Software assurance acquisition process

Recognize the benefits of applying Capability Maturity Model Integrated (CMMI) concepts and principles to a DoD SW development project. As part of the Department of Homeland Security (DHS) and Department of Defense (DoD) SwA initiative, a working group developed a guide, Software Assurance in Acquisition. Security-aware acquisition, Software Engineering Institute. These practices have been standardized since 1995 7. Engage effectively with all organizations within the software and acquisition communities. You should retain detailed knowledge of cybersecurity and mission assurance in the acquisition process. The Defense Acquisition Guidebook (DAG), Chapter 9, provides guidance for the system security. Acquiring and enforcing the government's rights in technical data and computer software under Department of Defense contracts. This topic discusses guidance for projects implementing those requirements in NPR 7150. Software assurance (SwA) is the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the life cycle. Special sections are devoted to assurance in software sustainment and software acquisition.

The main objective of software assurance is to ensure that the processes. Software assurance (SwA) is the justified confidence that the software functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the lifecycle. Best Practices for Software Assurance in the Acquisition Life Cycle, Paul R. The process of building confidence in the security posture of cyber systems is a knowledge-intensive process. You can use the SAF to assess your security-aware acquisition practices and chart a course for improvement, reducing the cybersecurity risk of your deployed software. A4 determination of software assurance level of effort 44 as software assurance classification report template 46 appendix acquirer software assurance plan template 48 outline appendix requirements compliance matrix 51 figures and tables figure ai software assurance classification assessment process 31 table example of tailoring for software. Software assurance in the DoD acquisition life cycle. Software assurance (SwA) is defined as the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner.

Software assurance: a strategic initiative of the U. Software Assurance is only available through volume licensing and is purchased when you buy or renew a volume licensing agreement. Three pilots of the CERT Software Assurance Framework. Software Assurance is available to organizations that support as few as five devices. During sustainment, once products are in use, they should be monitored, and the evolving threats should be modeled. Second, the paper proposes that software acquisition can be a source of competitive advantage, arguing that in. The Road to Successful ITS Software Acquisition, Volume II. Software Assurance in Acquisition and Contract Language 1. Software Assurance (SwA) Pocket Guide Resources: this is a resource for getting started in selecting and adopting relevant practices for delivering secure software. Reducing risks in the software acquisition life cycle. Software assurance, SEI Digital Library, Carnegie Mellon University.

Software acquisition is a special case in which most or all of the. Performing organization name and address: Mitretek Systems, 600 Maryland Ave SW, Ste 755, Washington, DC 20024 10. Croll, 12th Annual NDIA Systems Engineering Conference, 29. Software acquisition, Adaptive Acquisition Framework. To that end, acquisition officials involved in the purchase of software services or products have.

Software assurance refers to the justified confidence that software functions as intended and is free of vulnerabilities throughout the product lifecycle. In an attempt to overcome both of these hurdles, this paper presents a software assurance approach that is tightly woven into the agile software development lifecycle and emphasizes the benefits that agile development best practices can have on the security posture of a software system. The main objective of software assurance is to ensure that the processes, procedures, and products used to produce. A recent Chief Information Office (CIO) Executive Council poll indicated that the top two most important attributes of software are reliable software that functions as promised and software free from security vulnerabilities and malicious code. It provides a master schedule for research, development. The guidance and recommendations are given in a system assurance process view on top of ISO/IEC/IEEE 15288 and a software assurance process view on top of ISO/IEC/IEEE 12207. Software assurance methods, additional guidance in PPP outline and guidance: development process, apply assurance activities to the procedures and structure imposed on software development; operational system, implement countermeasures to the design and acquisition of end-item software products and their interfaces; development environment. The main objective of software assurance is to ensure that the processes, procedures, and products used to produce and sustain the software conform to all. The DoD Risk Management Framework (RMF) describes the DoD process for identifying, implementing, assessing, and managing cybersecurity capabilities and services, expressed as security controls, and authorizing the operation of information systems (IS) and. ISA 201 Intermediate Information Systems Acquisition.

The OMG software assurance ecosystem approach focuses on what knowledge is needed and how it is described, collected and exchanged in order to build confidence. Software assurance in acquisition and contract language. Cyber impact on defense acquisition 1. Cybersecurity is a requirement for all DoD programs and must be fully considered and implemented in all aspects of acquisition programs across the life cycle. Applies knowledge of data, information, processes, organizational interactions, skills, and analytical expertise, as well as systems, networks, and information exchange capabilities to manage acquisition programs. The defense acquisition process, as provided in DoDI 5000. A comprehensive program that includes a unique set of technologies, services, and rights to help deploy, manage, and use Microsoft products efficiently, Software Assurance helps keep your business up to date and ready to respond quickly to change and opportunity. This article presents the standard process for acquiring software products and services in business. The main objective of software assurance is to ensure that the processes, procedures, and products used to produce and. Software assurance is defined as the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in an intended manner. The objective of NASA software assurance and software safety is to ensure that the processes. The acquisition process can be leveraged to achieve these important attributes.

