Leonel Garciga, chief information officer of the U.S. Army and a two-time Wash100 awardee, has signed and issued a memorandum detailing the Army’s software assurance policy for the military branch’s information systems in support of Army and Department of Defense DevSecOps initiatives and DOD’s Risk Management Framework, or RMF, process.
Software Assurance Requirements
The memo, published on Friday, requires all Army systems to have their software assurance requirements validated against the National Institute of Standards and Technology’s Special Publication 800-53 and reported through the RMF process when securing authorizations under the Assess and Authorize or Assess Only process.
All information system owners should use a certified DevSecOps platform to perform software assurance in accordance with the policy outlined in the memo.
Roles & Responsibilities of Army Officials
The Army chief information security officer should collaborate with the deputy chief of staff, G-6, to develop guidelines, procedures and baseline requirements acceptable for software assurance, the memo said.
The DCS, G-6, will advise the CIO in developing a software assurance policy; update and maintain applicable software assurance procedures; and develop and implement an Army-approved product list.
The document directs authorizing officials to factor software assurance risks into the overall authorization determination and to approve baseline requirements for tailoring security controls during software assurance.
According to the memo, information system owners should create or update the security plan as part of the system’s RMF package and use existing third-party assessment results to prevent unnecessary software reassessment.