SEI Technical Staff Members Win 2019 ISLA Award
November 4, 2019 • Article
November 4, 2019—A team of SEI technical staff members has received the 2019 Information Security Leadership Award (ISLA®) Government, in the category of Most Valuable Industry Partner (Team). The team includes
- Timothy Chick, systems team technical manager, CERT Division
- William Nichols, senior member of the technical staff, Software Solutions Division
- Kenneth Nidiffer, principal systems software engineer, Software Solutions Division
- Thomas Scanlon, senior member of the technical staff, CERT Division
- Carol Woody, principal researcher, CERT Division
Scanlon accepted the award on behalf of the team at the 2019 (ISC)2 Security Congress on October 30 in Orlando, Fla. (ISC)2, the information technology security professional organization best known for the Certified Information Systems Security Professional (CISSP®) certification, gives the ISLA Government award to “a U.S. federal, state or local contractor or consultant team (currently supporting a government contract) whose project or initiative has significantly contributed to the advancement of information security in the areas of information security workforce, policy, process or technology.”
The award recognized the SEI team’s technical guidance and research performed for the Department of Defense’s (DoD) Joint Federated Assurance Center (JFAC), which supports software and hardware assurance efforts across the DoD. Over two years, the SEI team developed a pair of guidebooks on software assurance at the DoD and delivered them to JFAC in late 2018. The guidebooks have since been distributed across the DoD and, in December 2018, published as SEI special reports: DoD Developer’s Guidebook for Software Assurance, by Nichols and Scanlon, and Program Manager’s Guidebook for Software Assurance, by Nidiffer, Woody, and Chick.
The guidebooks define software assurance as “the justified confidence that software functions as intended and is free of vulnerabilities throughout the product lifecycle,” though in practice, vulnerability risk may always need to be managed.
Nidiffer cautioned that software assurance is difficult to achieve. “Software and systems are increasingly becoming bigger, more complex, and intertwined,” he said. “The changing and expanding role that software plays in our society means that the development of software-enabled systems must continue to evolve while we pursue software quality.”
The SEI guides consolidate advice and resources from the disparate body of software assurance literature into two convenient reference books. They can serve as trusted resources for software development and acquisition planning and for justifying resources for cybersecurity.
The guidebooks also speak to DoD developers and program managers in their own terms. “Much of the DoD guidance published for cybersecurity is written to communicate to security experts,” said Woody. “Our developer’s guidance uses their own language to help them understand their responsibilities for cybersecurity. The guidance for program managers is written in familiar acquisition and engineering terms, to help them see why addressing cybersecurity earlier in the lifecycle can directly impact how well their systems will perform in cybersecurity testing.” She added that the shift to Agile and DevSecOps development demands earlier consideration of cybersecurity.
The advice in the guidebooks is specifically geared toward those in the DoD, an environment with unique regulatory requirements. For example, the DoD Developer’s Guidebook summarizes the State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation, a large report by the Institute for Defense Analyses that lists software tools and related information to help DoD program managers make decisions about software assurance and supply chain risk management. The guidebooks also define the requirements at certain gates in federal government software development and acquisition.
Since their release, the guidebooks have been given to multiple stakeholders in the DoD. The Defense Acquisition University and Carnegie Mellon University’s Heinz College have used the books as well.
“I’m very happy to see the books being used in practice,” said Scanlon. “It validates the work you’re doing, that people are interested in it.”
Woody said that the 2019 ISLA Government Award also confirms the importance of the new guidance on software assurance. She further credited the award to the SEI’s multidisciplinary approach. “The SEI brings expertise in acquisition, engineering, development, and security to the problem space,” she said. “We are mission focused without pushing specific methods, practices, or tools, so we can be trusted to consider the needs of the DoD.”
Download the DoD Developer’s Guidebook for Software Assurance at https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538756. Download the Program Manager’s Guidebook for Software Assurance at https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538771.