SBIR/STTR Award attributes
Air Force Materiel Command AFNWC/NXW is embracing next-generation agile technology frameworks that contain large amounts of open-source components. These open-source components provide significant benefits in terms of cost, performance, and functionality but have an "Achilles' heel" in that they are not innately secure. The purpose of this proposal is to provide tools that dramatically improve the security of these agile frameworks by ~60% to ~80%, depending on which programming language is utilized. Specifically, this proposal is to develop unique features to enable increased control, visibility, standardization, and compliance for GBSD's software supply chain, supporting the Air Force Nuclear Weapons Center Technology Focus Area of Supply Chain Risk Management (SCRM) and Software Bill of Materials (SBOM) initiatives.

The proposal is to enable:
- Unused code to be removed from software containers, resulting in more secure containers.
- The remaining code to be scanned using a binary scanner (for C, C++) that provides unique insights.
- The remaining code to be dynamically tracked for changes in vulnerability profiles and analyzed for component change and standardization.
- Improved SBOM compliance through smaller, more accurate SBOMs that provide actionable insights.
- Improved SBOM compliance through the development of an SBOM Maturity Model.

Air Force Materiel Command AFNWC/NXW GBSD has a national defense-related mission need in the area of reducing software attack surface, improving binary scanning, improving vulnerability tracking, and expanding SBOM compliance. Scanning/SBOM demand has been driven by recent Presidential Executive Orders and by compliance requirements published by FedRAMP, DISA, NSA and CISA, to name but a few. The result is that ALL Federal agencies AND the vendors that supply them must use SBOMs. SBOM compliance is the number one identified cloud security need, with vulnerability scanning being the second. These are the central topics of this proposal.
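The following is an added illustration of two of the enablers above (pruning an SBOM to the components that survive container debloating, and tracking component change between builds); it is not code from the proposal, from RapidFort, or from AFNWC. The SBOM documents are simplified CycloneDX-style dictionaries constructed for the example, the package names and versions are illustrative, and the OBSERVED_IN_USE set stands in for whatever the debloating step reports as still present in the image.

```python
"""Prune an SBOM to the components that remain after container debloating, then
diff it against the previous build to find the components whose vulnerability
profile must be re-evaluated.

Added example, not project code. SBOM shape is a simplified CycloneDX-like
dict; all component data below is constructed for illustration.
"""
import json
from dataclasses import dataclass

# Constructed sample SBOMs for two consecutive builds of the same image.
PREVIOUS_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "openssl", "version": "1.1.1k", "purl": "pkg:deb/debian/openssl@1.1.1k"},
        {"name": "curl", "version": "7.74.0", "purl": "pkg:deb/debian/curl@7.74.0"},
        {"name": "perl", "version": "5.32.1", "purl": "pkg:deb/debian/perl@5.32.1"},
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:deb/debian/zlib@1.2.11"},
    ],
}
CURRENT_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "openssl", "version": "1.1.1n", "purl": "pkg:deb/debian/openssl@1.1.1n"},
        {"name": "curl", "version": "7.74.0", "purl": "pkg:deb/debian/curl@7.74.0"},
        {"name": "perl", "version": "5.32.1", "purl": "pkg:deb/debian/perl@5.32.1"},
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:deb/debian/zlib@1.2.11"},
        {"name": "libxml2", "version": "2.9.10", "purl": "pkg:deb/debian/libxml2@2.9.10"},
    ],
}
# Constructed: components the debloating step observed as actually used by the
# workload. Everything else is removed from the container and its SBOM.
OBSERVED_IN_USE = {"openssl", "curl", "zlib"}


def prune_sbom(sbom, observed):
    """Return a copy of the SBOM keeping only components still present in the
    debloated image. Unused components are no longer part of the attack surface,
    so their (possibly vulnerable) versions should not generate findings."""
    pruned = dict(sbom)
    pruned["components"] = [c for c in sbom["components"] if c["name"] in observed]
    return pruned


@dataclass(frozen=True)
class ComponentDiff:
    added: frozenset
    removed: frozenset
    version_changed: dict  # name -> (old_version, new_version)


def diff_components(old_sbom, new_sbom):
    """Compare two SBOMs by component name and version."""
    old = {c["name"]: c["version"] for c in old_sbom["components"]}
    new = {c["name"]: c["version"] for c in new_sbom["components"]}
    added = frozenset(new) - frozenset(old)
    removed = frozenset(old) - frozenset(new)
    changed = {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]}
    return ComponentDiff(added, removed, changed)


def components_to_recheck(diff):
    """Components whose vulnerability profile changed: anything new or at a new
    version. Removed components drop out of tracking entirely."""
    return sorted(diff.added | set(diff.version_changed))


if __name__ == "__main__":
    prev = prune_sbom(PREVIOUS_SBOM, OBSERVED_IN_USE)
    cur = prune_sbom(CURRENT_SBOM, OBSERVED_IN_USE)
    print(json.dumps(cur, indent=2))
    d = diff_components(prev, cur)
    print("added:", sorted(d.added), "removed:", sorted(d.removed))
    print("version changed:", d.version_changed)
    print("re-check:", components_to_recheck(d))
```

Run unpruned, the diff flags both the new libxml2 package and the openssl upgrade; run on the pruned SBOMs, only openssl remains to re-check, because libxml2 and perl are not in the debloated image. That difference is the "actionable insight" a smaller, accurate SBOM buys: fewer findings, all of them about code that actually ships.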
Currently, only 48% of industry use SBOMs, but 88% will use them by end of 2022. Clearly, there is massive industry demand for this technology generally, in addition to the mandated Federal need. While there are many SCA scanners in the marketplace, only one scanner can perform binary analysis, a key aspect of this proposal. RapidFort is in discussions with the provider of the scanner to offer its functionality through an OEM relationship. The output of this proposal will be a military-grade, best-in-industry tool, certified for use across the DoD, that will be made available at very low cost to anybody in the DoD. We believe technology development under this effort will directly contribute to future mission need fulfillment. The mission impact of this project on the DAF and DoD will be to significantly reduce software supply chain risk while delivering secure software using agile frameworks and open-source technologies, which are a cornerstone of the DAF software architecture mandate.