IIC Journal of Innovation 9th Edition | Page 56

Assuring Trustworthiness via Structured Assurance Cases
utilizing assurance cases, as have NASA [13, 14, 15], the FDA [16], NIST [17] and projects under way in the EU [18, 19].
The key idea is that an assurance case gathers all the required information about a system's characteristics, including the evidence that its trustworthiness claims are met, and organizes it for assessment across the life cycle of the item. Now that there is a standard for exchanging assurance cases [3], we as a marketplace can compose assurance cases that build on others' work rather than starting from scratch.
SUPPLY CHAIN AND SOFTWARE DEVELOPMENT ARTIFACTS
The other part of the life cycle of a market is the supply chain, where, especially for software elements, there may be no visibility into the source of the software and its components or into how they were created. Without that information you may incorporate software from sources that you, as the recipient, do not trust. One concept that should be part of your assurance is a software bill of materials, with the same intent and requirements as a hardware bill of materials. When an organization creates a hardware bill of materials (BOM), the parts it lists come from trusted sources and have been validated through standard practices for longevity, performance and suitability for the operating environment of the intended use. A software bill of materials (SBOM) should carry the same weight. For the trustworthiness of a system, its components, software, firmware and so on should be validated for their source, for the accountability of the party providing them and for their vulnerability potential.
The design of software is ongoing, from concept through deployment and maintenance. In software design projects there are many artifacts (e.g., CONOPS, design documents, control flow diagrams) created early in the life cycle that can be examined to see whether you are on track to meet your goals for security, safety, resilience, reliability and privacy.
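As an added example (not code from the IIC article or from any project or standard it cites), the following Python script shows one way to give SBOM checks the weight the paragraph above asks for and to feed their results into a structured assurance case of the kind the previous section describes: each component is checked for an accountable supplier, for the integrity of its source against the SHA-256 hash the SBOM declares, and for known advisories, and each result becomes an evidence item under a claim in a small claim/evidence tree. The SBOM document (CycloneDX 1.4 field names, fictitious component names), the artifact bytes, the trusted-supplier list and the advisory table are all constructed for illustration; the assurance-case model is a minimal tree for this example, not an implementation of the exchange standard.

```python
"""Added example: validate a CycloneDX-style SBOM and attach the results as
evidence to a small structured assurance case. All data below is constructed;
the components, supplier and advisory id are fictitious."""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed stand-ins for the artifacts you actually downloaded.
ARTIFACTS = {
    "example-crypto@2.1.0": b"constructed artifact bytes for example-crypto 2.1.0",
    "example-parser@0.9.3": b"constructed artifact bytes for example-parser 0.9.3",
    "mystery-util@1.0.0": b"constructed artifact bytes for mystery-util 1.0.0",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed SBOM using CycloneDX 1.4 field names. Only the first component's
# declared hash matches its artifact; the second carries a wrong hash and a
# hypothetical advisory; the third names no supplier and declares no hash.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-crypto", "version": "2.1.0",
         "supplier": {"name": "Acme Software"},
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(ARTIFACTS["example-crypto@2.1.0"])}]},
        {"type": "library", "name": "example-parser", "version": "0.9.3",
         "supplier": {"name": "Acme Software"},
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"type": "library", "name": "mystery-util", "version": "1.0.0",
         "hashes": []},
    ],
})

# Constructed policy inputs: suppliers whose accountability we accept, and a
# hypothetical advisory table keyed by (name, version).
TRUSTED_SUPPLIERS = {"Acme Software"}
ADVISORIES = {("example-parser", "0.9.3"): "EXAMPLE-ADV-0001"}


def check_component(comp):
    """Return a list of (check name, passed, detail) for one SBOM component."""
    key = f"{comp['name']}@{comp['version']}"
    results = []
    # 1. Responsibility of the providing party: a named supplier we trust.
    supplier = comp.get("supplier", {}).get("name")
    results.append(("supplier", supplier in TRUSTED_SUPPLIERS,
                    f"{key}: supplier={supplier!r}"))
    # 2. Source integrity: declared SHA-256 matches the artifact we hold.
    declared = [h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"]
    actual = sha256_hex(ARTIFACTS[key]) if key in ARTIFACTS else None
    ok = bool(declared) and actual is not None and declared[0] == actual
    results.append(("integrity", ok, f"{key}: declared={declared[:1]} actual={actual}"))
    # 3. Vulnerability potential: no known advisory for this exact version.
    adv = ADVISORIES.get((comp["name"], comp["version"]))
    results.append(("vulnerability", adv is None, f"{key}: advisory={adv}"))
    return results


def check_sbom(sbom_json):
    """Run every check over every component; returns {component key: results}."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {f"{c['name']}@{c['version']}": check_component(c) for c in bom["components"]}


@dataclass
class Claim:
    """One node of a structured assurance case: a claim supported either by
    sub-claims or by evidence items (description, passed)."""
    text: str
    subclaims: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

    def supported(self):
        if not self.subclaims and not self.evidence:
            return False  # a leaf claim with nothing behind it is a gap
        return (all(c.supported() for c in self.subclaims)
                and all(passed for _, passed in self.evidence))

    def gaps(self):
        """Yield the unsupported claims and failed evidence that keep the case open."""
        if not self.subclaims and not self.evidence:
            yield f"no evidence: {self.text}"
        for desc, passed in self.evidence:
            if not passed:
                yield f"failed evidence: {desc}"
        for c in self.subclaims:
            yield from c.gaps()


def build_supply_chain_case(sbom_json):
    """Turn SBOM check results into an assurance case for the top-level claim."""
    top = Claim("All third-party software components come from trusted, accountable "
                "sources, are unmodified, and have no known vulnerabilities")
    for key, checks in check_sbom(sbom_json).items():
        top.subclaims.append(Claim(f"Component {key} is trustworthy",
                                   evidence=[(detail, ok) for _, ok, detail in checks]))
    # A claim the SBOM alone cannot support stays open until evidence is added.
    top.subclaims.append(Claim("The build pipeline that produced the SBOM is attested"))
    return top


if __name__ == "__main__":
    case = build_supply_chain_case(SAMPLE_SBOM)
    print("supported:", case.supported())
    for gap in case.gaps():
        print(" -", gap)
```

Run stand-alone, the script reports the case as not supported and lists each gap: the tampered hash and the advisory on the second component, the missing supplier and hash on the third, and the build-pipeline claim that has no evidence yet. That last item is the point of structuring the argument this way: the case makes visible which claims still lack evidence, rather than letting an SBOM pass simply because it parses.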
13. National Aeronautics and Space Administration (NASA), "NASA System Safety Handbook, Volume 1, System Safety Framework and Concepts for Implementation," NASA/SP-2010-580, Version 1.0, November 2011, https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20120003291.pdf
14. National Aeronautics and Space Administration (NASA), "Understanding What It Means for Assurance Cases to 'Work'," NASA/CR-2017-219582, https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20170003806.pdf
15. National Aeronautics and Space Administration (NASA), "Dynamic Safety Cases for Through-life Safety Assurance," https://ti.arc.nasa.gov/publications/21593/download/
16. Food and Drug Administration (FDA), "Infusion Pump Improvement Initiative," https://www.fda.gov/medicaldevices/productsandmedicalprocedures/generalhospitaldevicesandsupplies/infusionpumps/ucm202501.htm
17. National Institute of Standards and Technology (NIST), "NIST SP 800-160 Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems," 21 March 2018, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1.pdf
18. CITADEL, Critical Infrastructure Protection Using Adaptive MILS, http://www.citadel-project.org/
19. Dependability Engineering Innovation for Cyber Physical Systems (CPS), http://www.deis-project.eu/
September 2018 - 52 -