Visibility & Control: Addressing Supply Chain Challenges to Trustworthy Software-Enabled Things

Robert A. Martin Sr. Secure Software & Technology Prin. Eng. Trust & Assurance Cyber Technologies Dept. Cyber Solutions Technical Center

IIC Forum | Long Beach, CA

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Everything is Becoming Software-Enabled and Connected, Either through Task Dependency, Supply Chain, or Information Flow

Today Your System is: • attackable or • susceptible to a hazard…

We need to be assured When this Other System that not only are our own gets subverted through: systems trustworthy but • an un-patched vulnerability; • a mis-configuration; also everything we • an application weakness; depend upon… • a counterfeit item; • tainted software or hardware; or • the system’s susceptibility to a hazard…

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 How is Software-Enabled and Connected (aka Cyber) Becoming so Pervasive? Context: 1976 Chevy Vega

The only software was behind the wheel – no microelectronics.

Electric throttle valve control

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Control/Communication Transitioned from Point-to-Point Wiring to Network-based

Air Anti- Con- Engine Lock dition Control Lighting Power Brakes Locks

Dash- board

Airbag Trans- Active Power Power mission Suspen- Seats Control sion Win- Air dows Anti- Con- Engine Lock dition Control Lighting Power Brakes CAN Locks CAN CAN CAN Connected Software and HW CAN (microelectronics) High Speed CAN Dash- Low Speed

board CAN CAN CAN CAN CAN Power Airbag Trans- Active CAN Seats mission Suspen- Power Control sion Win- dows © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Critical Functions Are Migrating into Connected SW/HW

Anti-Lock Brakes Transmission Control Lighting Air Conditioning Power Locks Airbag Power Seats Power Windows

Smart Catalytic Converter

Beam Shaping Headlights

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 The Connectivity and Complexity of Connected Software-Enabled Systems is Still Expanding

Driverless Cars, ADAS, V2V, V2I, Safety

Medical Buildings Aeronautics Manufacturing

Energy Shipping

Vehicles

Water Treatment Status & Health Monitoring Oil & Gas

Hydro Power & Dam Mngt Smart Munitions

Remote Management

Safe Behavior MIND THE GAP

Resilient Behavior Privacy Expectations

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Pervasiveness of connected SW & SW-enabled capabilities requires supply chain security skills / new awareness of SW risks IT Risk Operational Risk

Loss of data or capability Loss of safety or reliability Loss of property or lives

Scratch Built Software Assembled Software

Majority of products built with Use of open source and 3rd party libraries, no 3rd Party dependencies modules, frameworks, and services Multi-party software updating/patching Traditional Computers Software Enabled Everything

Servers databases Healthcare Implantable Medical Smart Munitions Desktops office apps Aeronautics Smart Manufacturing Intelligent Vehicles Laptops e-mail Smart Energy Water Treatment Intelligent Shipping Tablets browsers Oil & Gas Hydro Power Dam Management Switches Routers Microgrids Smart Cities Building Management Autonomous Systems

Tracking details for SW & HW components Services • SW & HW Part numbers/names • SW & HW versions • Libraries & Frameworks Used • Tool Chain Used/Flags/Options Applications • Languages & versions used

Source Code Operating System

Libraries & Firmware Frameworks

Compilers MicroElectronics

Language Specifications

Tier 4 Manufacturer/ ? Supplier ? ? ? ? Tier 2 Manufacturer/ Tier 3 Manufacturer/ Tier 4 Manufacturer/ ? Customer Supplier Supplier Supplier ? Tier 3 Manufacturer/ Supplier Contractor ? Tier 2 Manufacturer/ ? Integrating Supplier Manufacturer/ US ? Supplier Tier 3 Manufacturer/ Global ? Supplier

Tier 2 Manufacturer/ Tier 2 Manufacturer/ Foreign Supplier Supplier

Off-shore Foreign Supplier Location Software COTS US Foreign Developers

Supplier Reuse Acquire

Develop Outsource In-house ? ? ? ? ? © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Market Transparency through “Software Bill of Materials” • Third party components are a known systemic risk. • Transparency can drive tools and behavior to document risk, support mitigations, and drive better SW development practices. • NTIA at Commerce launched an open, community-driven, cross- sector “multistakeholder process” to promote software component transparency. • Understand the problem and define basics of SBOM • Develop use cases across sectors on how such data can be used, today and in the future. • Guidance on how to use existing standards to implement SBOM • Software ID tags (SWID) • Software Package Data Exchange (SPDX) • First phase deliverable mid-November 2019 • More info or to join: [email protected]

• Water • Agriculture and Food • Public Health • Energy • Telecommunications • Transportation • Banking and Finance • Chemical Industry • Key Assets • Postal and Shipping

End Users in Industry, Government, and Commerce

• Medical Devices • Merchandise • Automobiles • Trains • Vessels/Boats • Building Mngt Sys • Software

