Not Provided
OUSD (R&E) / Joint Federated Assurance Center (JFAC)
Sep 2, 2022
Nov 18, 2022
Closed
Open
Mr. Brian Nowotny
Director, Joint Federated Assurance Center
Office of the Under Secretary of Defense for Research & Engineering - OUSD(R&E)
Organization: The Joint Federated Assurance Center (JFAC)’s mission is to provide assurance solutions to the federation of DoD customers and program offices for applications to weapon systems, information systems, and national security systems. Assurance is the pillar on which to understand the trustworthiness of a system, by maximizing the discovery of the system’s capabilities and limitations as it matures across its life cycle. Assurance uses life cycle evidence to quantify and contextualize risks as systems mature from concept to deployed operational capability, which can provide credible and accurate insights into warfighting capabilities while mitigating exploitable vulnerabilities. Thus, assurance is a necessary pillar for establishing trust and enabling effective decision making.
JFAC is pursuing a holistic assurance approach intended to connect previously segmented assurance efforts into a fully integrated, traceable, and complete evaluation framework. The framework seeks to provide a holistic risk posture that offers decomposable viewpoints and is reevaluated continuously and in real time.
For context, below are complementary assurance definitions:
Mission Assurance is a process to ensure that assigned tasks or duties can be performed in
accordance with the intended purpose or plan...to sustain...operations throughout the continuum of
operations.
-DoD Directive 3020.40, January 14, 2010
System Assurance is the justified confidence that the system functions as intended and is free of
exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the
system at any time during the life cycle... This confidence is achieved by system assurance
activities, which include a planned, systematic set of multi-disciplinary activities to achieve the
acceptable measures of system assurance and manage the risk of exploitable vulnerabilities.
-NATO, Engineering for System Assurance in NATO programs, February 2010
Software Assurance is the level of confidence that software functions as intended and is free of
vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software
throughout the lifecycle.
-DoDI 5200.44, 05 Nov 2012
For the purposes of this Challenge, JFAC is looking to populate capability cards for assurance products supporting the JFAC Portal & Catalog/Marketplace. The following publicly releasable information (Distribution A) is requested to support JFAC’s public-facing website:
· Company Name
· Assurance Product Name
· Assurance Product Logo *Image*
· Brief Description of Capability
· Category of assurance tool type (could identify multiple, if applicable)
  o Example Categories: Threat Modeling, Model Based Systems Engineering (MBSE), Standards Compliance, Static Source Code Analysis, Data Correlation, Application Vulnerability Correlation, Library Analysis, Binary Analysis, Dynamic Analysis, Container Scanners, Interactive Analysis, Risk Analysis, Penetration Testing, Fuzz Testing, API Testing, Data Assurance, AI Assurance, Software Composition Analysis, Software Bill of Materials (SBOM), etc. (not an exhaustive list; identify recommendations for your product offering if there are more suitable assurance categories not listed)
· Repositories/marketplaces where the tools are currently located and available
· Available delivery options
  o Example: Web-based, cloud-based, desktop-based, Integrated Development Environment (IDE)-based, Software as a Service (SaaS), Platform as a Service (PaaS)
· If the assurance tool is specific to Software Assurance, please provide the following additional information:
  o Programming Languages Supported
  o Level of CVE/CWE Coverage
  o Targets
    § Example: executables, Office product suite, PDFs, e-mail, binaries, embedded software, etc.
  o Components
    § Example: .jar, .dll, .c, .cpp, 3rd party, etc.
  o Version
    § Example: Open Systems Software (OSS), Community, Standard, Enterprise, etc.
· Hyperlinks/webpages for products
In addition to the required information fields above, we request voluntary submission of the following data fields to be shared with the DoD user community, with the intent of equipping users with useful insights to inform decisions regarding assurance tools and their suitability for meeting their specific needs.
· Product Summary Graphic (or GIF)
· Unique tool features
· US Data Rights Assertions
· License Costs & Available License Procurement Vehicle
· Technology Readiness Level
· Containerization/Hardening Status
· Available DoD Accreditations (Impact Level, Authorizing Official, Network)
· DoD Market Analysis: Current consumption of tools by DoD programs and systems
· Competitor Analysis: Similar tools considered competitors to proposed product offering
Please register your response via the left gutter registration pane. You may ask questions and/or submit comments as needed. Your personal and company information will not be made public when submitting comments or questions.
You may share this opportunity with colleagues via our public challenge page.
Name: Brian Nowotny
Email: brian.m.nowotny.civ@mail.mil
Title: JFAC Director
Phone: Not Provided