[Federal Register Volume 71, Number 21 (Wednesday, February 1, 2006)]
[Notices]
[Pages 5351-5352]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E6-1346]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

[Docket No. DHS-2005-0057]


Software Assurance Program: Building Better Quality and More 
Secure Software

AGENCY: National Cyber Security Division, DHS.

ACTION: Notice of availability.

-----------------------------------------------------------------------

SUMMARY: The purpose of this notice is to inform the public and 
interested security partners that two draft documents are being 
released by the Department of Homeland Security (DHS) for comment prior 
to publication:
     Security in the Software Lifecycle--Intended to assist 
application software developers and project managers in defining a 
strategy to produce more secure software.
     Secure Software Assurance--Common Body of Knowledge--
Intended to assist college-level educators and private industry 
trainers in creating a curriculum for software assurance.

ADDRESSES: If you would like to review the draft Security in the 
Software Lifecycle and the draft Secure Software Assurance--Common Body 
of Knowledge you may access the documents and the comment forms through 
one of the following methods:
     Build Security In Web site: http://buildsecurityin.us-cert.gov; 
click on the ``Additional Resources'' tab. The documents are located in 
the ``Supplementary Department of Homeland Security Resources'' and 
``Software Assurance Common Body of Knowledge (CBK)'' sections.
     Mail self-addressed stamped envelope to: Joe Jarzombek, 
Director for Software Assurance, National Cyber Security Division, 
Department of Homeland Security, Washington, DC 20528 (Postage: $5.00 
for one document/$8.00 for both documents).
    If you wish to submit comments, they must be received by February 
21, 2006. A comment form is available on the Build Security In Web site 
(http://buildsecurityin.us-cert.gov) to facilitate detailed comments. 
Comments must be identified by DHS-2005-0057 and submitted by one of 
the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Refer to Docket DHS-2005-0057. Follow the instructions for submitting 
comments. Detailed comment forms can be uploaded.
     Mail: Joe Jarzombek, Director for Software Assurance, 
National Cyber Security Division, Department of Homeland Security, 
Washington, DC 20528.

FOR FURTHER INFORMATION CONTACT: DHS Software Assurance Program: Joe 
Jarzombek, Director for Software Assurance, National Cyber Security 
Division, Department of Homeland Security, Washington, DC 20528, 
703-235-5126 or [email protected].

SUPPLEMENTARY INFORMATION: In collaboration with other government 
agencies, academia, and private industry, DHS seeks to reduce software 
vulnerabilities, minimize exploitation, and address means to improve 
capabilities to routinely develop and deploy quality and trustworthy 
software. In furtherance of those goals, DHS established the Software 
Assurance Program.
    The DHS Software Assurance Program is grounded in the National 
Strategy to Secure Cyberspace issued by President Bush in February 
2003. DHS began the Software Assurance Program as a focal point to 
partner with the private sector, academia, and other government 
agencies in order to improve software development and acquisition 
processes. The Program seeks to reduce software vulnerabilities, 
minimize exploitation, and address means to improve capabilities to 
routinely develop and deploy quality and trustworthy software 
products--enabling more resilient assets within the critical 
infrastructure.
    DHS developed the following comprehensive approach to address 
software assurance in collaboration with industry, academia, and 
government partners:
     People--Focus on software developers (includes education 
and training) and users
     Process--Focus on developing sound practices and practical 
guidelines
     Technology--Focus on software evaluation tools and R&D 
requirements
     Acquisition--Focus on standards, specifications, 
acquisition language
    As part of the Software Assurance Program, DHS now seeks comments 
from the public and interested security partners on two draft documents 
now being released prior to formal publication:
     Security in the Software Lifecycle--Intended for 
application software developers and project managers who wish to 
increase their understanding of security and quality issues related to 
software and its production, and to improve their own practices in 
order to produce more secure and better quality application software. 
This document should provide enough information to assist the reader in 
defining a strategy for adapting or expanding existing processes and 
practices to produce more secure software that also achieves a higher 
degree of quality, reliability, and integrity.
     Secure Software Assurance--Common Body of Knowledge--
Primarily intended for college-level educators and private industry 
trainers to use as they create curricula for software assurance that 
draw upon multi-disciplinary elements of software engineering, 
information assurance, project management, systems engineering, safety 
and security, and acquisition. While some of these disciplines already 
have a body of knowledge, software assurance has not had a formal 
source from which educators can create a curriculum. This document is 
intended to fill that need.
    The information in these documents is not intended to represent a 
standard or policy mandate by DHS. On the contrary, the documents 
represent a collection of consensus-based, ``sound practices'' derived 
from across government, industry, and academia, both in the U.S. and 
abroad. As such, they should be seen primarily as tools for educating 
developers and software project managers.
    DHS will consider all timely and pertinent comments received prior 
to finalizing these documents.

    Dated: January 23, 2006.
Robert B. Stephan,
Assistant Secretary for Infrastructure Protection.
[FR Doc. E6-1346 Filed 1-31-06; 8:45 am]
BILLING CODE 4410-10-P