Software Assurance in Acquisition and Contract Language
Acknowledgements

The SwA Forum and Working Groups function as a stakeholder mega-community that welcomes additional participation in advancing software security and refining SwA-related information resources that are offered free for public use. Input to all SwA resources is encouraged. Please contact Software.Assurance@dhs.gov for comments and inquiries.

The SwA Forum is composed of government, industry, and academic members. The SwA Forum focuses on incorporating SwA considerations in acquisition and development processes relative to potential risk exposures that could be introduced by software and the software supply chain.

Participants in the SwA Forum's Acquisition & Outsourcing Working Group collaborated in developing the material used in this pocket guide as a step in raising awareness on how to incorporate SwA considerations throughout the acquisition process.

Information contained in this pocket guide is primarily derived from "Software Assurance in Acquisition: Mitigating Risks to the Enterprise", available through the SwA Community Resources and Information Clearinghouse at https://buildsecurityin.us-cert.gov/swa/acqact.html. The full document was also co-developed with representatives from the Information Resources Management College (IRMC), http://www.ndu.edu/irmc/, and published through the National Defense University Press, so a copy can also be accessed at http://www.ndu.edu/inss/press/NDUPress_Occasional_Papers.htm.

Special thanks to the Department of Homeland Security (DHS) National Cyber Security Division's Software Assurance team, who provided much of the support to enable the successful completion of this guide and related SwA documents.
Overview

Software vulnerabilities, malicious code, and software that does not function as promised pose a substantial risk to the Nation's software-intensive critical infrastructure, which provides essential information and services to citizens. Minimizing these risks is the function of Software Assurance (SwA). Software assurance is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that it functions in the intended manner [CNSSI No. 4009].

Often the common practice in acquisition is to accept software that satisfies functionality with little regard for specifying, determining, or assuring security properties, increasing the risk exposure to users. Many purchasing organizations and acquirers continue to accept software riddled with exploitable flaws and other security vulnerabilities. This may be due in part to acquisition policies and procedures that do not ensure that security is a main concern of the software being acquired.

In addition, acquirers may not be aware of the increased life cycle costs and increased risk exposure to the organization attributable to software that is not secure. Purchasing secure software might entail moderate upfront costs to the acquisition project (especially in dealing with suppliers who have not incorporated security in their development processes); however, the price paid in lost time and resources to continually fix or patch a vulnerable software component can run as much as three times the initial purchase price of secure software. Many organizations fall behind in properly patching vulnerable software
Software Vulnerabilities Side Effects

»» Unintentional errors leading to faulty operations,
»» Destruction of information or major disruption of operations,
»» Insertion of malicious code,
»» Theft of sensitive, personal or classified information, and
»» Changed product.
Software Assurance Pocket Guide Series:
Software Assurance in Acquisition and Contract Language
Acquisition & Outsourcing, Volume I – Version 1.1, July 31, 2009