The agreement processes consist of the acquisition process used by acquiring. Software assurance (SwA) is defined as the level of confidence that software is free from. Engineering software assurance into weapons systems during the. Do not require government contract quality assurance at source for contracts or delivery orders valued at or below the simplified acquisition threshold unless the criteria at 246. The software assurance process is the planned and systematic set of activities that. It is based on the recommendations of the agreement processes specified by the IEEE 12207 standard. This document provides guidance and recommendations for assurance of a selected claim about the system-of-interest by achieving the claim and showing the achievement. Chair, NDIA Software Industry Experts Panel; industry co-chair, NDIA Systems Assurance Committee. Software assurance (SwA) relates to the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software.

Software Assurance benefits help you take full advantage of your investments in IT. There are 5 levels of maturity defined by the model as follows. DoD needs to require performance of software assurance. Software Assurance Framework (SAF): the SAF, a working prototype, is a collection of cybersecurity practices that you can apply across the acquisition lifecycle and supply chain. The areas in the SEI Software Assurance Competency Model cover the entire software and system assurance process. Software assurance (SwA) is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner. By partnering with the private sector, academia, and other federal departments and agencies, the program seeks to influence improvements in software development, quality assurance, and acquisition processes that will lead to producing higher quality, more secure software. Acquisition Decision Memorandum (ADM), Full Rate Production (FRP) template v1. A business and technical management approach designed to achieve program objectives within the resource constraints imposed. Program/project management and acquisition national. Software acquisition planned processes have rigor appropriate to the project's risk posture and conditions 1. According to the DoD Software Assurance Community of Practice (CoP), 3 more than 80 percent of cybersecurity exploits take advantage of weak or vulnerable. Engineering software assurance into weapons systems during.

Software assurance in the agile software development lifecycle. Software and information assurance, software assurance. The key objective of the software assurance program is to shift the security paradigm from patch management. The acquisition process can be leveraged to achieve these. Information assurance, test and evaluation, safety, security, project management, and software acquisition. In the context of this definition of software assurance, the remainder of this post will detail seven principles that will help security and software professionals create a comprehensive lifecycle process for system and software security. Software Assurance benefits, Microsoft Volume Licensing.

Software acquisition planning guidelines 3, acquisition strategy. The model follows the same architecture as the Capability Maturity Model for Software (SW-CMM), but with a unique emphasis on acquisition issues and the needs of individuals and groups who are planning and managing software acquisition efforts. Executes duties governing hardware, software, and information system acquisition programs and other program management policies. Software assurance, software assurance, LinkedIn SlideShare. Given several process-focused and product-focused software quality assurance methods, describe how each assures quality in a software acquisition. Building security into the business acquisition process, CISA. This standard presents the commonly accepted practices for ensuring a well-defined and persistent assurance process for acquired software. Agile software development in defense acquisition a. Department of Homeland Security to promote integrity, security, and reliability in software: collaboratively advancing strategies to mitigate software supply chain risks, 30 July 2009, Joe Jarzombek, PMP, CSSLP, Director for Software Assurance, National Cyber Security Division, Office of. The main objective of software assurance is to ensure that the processes, procedures, and products used to produce and sustain the software conform to all requirements and standards specified to govern those processes, procedures, and products. As part of the Software Assurance (SwA) Pocket Guide series, this resource. Microsoft Volume Licensing, Microsoft Software Assurance. Santhanam say, in a typical commercial development organization, the cost of providing this assurance via appropriate debugging, testing, and verification activities can easily range from 50 to 75 percent of the total development cost. This guidance is intended for all persons responsible for the software acquisition process, from the planning stages through contract closeout.

Estimate the cost of each applicable software assurance activity and the risk reduction it would provide 1. It is the framework for planning, directing, contracting for, and managing a program. It is included with some agreements and is an optional purchase with others. System assurance process: an overview, ScienceDirect Topics. The automated build scripts and test results shall be available to government testers, so they can reuse/recreate any test artifact.

Three pilots of the CERT Software Assurance Framework, May 8, 2017, SEI Blog. Software assurance (SwA) is the justified confidence that the software. Defense Acquisition Guidebook, Chapter 9, Program Protection. Department of Defense (DoD) and Department of Homeland. What are the various phases of the software assurance acquisition. While free of vulnerabilities is the ideal, in practice the objective is to manage the risk associated with vulnerabilities. Of these many struggles, implementing agile software development and practicing systems security engineering are two struggles that continue to plague the DoD. Mission assurance is development process-neutral: software mission assurance does not assume any particular software development methodology, programming language, or tools. Mission assurance is the responsibility of the APO, a defense acquisition oversight organization. Air Force APOs enjoy direct help from multiple entities, such as. In Software Debugging, Testing, and Verification, IBM Systems Journal 41(1), 2002, B. What are the various phases of the software assurance acquisition process according to the U.