Skip to Content

Notice

Software Assurance Program: Building Better Quality and More Secure Software

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

National Cyber Security Division, DHS.

ACTION:

Notice of availability.

SUMMARY:

The purpose of this notice is to inform the public and interested Start Printed Page 5352security partners that two draft documents are being released by the Department of Homeland Security (DHS) for comment prior to publication:

  • Security in the Software Lifecycle—Intended to assist application software developers and project managers in defining a strategy to produce more secure software.
  • Secure Software Assurance—Common Body of Knowledge—Intended to assist college-level educators and private industry trainers in creating a curriculum for software assurance.

ADDRESSES:

If you would like to review the draft Security in the Software Lifecycle and the draft Secure Software Assurance—Common Body of Knowledge you may access the documents and the comment forms through one of the following methods:

  • Build Security In Web site: http://buildsecurityin.us-cert.gov—click on “Additional Resources” Tab. The documents are located in the “Supplementary Department of Homeland Security Resources” and “Software Assurance Common Body of Knowledge (CBK)” sections.
  • Mail self-addressed stamped envelope to: Joe Jarzombek, Director for Software Assurance, National Cyber Security Division, Department of Homeland Security, Washington, DC 20528 (Postage: $5.00 for one document/$8.00 for both documents).

If you desire to submit comments, they must be received by February 21, 2006. A comment form is available on the Build Security In Web site (http://buildsecurityin.us-cert.gov) to facilitate detailed comments. Comments must be identified by DHS-2005-0057 and submitted by one of the following methods:

  • Federal eRulemaking Portal: http://www.regulations.gov. Refer to Docket DHS-2005-0057. Follow the instructions for submitting comments. Detailed comment forms can be uploaded.
  • Mail: Joe Jarzombek, Director for Software Assurance, National Cyber Security Division, Department of Homeland Security, Washington, DC 20528.
Start Further Info

FOR FURTHER INFORMATION CONTACT:

DHS Software Assurance Program: Joe Jarzombek, Director for Software Assurance, National Cyber Security Division, Department of Homeland Security, Washington, DC 20528, 703-235-5126 or joe.jarzombek@dhs.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

In collaboration with other government agencies, academia, and private industry, DHS seeks to reduce software vulnerabilities, minimize exploitation, and address means to improve capabilities to routinely develop and deploy quality and trustworthy software. In furtherance of those goals, DHS established the Software Assurance Program.

The DHS Software Assurance Program is grounded in the National Strategy to Secure Cyberspace issued by President Bush in February 2003. DHS began the Software Assurance Program as a focal point to partner with the private sector, academia, and other government agencies in order to improve software development and acquisition processes. The Program seeks to reduce software vulnerabilities, minimize exploitation, and address means to improve capabilities to routinely develop and deploy quality and trustworthy software products—enabling more resilient assets within the critical infrastructure.

DHS developed the following comprehensive approach to address software assurance in collaboration with industry, academia, and government partners:

  • People—Focus on software developers (includes education and training) and users
  • Process—Focus on developing sound practices and practical guidelines
  • Technology—Focus on software evaluation tools and R&D requirements
  • Acquisition—Focus on standards, specifications, acquisition language

As part of the Software Assurance Program, DHS now seeks comments from the public and interested security partners on two draft documents now being released prior to formal publication:

  • Security in the Software Lifecycle—Intended for application software developers and project managers who wish to increase their understanding of security and quality issues related to software and its production, and to improve their own practices in order to produce more secure and better quality application software. This document should provide enough information to assist the reader in defining a strategy for adapting or expanding existing processes and practices to produce more secure software that also achieves a higher degree of quality, reliability, and integrity.
  • Secure Software Assurance—Common Body of Knowledge—Primarily intended for college-level educators and private industry trainers to use as they create curriculum for software assurance which draws upon multi-disciplinary elements of software engineering, information assurance, project management, systems engineering, safety and security, and acquisition. While some of these disciplines already have a body of knowledge, software assurance has not had a formal source for educators to create curriculum. This document is intended to fill that need.

The information in these documents is not intended to represent a standard or policy mandate by DHS. On the contrary, the documents represent a collection of consensus-based, “sound practices” derived from across government, industry, and academia, both in the U.S. and abroad. As such, they should be seen primarily as tools for educating developers and software project managers.

DHS will consider all timely and pertinent comments received prior to finalizing these documents.

Start Signature

Dated: January 23, 2006.

Robert B. Stephan,

Assistant Secretary for Infrastructure Protection.

End Signature End Supplemental Information

[FR Doc. E6-1346 Filed 1-31-06; 8:45 am]

BILLING CODE 4410-10-P