Challenge Details
Tracking Number: Not Provided
Organization: OUSD (R&E) / Joint Federated Assurance Center (JFAC)
Start Date: Sep 2, 2022
End Date: Nov 18, 2022
Current Status: Closed
Registration: Open

JFAC Digital Assurance Catalog – COTS Products
Challenge Summary
Description
The JFAC recognizes that the assurance community lacks an assurance tool catalog to help potential users quickly identify the complete set of assurance tools available for meeting the needs of a program or system. Thus, the JFAC is establishing a marketplace that identifies the full suite of assurance tool offerings across academia, industry, and government. The marketplace will provide knowledge management features to quickly discover relevant information about the product offerings available to the community. The JFAC’s federated assurance marketplace will identify assurance tools available within different enterprise repositories and catalogs (e.g., Azure Marketplace, AWS Marketplace, GitHub, USAF Platform One’s Iron Bank, and other repositories/catalogs).
Additional Information
Submission Deadline: 11/18/2022 at 12:00 PM EST
Background

Mr. Brian Nowotny
Director, Joint Federated Assurance Center
Office of the Under Secretary of Defense for Research & Engineering - OUSD(R&E)



Organization: The Joint Federated Assurance Center (JFAC)’s mission is to provide assurance solutions to the federation of DoD customers and program offices for applications to weapon systems, information systems, and national security systems. Assurance is the pillar on which to understand the trustworthiness of a system by maximizing the discovery of the capabilities and limitations of the system as it matures across its life cycle. Assurance utilizes life cycle evidence to quantify and contextualize risks as systems mature from concept to deployed operational capability, which can provide credible and accurate insights into warfighting capabilities while mitigating exploitable vulnerabilities. Thus, assurance is a necessary pillar for establishing trust and enabling effective decision making.


JFAC is pursuing a holistic assurance approach intended to connect previously segmented assurance efforts into a fully integrated, traceable, and complete evaluation framework. The framework seeks to provide a holistic risk posture that offers decomposable viewpoints and is reevaluated continuously and in real time.





For context, below are complementary assurance definitions:


Mission Assurance is a process to ensure that assigned tasks or duties can be performed in accordance with the intended purpose or plan...to sustain...operations throughout the continuum of operations.

-DoD Directive 3020.40, January 14, 2010


System Assurance is the justified confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the life cycle... This confidence is achieved by system assurance activities, which include a planned, systematic set of multi-disciplinary activities to achieve the acceptable measures of system assurance and manage the risk of exploitable vulnerabilities.

–NATO, Engineering for System Assurance in NATO programs, February 2010


Software Assurance is the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the lifecycle.

-DoDI 5200.44, 05 Nov 2012

 
 
 
 
 
Requirements

For the purposes of this Challenge, JFAC is looking to populate capability cards for assurance products supporting the JFAC Portal & Catalog/Marketplace. The following publicly releasable information (Distribution A) is requested to support the JFAC’s public-facing website:


·  Company Name
·  Assurance Product Name
·  Assurance Product Logo (image)
·  Brief Description of Capability
·  Category of assurance tool type (identify multiple, if applicable)
    o   Example Categories: Threat Modeling, Model Based Systems Engineering (MBSE), Standards Compliance, Static Source Code Analysis, Data Correlation, Application Vulnerability Correlation, Library Analysis, Binary Analysis, Dynamic Analysis, Container Scanners, Interactive Analysis, Risk Analysis, Penetration Testing, Fuzz Testing, API Testing, Data Assurance, AI Assurance, Software Composition Analysis, Software Bill of Materials (SBOM), etc. (This list is not exhaustive; recommend additional categories if a more suitable one for your product offering is not listed.)
·  Repositories/marketplaces where the tools are currently located and available
·  Available delivery options
    o   Example: Web-based, cloud-based, desktop-based, Integrated Development Environment (IDE)-based, Software as a Service (SaaS), Platform as a Service (PaaS)
·  If the assurance tool is specific to Software Assurance, please identify the following additional information:
    o   Programming Languages Supported
    o   Level of CVE/CWE Coverage
    o   Targets
        §  Example: executables, Office product suite, PDFs, e-mail, binaries, embedded software, etc.
    o   Components
        §  Example: .jar, .dll, .c, .cpp, 3rd party, etc.
    o   Version
        §  Example: Open Systems Software (OSS), Community, Standard, Enterprise, etc.
·  Hyperlinks/webpages for products

 

 

In addition to the required information fields above, we request voluntary submission of the following data fields to be shared with the DoD user community with the intent that the knowledge will help equip users with useful insights to help inform decisions regarding assurance tools and their suitability for meeting their specific needs.



·  Product Summary Graphic (or GIF)
·  Unique tool features
·  US Data Rights Assertions
·  License Costs & Available License Procurement Vehicle
·  Technology Readiness Level
·  Containerization/Hardening Status
·  Available DoD Accreditations (Impact Level, Authorizing Official, Network)
·  DoD Market Analysis: Current consumption of tools by DoD programs and systems
·  Competitor Analysis: Similar tools considered competitors to proposed product offering

 

 
 
 
 
 
How You Can Participate

Please register your response via the left gutter registration pane. You may ask questions and/or submit comments as needed. Your personal and company information will not be made public when submitting comments or questions.


You may share this opportunity with colleagues via our public challenge page.

 
 
 
 
 
Point of Contact
Name: Brian Nowotny
Email: brian.m.nowotny.civ@mail.mil
Title: JFAC Director
Phone: Not Provided