Product & Service Suppliers

INTEGRATED DEVELOPMENT CLOUD TOOLS ENVIRONMENTS (IDES) Tool-to-Tool FRAMEWORKS BUILD CHOREOGRAPHY SOURCE CODE & SBOM Exchange PACKAGE Standard effort REPOSITORIES SOFTWARE COMPOSITION ANALYSIS Tools & Capabilities for Software

Vulnerability Information

Licensing Package Repos Information (Public & Private)

Test

Source Code Repos (Public & Private) Operations

Build choreography Software Composition Analysis Capabilities Developer “Desktops”

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 SW Development, Integration, and Management Tools Source Code & Package Repositories Amazon ECR, Assembla, Azure Container Registry, Beanstalk, Bitbucket, Codebase, Docker, GitHub, GitLab, Glitch, Google Container Registry, JFrog Artifactory, JFrog Xray, inedo, Kubernetes, Launchpad, Maven, Nexus (Sonatype), Phabricator, ProjectLocker, Repository Hosting, Savannah, SourceForge, SourceRepo, Subversion, and Unfuddle

Build & Build Choreography Capabilities Ansible, Autorabit, Bamboo, Bitrise, Buildkite, Buildroot, CircleCI, CMake, CruiseControl, Final builder, GCC, Gitlab CI, GoCD, Integrity, Jenkins, Strider CD, TeamCity, Terraform, Travis CI, Urbancode, and Vagrant

Developer Desktops (Embedded, Web, Cloud, Desktops/Servers) IDEs: Android Studio, AppCode, Atom, BlueJ, CLion, Cloud9 IDE, Code Blocks, CodeCharge Studio, CodeLobster, CodePen, DataGrip, Eclipse, GoLand, IDLE, IntelliJ IDEA, LINX, Microsoft Visual Studio, Software Composition Analysis: MPLAB, NetBeans, PhpStorm, Pycharm, Rider, RubyMine, Spiralogics Application Architecture, Black Duck Software Composition Analysis (Synopsys), WebStorm, Xcode, and Zend Studio CAST Highlight (CAST Software), Finate State, FlexNet Frameworks: .NET, Angular, Ansible, Apache Spark, ASP.NET, Bootstrap, Chef, Cordova, CryEngine, Code Insite (Flexera), Ion Channel, Insignary, Django, Drupal, Express, Flask, Flutter, Hadoop, HTML5 Builder, Laravel, Node.js, Pandas, Puppet, SourceClear, Sonatype, Snyk, and WhiteSource React Native, React.js, Ruby on Rails, Spring, TensorFlow, Torch/PyTorch, Unity D, Unreal Engine, Visual Online, Vue.js, and Xamarin Cloud Tools: Azure, AWS CodeBuild, Cloud Foundry, Google Cloud Build, Kwatee, Pivotal, and Red Hat

Refer, Transfer or Purchase Proper and Legal (definition of what it is) (conditions about its use) Pedigree Known Sw Vulns (history of how it was produced) (known fixes are applied to it) Provenance Assurance (chain of custody of it) (safe-secure-resilient) Integrity SBoM of a SW Service (cryptographic basis of unalteredness) (SBoM of sw delivering service) Supply Chain Sequence Integrity

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usage Scenarios and Tool-to-Tool SBOM candidate elements Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp 2 (history of how it was produced) •------Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp None 2 (history of how it was produced) •------Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 SBoM elements Usages Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp None 2 (history of how it was produced) •------Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity

Pedigree •------SBoM Time-Stamp None 2 (history of how it was produced) •------Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp 2 (history of how it was produced) •------Vulnerability Knowledge Bases Supplier Vulnerability Management Systems Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp 2 (history of how it was produced) •------Notes on exploitability of vulns Supplier Vulnerability Knowledge Bases Provenance •------Weakness Knowledge Bases 3 (chain of custody of it) Components •------(sources, executables, patches) Assessment Results Integrity •------Design Review 4 (cryptographic basis of unalteredness) •------Version Code Review Attack Surface Analysis Intellectual Property •------Notes Constraints Static Analysis 5 •------Licenses

SBoM Hash/Signature SBoM Dynamic Analysis Known SW Vulns Created Using Fuzz Testing 6 (known fixes are applied to it) Pen Testing Created By Assurance Blue Teaming Red Teaming 7 (secure-safe-resilient) Item Hash/Signature Organized as an Assurance Case SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp 2 (history of how it was produced) •------Logging SBOMs of Services Used Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp Desired sequence of ordered software 2 (history of how it was produced) •------supply chain steps, and requirements for Supplier Provenance •------each step for a specific project of interest 3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity

Microsoft Visual Studio Jenkins

NetBeans GitHub

CycloneDX

• Socialize at Mar19 OMG meeting • Draft SBoM as a Whitepaper in 3-day CISQ SBoM working session at Sep OMG meeting • Prototype draft format in tool ecosystem, revise and draft RFC based on prototype results • