Director for Software Assurance,
National Cyber Security Division,
Department of Homeland Security
Serves as Director for Software Assurance in the Policy and Strategic Initiatives Branch
of the National Cyber Security Division (NCSD) within the Department of Homeland Security
(DHS) to provide the focal point on software integrity issues.
- Leads collaboration efforts in analyzing software lifecycle components including people,
processes, and technology and identifies areas for software quality and security improvement
with a focus on development, acquisition, and support.
- Guides DHS initiatives in analyzing and resolving software challenges; supports evolution of
policy and guidance on software assurance, including assessment of federal policies,
procedures and evaluation schemes, such as the National Information Assurance Partnership.
- Functions as DHS coordinator for software quality and acquisition initiatives, working with
other federal agencies, state agencies, and international allies to identify and
specify organizational software-related processes and software-enabled technologies that
mitigate risks attributable to software.
- Works with federally-funded research and development centers (FFRDCs), consortiums,
foundations, universities, and standards groups to coordinate relevant initiatives and
leverage organizational resources to share best practices, tools, processes, and research to
improve software assurance.
- Serves as DHS liaison on government/industry working groups and serves on NIST, IEEE and
ISO/IEC standards committees and advisory groups, and other executive groups to ensure
software assurance needs are addressed in standards, best practices, process models and
product lifecycle initiatives.
- Publishes best practices relating to software security via the web site
as information for developers and acquisition managers.
- Working with government/academic/industry groups, leads team efforts to develop the Software
Assurance Common Body of Knowledge to provide a framework to recommend updates in curriculum
to enhance IT acquisition and software-related education and training across the federal
acquisition workforce curricula, within universities and colleges, and within industrial
- Works with government/academic groups, such as the National Science Foundation (NSF),
University Affiliated Research Centers (UARCs), and IA Centers of Academic Excellence (CAEs),
to prioritize research consistent with software assurance needs.
- Provides requisite interfaces with other federally-sponsored software related initiatives,
such as the National Science Foundation (NSF) Cyber Trust Initiative, DoD Software Protection
and Software Assurance Initiatives, National Institute of Standards and Technology (NIST)
computer security projects and initiatives, and interagency Information Assurance initiatives.
- Leads interagency and international collaboration efforts engaging industry and measurement
bodies, such as the Practical Software and Systems Measurement Support Center, NIST, and
FFRDCs to develop software assurance measurement practices and support.
- Provides support for special projects and DHS initiatives and studies relating to software
assurance, and support of DHS’s response to Congressional inquiries, Government Accountability
Office (GAO) reviews, and audit reports and studies related to software assurance.
The DHS Software Assurance (SwA) Program is based on the National
Strategy to Secure Cyberspace that specifies: "DHS will facilitate a
national public-private effort to promulgate best practices and
methodologies that promote integrity, security, and reliability in
software code development, including processes and procedures that
diminish the possibilities of erroneous code, malicious code, or trap
doors that could be introduced during development."
As a strategic initiative of the DHS National Cyber Security Division,
the SwA Program also guides the SwA Forum and SwA Working Groups under
auspices of the Critical Infrastructure Partnership Advisory Council
(CIPAC) providing venues for government and the private sector to
collaborate in addressing SwA issues associated with: Processes and
Practices, Workforce Education and Training, Acquisition and
Outsourcing, Technology, Tools and Product Evaluation, Malware
Countermeasures, Measurement, and Business Case.
Scoped to address mechanisms to achieve software trustworthiness,
predictable execution, and conformance, the DHS SwA Program collaborates
with other agencies, industry, and academia to develop, publish and
update relevant information via:
- "Build Security In" web portal
- SwA Common Body of Knowledge to support curriculum development,
- Developers' Guide on Security Enhancing the Software Development Lifecycle,
- SwA-related standards of IEEE CS, ISO/IEC, OMG, NIST,
- CMM-based Security/Assurance extensions,
- Practical Measurement Guidance for SwA and Information Security,
- SwA Metrics and Tool Evaluation (with NIST),
- Common Weaknesses Enumeration (CWE) dictionary,
- Common Attack Pattern Enumeration and Classification,
- Due-diligence questionnaires and sample procurement language in
"SwA in Acquisition: Mitigating Risks to the Enterprise."
last updated 3 November 2007 - cgr