A recent article in National Defense Magazine highlighted the ever-increasing need for cyber security. (See http://www.nationaldefensemagazine.org/articles/2016/12/12/pentagon-paying-more-to-be-hacked) When working on a software estimate for a program office here at Wright-Patterson AFB, I was asked, “How do you handle cyber security requirements?” My response was, “What does that mean for your program? How are the requirements different?” There was no good answer. We may be required to incorporate cyber security requirements into a new software project, but there is little concrete guidance on what that actually means.

We can probably assume that a project with robust specifications for combating cyber security threats costs more than a project without such specifications, and that it takes longer to design, code, and test. As estimators, however, we should understand exactly which activities in the project are affected and by how much. We should seek out directives, policies, and other guidance that describe the additional steps required to have “cyber security.” This post is the first in a series that will walk through some of the sources of cyber security guidance available to the estimator, and will tackle how these requirements can be modeled in TruePlanning.

First, let’s address requirements. The National Institute of Standards and Technology (NIST) has revised and released an updated version of NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” available for download at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf. Chapter 3 of this document states the security requirements, grouped into 14 families, that nonfederal entities such as contractors must satisfy when protecting Controlled Unclassified Information (CUI) in their own systems. The document labels each requirement as either basic (drawn from FIPS 200) or derived (drawn from NIST SP 800-53); some map directly to software security features, while others address organizational processes and the operating environment.

If you look through the cyber security requirements, it isn’t difficult to translate many of them into separate functionalities of the software; the access control and audit and accountability families, for example, become authentication, authorization, and logging features. When we pick up this topic again, we’ll focus on a few of the requirements, discuss how to account for that functionality in TruePlanning, and address industry standards for software security.