Our objective was to determine whether the Department of the Navy (DON) effectively managed software licenses. Specifically, we determined whether the DON included appropriate clauses in software license contracts. We reviewed 1 Enterprise Licensing Agreement (ELA), 13 non-ELAs, and the associated End User License Agreements (EULAs) to determine if the contracts included desirable language in accordance with the DoD Enterprise Software Initiative approved software licensing training.

Findings: Overall, the DON made progress toward the mandated use of DON ELAs by issuing a $700 million ELA for Microsoft software. However, the ELA included unacceptable language in 2 of the 11 best practice areas we identified in software licensing training. In addition, the DON non-ELA software license contracts reviewed, valued at $8.1 million, included unacceptable language for contract clauses in 7 of the 11 areas of concern listed in the software licensing training. Furthermore, 8 of the 13 DON contracting officers accepted EULAs containing unacceptable language. This occurred because no established requirements existed to guide contracting personnel in determining whether to include specific clause language in software license contracts. Furthermore, 11 of the 13 contracting officers did not receive the necessary training to gain the specialized knowledge needed to write software license contracts or review EULAs properly. As a result, the DON increased the risk of wasteful spending, disruption to Government operations, and vulnerability to lawsuits, claims, and penalties.

We recommend that the Assistant Secretary of the Navy (Research, Development, and Acquisition) (ASN[RDA]) require all DON contracting personnel involved in preparing and issuing software license contracts to take specialized training on using appropriate language in software acquisition contracts.
Published on 09/14/2018
Document details: 35 pages. 4 downloads.
The purpose of this guide is to assist DoD and contractor Program Managers (PMs), program offices and Integrated Product Teams (IPTs) in effectively managing program risks during the entire acquisition process, including sustainment. This guide contains baseline information and explanations for a well-structured risk management program. The management concepts and ideas presented here encourage the use of risk-based management practices and suggest a process to address program risks without prescribing specific methods or tools. Since this is a guide, the information presented within is not mandatory to follow, but PMs are encouraged to apply the fundamentals presented here. The guide should be used in conjunction with related directives, instructions, policy memoranda, or regulations issued to implement mandatory requirements. This guide has been structured to provide a basic understanding of risk management concepts and processes. It offers clear descriptions and concise explanations of core steps to assist in managing risks in acquisition programs. It focuses on risk mitigation planning and implementation rather than on risk avoidance, transfer, or assumption. There are several notable changes of emphasis in this guide from previous versions. These changes reflect lessons learned from application of risk management in DoD programs. Risk management references can be found on the Defense Acquisition University Community of Practice website. This guide is supplemented by the Defense Acquisition University (DAU) Risk Management Continuous Learning Module (key words: risk management and course number CLM017). The Office of the Secretary of Defense (OSD) office of primary responsibility (OPR) for this guide is OUSD(AT&L) Systems and Software Engineering, Enterprise Development (OUSD(AT&L) SSE/ED). This office will develop and coordinate updates to the guide as required, based on policy changes and customer feedback.
Published on 06/13/2018
Document details: 40 pages. 5 downloads.
DTIC ADA443742: The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management
Every organization has a mission that describes why it exists (its purpose) and where it intends to go (its direction). The mission reflects the organization's unique values and vision. Achieving the mission takes the participation and skill of the entire organization. The goals and objectives of every staff member must be aimed toward the mission. However, achieving goals and objectives is not enough. The organization must perform well in key areas on a consistent basis to achieve the mission. These key areas unique to the organization and the industry in which it competes can be defined as the organization's critical success factors. The critical success factor (CSF) method is a means for identifying these important elements of success. It was originally developed to align information technology planning with the strategic direction of an organization. However, in research and fieldwork undertaken by members of the Survivable Enterprise Management (SEM) team at the Software Engineering Institute, it has shown promise in helping organizations guide, direct, and prioritize their activities for developing security strategies and managing security across their enterprises. This report describes the critical success factor method and presents the SEM team's theories and experience in applying it to enterprise security management.
Published on 05/30/2018
Document details: 135 pages. 9 downloads.
DTIC ADA495389: Software Assurance in Acquisition: Mitigating Risks to the Enterprise. A Reference Guide for Security-Enhanced Software Acquisition and Outsourcing
Software vulnerabilities, malicious code, and software that does not function as promised pose a substantial risk to the Nation's software-intensive critical infrastructure that provides essential information and services to citizens. Minimizing these risks is the function of software assurance (SwA). Software assurance is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that it functions in the intended manner. SwA is a key element of national security and homeland security. Software vulnerabilities jeopardize intellectual property, consumer trust, business operations and services, and a broad spectrum of critical infrastructure. To ensure the integrity of business operations and key assets within critical infrastructure, software must be reliable and secure. The responsibility for SwA must be shared not only by software suppliers in the supply chain but also by the acquirer in the supply chain who purchases the software. There is a concern that acquirers are not aware of this responsibility and are inadequately prepared to support SwA in the acquisition process. This guide provides information on incorporating SwA throughout the acquisition process from the acquisition planning phase to contracting, monitoring and acceptance, and follow-on phases. For each phase, the material covers SwA concepts, recommended strategies, and acquisition management tips. The guide also includes recommended request for proposal and/or contract language and due diligence questionnaires that may be tailored by acquisition officials to facilitate the contract evaluation process.
