    Question

    What types of certifications are required outside of cybersecurity to operate under the Software Acquisition Pathway and what are the governing bodies where we get those certifications from?


    Answer

    The question is "What types of certifications are required outside of cybersecurity to operate under the Software Acquisition Pathway and what are the governing bodies where we get those certifications from?" Some of the answers address only cybersecurity. There are numerous others out there that MAY be required. I cannot find a definitive list. It depends on the program, the type of system, how it's employed, etc.

    Here are the various responses that may be helpful.

    --------------------------------------------------------------------------------------------------------------------
    Just because it is not specifically mentioned in DoDI 5000.87 does not mean that the requirement for certification goes away. There are other policies, directives, regulations, etc. that

    Thanks!

    Bob

    I have talked with Mr. Wicke and would like to forward this conversation to him. He can then continue his research based on your comments.

    ---------------------------------------------------------------------------------------------------------------------------

    Sean Brady and I discussed this and, for the DoDI 5000.87 SW Acq Pathway, there are no plans for any certifications---either product or person...no Interoperability Certs, no Cyber Certs.

    Bob

    -------------------------------------------------------------------------------------------------------------------

    The design of cybersecurity under the DoDI 5000.87 is very different than our current compliance-based approach (achieve an ATO/ATC). Please look at the attached slides pulling out the construct of cybersecurity under the DoDI 5000.87 SWP. It is a risk-based management approach that goes for continual testing, recurring assessment, high automation (testing, software assurance, threat assessment, vulnerability discovery, etc.), continuous monitoring, and vulnerability remediation that works towards a continuous Authority to Operate (cATO). A program office following these constructs would have a mature process for: secure development; cybersecurity and assurance capabilities; and secure lifecycle management. They would work towards frequent and continual drops of capability where each incremental drop either does not degrade the existing security posture or corrects another known issue/vulnerability. This construct starts to implement resilience with at least rolling back to known good configurations. This approach is a dramatic improvement over our current approaches. If you read the most recent GAO report (dated 8 June 2021) on DoD Report to Congressional Committees - "Weapons Systems Annual Assessment" (available at https://www.gao.gov/assets/gao-21-222.pdf):

    "We found that while MTA programs more regularly reported in questionnaire responses that they include cybersecurity in planning documents than MDAPs, about half of the MDAPs and all MTA programs have not consistently implemented cybersecurity test and evaluation processes recommended by DOD guidance. This guidance notes that cybersecurity test and evaluation starts at acquisition initiation and continues throughout the entire life cycle. Accordingly, our analysis this year focused on the extent to which programs included cybersecurity in early planning, such as in cybersecurity strategies and requirements, as well as the extent to which programs assessed cybersecurity resilience and identified vulnerabilities throughout contractor development." (p. 53)

    Please focus on the above statement - "have not consistently implemented cybersecurity test and evaluation processes recommended by DOD guidance" for MDAPs and MTAs.

    If we help program offices work towards implementation of these SWP constructs, we have a chance to make a major impact in their security posture. Doing this approach requires education and training for the required cybersecurity approach, a culture change at the program office in their software development and contractor management, adoption of a shared responsibility model in their workforce development, and a willingness to adapt to a co-evolving intelligent cyber threat that is continually imposing new cybersecurity requirements on their system and its surrounding environment.

    Vr,

    Paul Shaw

    -------------------------------------------------------------------------------------------------------------------

    Software Pathway (SWP) is a little bit more complex and involved for cybersecurity than an Authority to Operate and Authority to Connect. All programs of record, regardless of whether they select the SWP route in the AAF, need an ATO and an ATC. The fact that the group is talking about containers and deploying on Navy ships implies many other things, such as the use of a DevSecOps process (especially the security piece with automated testing tools), awareness and alignment with the Navy's Project Overmatch, migration to the construct of a Continuous Authority to Operate (cATO) (such as with the Navy RAISE Process), and the many other elements of the SWP process (also described as the .87 process).

    May I ask, as there are only 18 officially approved programs in the DoD for SWP on the attached slide (as of last week): if their name is not listed on the attached slide, may I suggest we work with this customer to better understand what the DoDI 5000.87 instruction on SWP (attached) means. There is a group in DAU West that has been working with 3 of the programs listed on the 18 officially approved SWP programs for the last four months. There are many lessons learned and best practices to assist this potential customer. Please look at the attached OSD briefs on SWP. The great news - the OSD Lead for SWP is Sean Brady. Sean Brady was a professor with DAU before going back to OSD to assume the lead for the SWP program. Please be aware that a Navy program going on Navy ships will follow NAVADMIN 342-20. This customer most likely needs assistance with the Navy's Risk Management Framework (RMF) Assess and Incorporate Software Engineering (RAISE) process.

    Vr,

    Paul Shaw
