Software Security Assurance
Compliance Guide for Federal Agencies

Increasingly, US federal agencies rely on complex and internetworked software to enable their mission. As federal services from taxpayer information to national defense move onto the Web, agencies have a driving need to ensure that the software managing those services and related data is written securely. The regulatory environment has expanded recently to address the need for ongoing, measurable software security assurance programs, and is mandating that agencies demonstrate their compliance. Both FISMA and DITSCAP/DIACAP mandate periodic risk assessments of critical applications to determine potential exploitability, and require the remediation of discovered flaws.
Agencies, armed with automated software security assurance tools such as those that Ounce Labs provides, can now have the metrics and policy compliance information they need to report to agency heads and federal regulators on the process and state of their software security assurance efforts. This guide provides key agency personnel charged with fulfilling these various regulatory requirements with a quick reference to understanding:
- The major compliance categories into which software security assurance activities fall, including Risk Assessment, Identification and Authentication, and Vulnerability Remediation.
- The applicable regulatory and compliance frameworks and the specific control activities within each that apply to software security assurance activities.
- The Ounce Labs solution and the way in which its capabilities provide the necessary metrics and policy compliance information to help prove compliance with these activities.
The regulatory and compliance frameworks covered in this guide include:
- FISMA: This core federal security mandate requires software security assurance in the form of "periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency."¹ Key implementation guide: NIST's Special Publication 800 Series
- DITSCAP / DIACAP: Applying specifically to the National Security Agency and the Department of Defense (DoD), the DITSCAP / DIACAP regulations require those agencies to "evaluate security vulnerabilities with regard to confidentiality, integrity, availability and accountability and recommend applicable countermeasures... [the systems must be] analyzed to determine its susceptibility to exploitation, the potential rewards to the exploiter, the probability of occurrence, and any related threat."² Key implementation guide: Defense Information Systems Agency's (DISA) Application Security Checklist
