SPAA: Software Priority Assurance Assessment
Small Business Information
2020 Kraft Drive, Suite 1000, Blacksburg, VA, -
AbstractHarmonia proposes to create"SPAA: Software Priority Assurance Assessment"which is designed to automate software assurance assessment. The final tool will allow for risk assessment of commercial software through a formal risk acceptance approval process enabling the software to be officially installed and integrated on various weapon system platforms. Our objective is to create a tool through which an individual called the Agent of the Certifying Authority can perform rapid risk assessment of non-Air Force funded software to (a) prioritize which software requires deeper inspection and (b) document evidence that the software should be approved for use in the certification and accreditation (C & A) process. The assessment should produce a report that ranks or prioritizes for each software code the risk of using it. The risk level can then be used to decide which codes to pursue through the certification and accreditation (C & A) process. The Agent of the Certifying Authority (ACA) will prepare the case for codes to be approved for use in the weapon program; the documentation prepared goes to the Certifying Authority (CA). Once certified, each time the code is installed in a new environment it must be accredited by the Designated Accrediting Authority (DAA). BENEFIT: The completed tool will provide a way to quickly and with limited resources do an initial assessment of the risk in using certain non-Air Force developed software codes for weapon systems. This reduces the work for C & A through prioritizing risk and generating the evidence in documentation required for the CA and DAA. We estimate that SPAA can save 54% to 72% of the time required for analysis and documentation by the ACA, based on automating 60% to 80% of the work with a labor reduction of 90% for the portion that is automatable. Manual use of multiple code analysis is difficult to reproduce in a C & A setting, because processes can be documented in spreadsheets that are detail laden and there are many compiler switches and variables in analysis tools where one small change produces a big change in the output.
* information listed above is at the time of submission.