Please use this identifier to cite or link to this item: https://dair.nps.edu/handle/123456789/5432
Title: An Assurance Educated Workforce Is Critical to Addressing Software and Supply Chain Acquisition Lifecycle Risks
Authors: Carol Woody
Keywords: software; supply chain risk management; acquisition lifecycle; cybersecurity; workforce education
Issue Date: 13-May-2025
Publisher: Acquisition Research Program
Citation: APA
Series/Report no.: Acquisition Management;SYM-AM-25-421
Abstract: Today’s systems are software-intensive and complex, with a growing reliance on third-party technology. Through reuse, systems can be assembled faster with less development cost. Traditionally, systems were hardware-based, and operational risks were primarily linked to reliability. Now systems are largely software-based, which does not wear out like hardware, and the critical risks are different. All software contains vulnerabilities that are hard enough to manage directly. Inheritance through the supply chain increases the management challenges and magnifies the risk of a potential compromise. Attacks on the software supply chain are increasingly frequent and devastating. Software risk management capabilities are brought in too late, if at all, to identify and address software risks that can appear throughout the lifecycle. Extensive compliance rules have been put in place for federal acquisitions to address software and supply chain risk, but there is a noticeable gap in the current acquisition and engineering workforce’s knowledge and skills needed to address the rules effectively. Expanding the knowledge of decision-makers and participants in system acquisition, engineering, and integration is a critical activity that is necessary to address the growing software risk.
Description: SYM Paper
URI: https://dair.nps.edu/handle/123456789/5432
Appears in Collections: Annual Acquisition Research Symposium Proceedings & Presentations

Files in This Item:
File: SYM-AM-25-421.pdf
Description: SYM Paper
Size: 589.96 kB
Format: Adobe PDF