office (NRO), Missile Defense Agency (MDA), OUSD(A&S) DAU Cybersecurity Acquisition Focus Event May 2019 Distribution Statement A: Approved for public release. Distribution is unlimited. 15

Recently Viewed Presentations

  • Mitosis/Meiosis - Weebly

    Mitosis/Meiosis - Weebly

    Exit Quiz 10 MIN. Home Learning. Summarize the processes of mitosis and meiosis in your own words. Write at least 3 sentences for EACH process. For example: "In mitosis, first the cell prepares for division. The nuclear membrane breaks apart...
  • Out of Hours Care: Empowerment at a Local

    Out of Hours Care: Empowerment at a Local

    Key areas in the Department's Review General Practice Out-of-Hours Services: project to consider and assess current arrangements (February 2010) David Colin-Thomé, DH & Steve Field, RCGP Key issues raised by the CQC's Review Investigation into the out of hours services...
  • Web-based Control Interface For a model train control system

    Web-based Control Interface For a model train control system

    Web-based Control Interface For a model train control system By: Kevin Sendra Presentation Outline Overview of the Project Standards Project Description Work Completed Equipment List Schedule for Work Remaining Project Overview Add-on to the Local Control System Allows control from...
  • Introduction to Advanced Computing Platforms for Data Analysis

    Introduction to Advanced Computing Platforms for Data Analysis

    Hadoop In Action, Chuck Lam, Manning Data-Intensive Text Processing with MapReduce, Jimmy Lin and Chris Dyer ( www.umiacs.umd.edu /~ jimmylin/ MapReduce -book-final.pdf) Many Online Tutorials and Papers
  • Melaleuca Melaleuca alternifolia dTERRA University dTERRA Product Tools

    Melaleuca Melaleuca alternifolia dTERRA University dTERRA Product Tools

    dōTERRA® Product Tools. dōTERRA® Product Tools. dōTERRA® University. Sensitive. Internal Usage Suggestions - Add to a drink or veggie cap for healthy immune system support*
  • Impact of Antibiotic Use in Animal Agriculture and

    Impact of Antibiotic Use in Animal Agriculture and

    BTM: 37/48 =77%. QMS: 93/115 = 81% . NO MRSA strain isolated from Pennsylvania dairy herds . Jayarao, unpublished 2015. Prevalence of fecal shedding in adult cattle-110 cow free stall barn. Bedded on sand. Vaccine intervention. Water and feed hygiene...
  • NOTAN

    NOTAN

    The principle of Notan as it relates to art is defined as the interaction between positive (light) and negative (dark) space. notan. The theory behind Notan is: positive and negative areas should complement one another. They must coexist without one...
  • SOME MEN SUCCEED BECAUSE THEY ARE DESTINED TO,

    SOME MEN SUCCEED BECAUSE THEY ARE DESTINED TO,

    Decreased oxygen delivery. Anaerobic metabolism. Decreased ATP production. Lactic acid formation. Failure of Na+/K+ pump *Accumulation of Na+ in cell. Cellular swelling AND organelle swelling