Published on 07/11/2018
Document details: 133 pages. 3 downloads.
This presentation first describes the problem of cybersecurity from a reactive/intruder-based perspective, as we in the security community typically consider it. What becomes clear is that we cannot continue to attempt to solve the security problem solely from this point of view. We will never catch up or be able to fully anticipate new and increasingly sophisticated attack patterns or even old ones with known solutions that continue to proliferate. We must begin to broaden the solution to encompass an enterprise wide, proactive, and controls- and process-based approach that addresses impact, not just threat and vulnerability. From this broader vantage point, we offer several promising ways to think about the problem and tackle it effectively, based on current work with high performing organizations. We call this approach Enterprise Security Management.
Published on 11/19/2018
Document details: 59 pages. 3 downloads.
This Graduate Research Project first determines MICT's utility relative to existing processes and tools in the areas of self-inspection efficiency, commander oversight, deficiency identification, corrective action plan development, trending, and resolution. Then, it determines how MICT's capabilities can best be leveraged to improve efficiency and effectiveness in the new Air Force Inspection System (AFIS) and enable future, desired transformations. Methodologies employed include inferential and descriptive statistics, surveys, and interviews to answer the following research questions: 1) Does MICT's utility relative to existing processes and tools in the areas of self-inspection efficiency, commander oversight, deficiency identification, corrective action plan development, trending, and resolution warrant mandatory, enterprise-wide employment? 2) Which MICT capabilities (if any) should be leveraged to improve efficiency and effectiveness in the new AFIS and to enable future desired transformation? 3) How should MICT key capabilities (if any) be leveraged to maximize efficiency and effectiveness in the new AFIS and to enable future desired transformation of the AFIS? 4) Which MICT key capabilities should software developers enhance to improve efficiency and effectiveness in the new AFIS and to enable future desired transformation of the AFIS? The three methodologies produced results that strongly supported the research hypotheses presented in the introductory chapter.
Published on 09/02/2018
Document details: 178 pages. 2 downloads.
Published on 11/09/2018
Document details: 48 pages. 1 download.
Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business. If an organization's management -- including boards of directors, senior executives, and all managers -- does not establish and reinforce the business need for effective enterprise security, the organization's desired state of security will not be articulated, achieved, or sustained. To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at a governance level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance. This technical report examines governance thinking, principles, and approaches and applies them to the subject of enterprise security. Its primary intent is to increase awareness and understanding of the issues, opportunities, and possible approaches related to treating security as a governance concern. In addition, this report identifies resources for enterprise security that leaders can use both within their organizations and with their networked partners, suppliers, and customers.
Published on 05/28/2018
Document details: 80 pages. 4 downloads.
Security has become one of the most urgent issues for many organizations. It is an essential requirement for doing business in a globally networked economy and for achieving organizational goals and mission. But it is no small task. The technical and environmental complexity of today's organizations and the ever-increasing dependence on technology to drive and automate processes and create competitive advantages make security a challenging activity. Adding to this complexity is a growing list of vulnerabilities and increasingly sophisticated threats to which organizations are subjected on a daily basis. Organizations can no longer be effective in managing security from the technical sidelines. Security lives in an organizational and operational context, and thus cannot be managed effectively as a stand-alone discipline. Because security is a business problem, the organization must activate, coordinate, deploy, and direct many of its existing core competencies to work together to provide effective solutions. And to sustain success, security at an enterprise level requires that the organization move toward a security management process that is strategic, systematic, and repeatable; in other words, efficient at using security resources and effective at meeting security goals on a consistent basis. Managing for enterprise security defines a disciplined and structured means for realizing these objectives.
Published on 05/23/2018
Document details: 56 pages. 6 downloads.
The Air Force is developing a Distributed Information Enterprise Modeling and Simulation (DIEMS) framework under sponsorship of the High Performance Computer Modernization Office Common High Performance Computing Software Support Initiative (HPCMO/CHSSI). The DIEMS framework provides a design analysis environment for deployable distributed information management systems. DIEMS establishes the necessary analysis capability allowing developers to identify and mitigate programmatic risk early within the development cycle to allow successful deployment of the associated systems. The enterprise-modeling framework builds upon the Synchronous Parallel Environment for Emulation and Discrete-Event Simulation (SPEEDES) foundation. This simulation framework will utilize Challenge Problem class resources to address more than five million information objects and hundreds of thousands of clients comprising the future information based force structure. The simulation framework will be capable of assessing deployment aspects such as security, quality of service, and fault tolerance. SPEEDES provides an ideal foundation to support simulation of distributed information systems on a multiprocessor platform. SPEEDES allows the simulation builder to perform optimistic parallel processing on high performance computers, networks of workstations, or combinations of networked computers and HPC platforms.
Published on 05/21/2018
Document details: 45 pages. 2 downloads.