ABERDEEN PROVING GROUND, Md. – The world of cybersecurity is an ever-changing one. New threats constantly appear that can attack software, whether it is on your home computer or on the Army’s tactical network. The problem confronting software assurance professionals and practitioners is how to stay ahead of the vulnerabilities that could enable bad actors or enemies to disrupt operations.
Some information technology experts in the U.S. Army Communications-Electronics Command’s Software Engineering Center, in cooperation with agencies throughout the Army, addressed this problem by creating a new Dept. of the Army pamphlet, or DA PAM.
“Software Assurance (SwA) was highlighted by the Deputy Chief of Staff G6 and the Office of the Chief Information Officer (OCIO) as an integral component in cybersecurity,” said James Caseja, with the SEC Technical Services Directorate’s Cybersecurity Division. “We are leading an Integrated Product Team to bridge the gap in improving the implementation and evaluation of Government off-the-shelf (GOTS) and Commercial off-the-shelf (COTS) software within the Army.”
Of course, creating a DA PAM for Software Assurance cannot be done without agreement and buy-in from the many agencies that directly or indirectly deal with software assurance.
“Writing the SwA DA PAM was a very collaborative endeavor, which required significant research to align existing Departmental and Army policies with industry best practices,” Caseja said. “Subject matter experts from across the Army were often consulted to validate contents within the PAM and ensure achievability for implementation. This process was critical for capturing all perspectives as it relates to product owners, developers, sustainers, and practitioners. Maintaining engagements with leadership at the DCS-G6 and OCIO helped promulgate SwA to the community and generate coalitions for increasing software security.”
Among the Army agencies that cooperated in the development and publishing process were practitioners from the Combat Capabilities Development Command (DEVCOM), Tank-Automotive & Armaments Command (TACOM) and Network Enterprise Technology Command (NETCOM). DCS-G6 and OCIO cultivated the SwA DA PAM from concept to fruition and championed the effort into practice.
The SwA DA PAM 25-2-5 will provide clear, Army-wide guidance on implementing and complying with DoD directives such as DoDI 5000.02 (Operation of the Adaptive Acquisition Framework) and DoDI 5200.44 (Protection of Mission Critical Functions to Achieve Trusted Systems and Networks).
“Software Assurance will provide the Army with enhanced capabilities to address vulnerabilities early in development while inherently avoiding exponential cost growth for software remediation, providing continuous feedback mechanisms to address software weaknesses, supplementing manual testing through source code scanning, and integrating source code scanning tools within organization processes,” Caseja explained. “The SwA DA PAM fully supports Army readiness as cybersecurity resilience is emphasized in policy from cradle to grave, and streamlines lifecycle management activities for software assurance. As SEC is one of the teams authorized to validate results or perform SwA assessments for the Army, the PAM will serve as a baseline in ensuring products are delivered securely to support the Warfighter’s mission.”
Caseja came to CECOM as a student trainee while completing his degree at Towson University. He decided to stay with SEC in cybersecurity because the field presents many opportunities for growth and innovation.
“The best thing about working in cybersecurity is the freedom to innovate and lead complex projects in support of the warfighter,” he said. “The constant need for improvement fosters my eagerness to grow, learn from peers, and continuously challenge the norm. The on-the-job training, dynamic team environment, and cross-collaboration opportunities attract new employees just starting out in this field. Working in cybersecurity exposes you to hands-on practices of conducting threat and vulnerability assessments, utilizing automated tools to assess a system’s overall security posture, and engaging with stakeholders to directly affect software.”