Donald Coulter, senior science advisor for cybersecurity in the Science and Technology Directorate’s (S&T) Technology Centers, introduces the Software Assurance Community of Practice (SwA CoP) working group.
Over the past couple of decades, our nation's reliance on the internet and its associated infrastructures and technologies has grown significantly, and, unsurprisingly, cyberattacks have become a far more common and insidious threat. We have seen attacks single out U.S. defense systems by targeting their key functions, and a range of cyberattacks against our critical infrastructure. These ongoing threats are a constant reminder that ensuring our cybersecurity means strengthening the defensive measures we already have in place.
One way S&T works to implement and improve state-of-the-art technologies for the nation's cybersecurity is through our involvement in the SwA CoP, an interagency group founded in 2012 by the Office of the Under Secretary of Defense for Research and Engineering and the National Security Agency (NSA). Now composed of more than 300 members from across the Department of Defense (DoD), NSA, the National Nuclear Security Administration (NNSA), the Department of Homeland Security (DHS), and other federal agencies, the SwA CoP brings subject matter experts together quarterly to develop best practices and standards, exchange research and development efforts, and provide guidance on SwA strategies for defense, federal civilian, and critical infrastructure systems.
The CoP focuses on the latest SwA-related technologies, threats, strategies, and policies, including topics like open-source software (OSS) and Artificial Intelligence (AI), which can be leveraged for organizational efficiency but also introduce novel security risks throughout the software and technology life cycle. This cross-agency information sharing enables experts to continue developing, disseminating, and securing the tools and technologies that play a vital role in mitigating or preventing the effects of cybercrimes and cyberattacks against our country.
The SwA CoP uses working groups (WGs) to support initiatives that address issues deemed critical to improving software assurance posture. The CoP currently has three active working groups: Software Bill of Materials (SBOM), Binary Analysis, and Education and Workforce Development. The SBOM WG provides technical guidance and recommendations to DoD, Department of Energy, and DHS leadership for policy development on establishing SBOMs. To date, the Binary Analysis WG has focused on understanding and improving government agencies' ability to identify malicious content in binaries. The Education and Workforce Development WG aims to inform training and certification so that they keep pace with the latest SwA technologies and topics. A fourth group recently concluded its work: identifying the Software Composition Analysis and SBOM tools currently in use, and those planned for future use, in order to drive greater adoption.
Just last month, S&T joined fellow SwA CoP members for the group’s fall quarterly meeting at the Los Alamos National Laboratory in New Mexico. Over the course of three days, we shared our latest data, recommendations, and research updates that are contributing to the creation and implementation of policies, standards, technologies, and practices that will serve as valuable assets in our ongoing mission to improve the nation’s cybersecurity.
One of S&T's major research efforts presented to the group was our ongoing Hierarchical Software Quality Assurance (HSQA) effort, which is part of S&T's Software Assurance and Data Protection Initiative and is funded by our Cybersecurity and Information Analysis program. HSQA extends the Platform for Investigative Software Quality Understanding and Evaluation to measure source code quality and security in industrial control systems and cloud environments, with the goal of identifying security zones and sensitive sections of source code used in critical infrastructure supply chains.
We have previously used the forum to discuss concepts for advancing Software Understanding for National Security and Critical Infrastructure, which aims to inspire and guide collaborative research across government agencies focused on developing tools and capabilities to deepen our understanding of the software we rely upon throughout our national security and critical infrastructure missions.
As the internet and its technologies and utilities continue to evolve, ensuring our cybersecurity has never been a higher priority than it is right now. And with the help of our partners, we will continue doing everything we can to ensure that S&T stays one step ahead of the curve, both today and in the future.
Looking forward, the SwA CoP plans to hold its next quarterly meeting in December in Alexandria, Virginia. Topics for discussion will include the pros and cons of using AI for software assurance, digital assurance, and systems and security engineering.
If you are interested in learning more about SwA CoP or attending the next meeting, please reach out to our Technology Centers. To learn more about our other ongoing cybersecurity efforts, check out S&T’s Cybersecurity/Information Analysis R&D page, along with our Technologically Speaking Podcast, for more news and updates.