Software Assurance in Acquisition: Mitigating Risks to the Enterprise. A Reference Guide for Security-Enhanced Software Acquisition and Outsourcing

Abstract

Software vulnerabilities, malicious code, and software that does not function as promised pose a substantial risk to the Nation's software-intensive critical infrastructure that provides essential information and services to citizens. Minimizing these risks is the function of software assurance (SwA). Software assurance is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that it functions in the intended manner. SwA is a key element of national security and homeland security. Software vulnerabilities jeopardize intellectual property, consumer trust, business operations and services, and a broad spectrum of critical infrastructure. To ensure the integrity of business operations and key assets within critical infrastructure, software must be reliable and secure. The responsibility for SwA must be shared not only by software suppliers in the supply chain but also by the acquirer in the supply chain who purchases the software. There is a concern that acquirers are not aware of this responsibility and are inadequately prepared to support SwA in the acquisition process. This guide provides information on incorporating SwA throughout the acquisition process from the acquisition planning phase to contracting, monitoring and acceptance, and follow-on phases. For each phase, the material covers SwA concepts, recommended strategies, and acquisition management tips. The guide also includes recommended request for proposal and/or contract language and due diligence questionnaires that may be tailored by acquisition officials to facilitate the contract evaluation process.

Document Details

Document Type
Technical Report
Publication Date
Feb 01, 2009
Accession Number
ADA495389

Entities

People

  • Mary L. Polydys
  • Stan Wisseman

Organizations

  • Information Resources Management College

Tags

Communities of Interest

  • Cyber
  • Engineered Resilient Systems
  • Human Systems
  • Weapons Technologies

DTIC Thesaurus Topics

  • Application Software
  • Business Administration
  • Computer Program Documentation
  • Computer Program Reliability
  • Computer Programming
  • Computer Programs
  • Computers
  • Cybersecurity
  • Information Processing
  • Information Systems
  • Management Personnel
  • National Security
  • Organizational Structure
  • Personnel Management
  • Systems Engineering
  • Test And Evaluation
  • Web Service

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Government Contracting/Procurement
  • Software Engineering