DARPA is aiming to develop a process for continuous software certification and mission risk evaluation that can reduce impediments to developing and fielding new warfighting capabilities in a timely manner.
Modern military systems increasingly rely on software to support functionality, new capabilities, and beyond. Before a new section of software can be deployed within a system, however, its functional safety and compliance with certain cybersecurity standards must be verified and ultimately receive certification. As the rapid rate of software usage continues to grow, it is becoming exceedingly difficult to assure that all software considered for military use is coded correctly and then tested, verified, and documented appropriately, DARPA said in a release.
“Software requires a certain level of certification – or approval that it will work as intended with minimal risks – before receiving approval for use within military systems and platforms,” said Dr. Ray Richards, a program manager in DARPA’s Information Innovation Office (I2O). “However, the effort required to certify software is an impediment to expeditiously developing and fielding new capabilities within the defense community.”
Today, the software certification process is largely manual and relies on human evaluators combing through masses of documentation, or assurance evidence, to determine whether the software meets certain certification criteria. The process is time consuming, costly, and can result in superficial or incomplete evaluations as reviewers bring their own sets of expertise, experiences, and biases to the process.
A lack of an ethical means of decomposing evaluations makes it difficult to create a balanced and trustworthy process that applies equally to all software, DARPA said. Further, each subsystem and component must be evaluated independently and re-evaluated before it can be used in a new system. “Just because a subsystem is certified for one system or platform does not mean it is unilaterally certified for all,” Richards explained. This creates additional time delays and review cycles.
To help accelerate and scale the software certification process, DARPA developed the Automated Rapid Certification Of Software (ARCOS) program. The goal of ARCOS is to create tools and a process that would allow for the automated assessment of software evidence and provide an understandable justification for a software’s level of assurance. Taking advantage of recent advances in model-based design technology, “Big Code” analytics, mathematically rigorous analysis and verification, as well as assurance case languages, ARCOS seeks to develop a capability to automatically evaluate software assurance evidence to enable certifiers to rapidly determine that system risk is acceptable.
“This approach to reengineering the software certification process is well timed as it aligns with the DoD Digital Engineering Strategy, which details how the department is looking to move away from document-based engineering processes and towards design models that are to be the authoritative source of truth for systems,” said Richards.
To create a much-needed automated capability, ARCOS will explore techniques for automating the evidence generation process for new and legacy software; create a means of curating evidence while maintaining its provenance; and develop technologies for the automated construction of assurance cases, as well as technologies that can validate and assess the confidence of an assurance case argument. The evidence generation, curation, and assessment technologies will form the ARCOS tools and processes, working collectively to provide a scalable means of accelerating the pathway to certification, DARPA explained.
Throughout the program’s expected three phases, evaluations and assessments will occur to gauge how the research is progressing. ARCOS researchers will tackle progressively more challenging sets of software systems and associated artifacts. The envisioned evaluation progression will move from a single software module to a set of interacting modules and finally to a realistic military software system.
Interested proposers will have an opportunity to learn more during a Proposers Day on May 14, 2019, from 8:30AM to 3:30PM (EST) at the DARPA Conference Center, located at 675 N. Randolph Street, Arlington, Virginia, 22203. The purpose of the Proposers Day is to outline the ARCOS technical goals and challenges, and to promote an understanding of the BAA proposal requirements.
Additional information will be available in the forthcoming Broad Agency Announcement, which will be posted to www.fbo.gov.