Nov 19, 2017 | Papers, Presentations | cuzimbob

Software Reuse, Component Trading, and Market Exposure Within the DoD

For many years, it has been assumed that once you sell your software to the Department of Defense (DoD), anyone within the DoD can and will be able to use it. Unfortunately, that simply has not been the case. In the past, cybersecurity assessments have focused on the entire system (e.g. hardware, operating system, software, network) and not on the individual piece of software. With the DoD's adoption of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), the DoD finally has a method for you to document your software security in a manner that can be shared throughout the DoD.

From May of 2013 through the final publishing in October of 2014, BL King Consulting developed the process by which the DoD assesses and authorizes standalone software, especially web applications. The presentation below is a 6-hour training course. The first 3 hours are intended for a management audience (e.g. Program Managers, Engineering Managers, Security Managers), whereas the second 3 hours are intended for technical practitioners (e.g. Security Officers, Software Engineers, Security Engineers). The engineering group should attend both sessions, whereas the management group should attend only the first session.


If you are interested in receiving this training or a tailored version, contact us through our Contact Us page. We can also work with your team to produce a DoD Software Assurance Reciprocity package for your software and even help with cybersecurity acceptance.

The DoD RMF Technical Advisory Group (TAG) accepted and published the products and process outlined in the presentation below on their site in October of 2014. You can view their publication here: https://rmfks.osd.mil/rmf/General/IT/Pages/SwAR.aspx

The RMF provides policy and guidance for the inclusion of web-based IT Products-WebApp Software into accredited systems. The SwAR documents the process used in the RMF to enable web application reciprocity. The SwAR provides the results of the security assessment process and provides essential information necessary to make a risk-based decision by the IS/PIT on whether to allow operation of the WebApp Software on the approved information system. The templates and procedures are designed to aid and assist an ISSM in the assessment, sharing, and cybersecurity reciprocity of IT Products – Software.

The sponsor of a WebApp Software IT Product will coordinate and collaborate with a duly appointed Security Controls Assessor to provide for a validated secure development, testing and reporting of the software's level of assurance. This information will be used during development (if GOTS) and reported on the provided templates. The implementing organization (which may not be the IT Product Sponsor) will then receive the completed reports from the sponsor and use them for assessment and integration into their authorized baseline.

The SwAR describes the cybersecurity characteristics of the mission and data components or WebApp. A web application consists of a software-only component, which runs on a server, and is accessible via an end user browser or Application Program Interface (API). The WebApp technologies are defined by the SwAR MetaModel and are specifically constrained to OWF (Ozone Widget Framework), OWF Mobile, JC2CUI (Joint C2 Common User Interface) and OSGi based technologies (Open Service Gateway initiative). The SwAR Template will be used by the sponsor for standardized testing and reporting.