Evaluating and Mitigating Software Supply Chain Security Risks

Ellison, Robert J.; Goodenough, John B.; Weinstock, Charles B.; Woody, Carol

Evaluating and Mitigating Software Supply Chain Security Risks

Active / Technical Report | Accession Number: ADA522538 |

Open PDF

Abstract:

The Department of Defense DoD is concerned that security vulnerabilities could be inserted into software that has been developed outside of the DoDs supervision or control. This report presents an initial analysis of how to evaluate and mitigate the risk that such unauthorized insertions have been made. The analysis is structured in terms of actions that should be taken in each phase of the DoD acquisition life cycle

Author(s):

Ellison, Robert J. ; Goodenough, John B. ; Weinstock, Charles B. ; Woody, Carol

Author Organization(s):

CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST

Descriptive Note:

Final rept.

Supplementary Note:

The original document contains color images.

Pagination:

0050

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:

Approved For Public Release

Distribution Statement:

Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR

Identifying Numbers

Report Number(s):

CMU/SEI-2010-TN-016

Contract/Grant Number(s):

FA8721-05-C-0003

Monitor Series:

ESC/MA

Subject Terms

Joint Capability Areas:

JCA_5_Command and Control; JCA_8_Building Partnerships; JCA_8.2_Shape; JCA_8.2.4_Leverage Capacities and Capabilities of Security Establishments; JCA_5.3_Planning; JCA_7_Protection; JCA_7.2.1_Mitigate Lethal Effects; JCA_7.2_Mitigate; JCA_4.1_Deployment and Distribution; JCA_JCA_4.1.2_Sustain the Force; JCA_5.3.2_Apply Situational Understanding; JCA_5.2_Understand; JCA_3_Force Application; JCA_5.6.4_Assess Guidance; JCA_5.6_Monitor; JCA_6_Net Centric; JCA_5.2.3_Share Knowledge and Situational Awareness; JCA_1_Force Support; JCA_6.4.1_Secure Information Exchange; JCA_4.5.2_Contractor Management; JCA_4.5_Operational Contract Support

Modernization Areas:

Cyber

Communities of Interest:

Cyber

Descriptor(s):

*DATA PROCESSING SECURITY, ACQUISITION, DATA TRANSMISSION SECURITY, RISK ANALYSIS, RISK MANAGEMENT, INFORMATION SECURITY, SOFTWARE ENGINEERING, COMPUTER PROGRAMMING

Field(s)/Group(s):

Administration and Management, Computer Programming and Software, Computer Systems, Computer Systems Management and Standards, Logistics, Military Facilities and Supplies

Keyword(s):

SUPPLY CHAINS, RTSS(RESEARCH TECHNOLOGY AND SYSTEM SOLUTIONS)

Report Date:

2010 May 01

Creation Date:

2010 Jul 07