Assuring Trustworthiness via Structured Assurance Cases
utilizing assurance cases, as NASA [13, 14, 15], the FDA [16], NIST [17] and several EU projects [18, 19] have done.
The key idea is that an assurance case gathers all the required information about a system's characteristics, including the evidence that the system meets its trustworthiness claims, and organizes it for assessment across the item's life cycle. Now that there is a standard for exchanging assurance cases [3], the marketplace as a whole can compose assurance cases that build on others' work.
SUPPLY CHAIN AND SOFTWARE DEVELOPMENT ARTIFACTS
The other part of a market's life cycle is the supply chain, where, especially for software elements, there may be no visibility into where the software and its components came from or how they were built. Without that information you may incorporate software from sources that you, as the recipient, do not trust. One concept that should be part of your assurance is a software bill of materials, with the same intent and requirements as a hardware bill of materials. When an organization creates a hardware bill of materials (BOM), the listed components come from trusted sources that have been validated, through standard practices, for longevity, performance and environmental tolerance in the intended use. A software bill of materials (SBOM) should carry the same weight. For a system to be trustworthy, its components (software, firmware, etc.) should be validated on three points: their source, the responsibility of the providing party, and their vulnerability potential.
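As an added illustration (not code from this article), the following Python check applies those three criteria to an SBOM: is the supplier one we trust, does the artifact hash match the supplier's approved release manifest, and is the exact version on a known-vulnerable list. The SBOM is a minimal CycloneDX-style JSON document, and the trusted-supplier set, approved-hash manifest and vulnerable-version list are all constructed for the example; in a real pipeline the manifest would be a signed release manifest from the supplier and the vulnerability list would be looked up by package URL in a database such as NVD.

```python
"""Validate an SBOM against a trust policy: supplier, artifact hash, known vulnerabilities.

Added example, not part of the original article. Every input below is constructed.
"""
import json

# Constructed sample SBOM in CycloneDX JSON layout, trimmed to the fields this
# check reads (bomFormat, components[].name/version/purl/supplier/hashes).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libparse", "version": "2.3.1",
         "purl": "pkg:generic/libparse@2.3.1",
         "supplier": {"name": "Example Foundation"},
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "netutil", "version": "0.9.0",
         "purl": "pkg:generic/netutil@0.9.0",
         "supplier": {"name": "Example Foundation"},
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"type": "library", "name": "fastcrypt", "version": "1.0.0",
         "purl": "pkg:generic/fastcrypt@1.0.0",
         "hashes": [{"alg": "SHA-256", "content": "c" * 64}]},   # no supplier
        {"type": "library", "name": "zipper", "version": "3.1.0",
         "purl": "pkg:generic/zipper@3.1.0",
         "supplier": {"name": "Example Foundation"}},            # no hash
    ],
})

# Trust policy (all constructed for the example).
TRUSTED_SUPPLIERS = {"Example Foundation"}

# Expected SHA-256 per package URL; in practice this is the supplier's signed
# release manifest. netutil's entry deliberately differs from the SBOM.
APPROVED_HASHES = {
    "pkg:generic/libparse@2.3.1": "a" * 64,
    "pkg:generic/netutil@0.9.0": "f" * 64,
    "pkg:generic/zipper@3.1.0": "d" * 64,
}

# Versions with a known weakness; a real check queries a vulnerability
# database by purl instead of this constructed table.
KNOWN_VULNERABLE = {
    "pkg:generic/libparse@2.3.1": "constructed advisory: unsafe deserialization",
}


def component_id(comp):
    """Prefer the package URL; fall back to name@version when none is given."""
    return comp.get("purl") or f"{comp['name']}@{comp['version']}"


def check_component(comp):
    """Return the list of policy findings for one SBOM component (empty = clean)."""
    findings = []
    cid = component_id(comp)

    # 1. Source / responsible party: who stands behind this artifact?
    supplier = comp.get("supplier", {}).get("name")
    if supplier is None:
        findings.append("no supplier declared: provenance unknown")
    elif supplier not in TRUSTED_SUPPLIERS:
        findings.append(f"untrusted supplier: {supplier}")

    # 2. Integrity: does the shipped artifact match an approved release?
    sha256 = next((h["content"].lower() for h in comp.get("hashes", [])
                   if h.get("alg") == "SHA-256"), None)
    expected = APPROVED_HASHES.get(cid)
    if sha256 is None:
        findings.append("no SHA-256 hash: artifact cannot be tied to a release")
    elif expected is None:
        findings.append("artifact not in approved manifest")
    elif sha256 != expected:
        findings.append("SHA-256 mismatch against approved manifest")

    # 3. Vulnerability potential: is this exact version known to be weak?
    if cid in KNOWN_VULNERABLE:
        findings.append(f"known vulnerable: {KNOWN_VULNERABLE[cid]}")
    return findings


def validate_sbom(sbom_text):
    """Parse the SBOM and return {component_id: [findings]} for every component."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return {component_id(c): check_component(c) for c in sbom.get("components", [])}


def accept(report):
    """A build is accepted only when no component has any finding."""
    return not any(report.values())


if __name__ == "__main__":
    report = validate_sbom(SAMPLE_SBOM)
    for cid, findings in report.items():
        print(cid, "OK" if not findings else "; ".join(findings))
    print("ACCEPT" if accept(report) else "REJECT")
```

The check is deliberately strict: a missing supplier or a missing hash is a finding, not a pass, because an SBOM entry that cannot be tied to a responsible party or to a specific release gives no basis for trust.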
Software design is ongoing, from concept through deployment and maintenance. Software projects produce many artifacts early in the life cycle (e.g., CONOPS, design documents, control-flow descriptions) that can be examined to see whether you are on track to meet your security, safety, resilience, reliability and privacy goals.
13. National Aeronautics and Space Administration (NASA), "NASA System Safety Handbook, Volume 1, System Safety Framework and Concepts for Implementation," NASA/SP-2010-580, Version 1.0, November 2011, https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20120003291.pdf
14. National Aeronautics and Space Administration (NASA), "Understanding What It Means for Assurance Cases to 'Work'," NASA/CR-2017-219582, https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20170003806.pdf
15. National Aeronautics and Space Administration (NASA), "Dynamic Safety Cases for Through-life Safety Assurance – NASA," https://ti.arc.nasa.gov/publications/21593/download/
16. Food and Drug Administration (FDA), "Infusion Pump Improvement Initiative," https://www.fda.gov/medicaldevices/productsandmedicalprocedures/generalhospitaldevicesandsupplies/infusionpumps/ucm202501.htm
17. National Institute of Standards and Technology (NIST), "NIST SP 800-160 Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems," 21 March 2018, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1.pdf
18. CITADEL, Critical Infrastructure Protection Using Adaptive MILS, http://www.citadel-project.org/
19. Dependability Engineering Innovation for Cyber Physical Systems (CPS), http://www.deis-project.eu/
September 2018 - 52 -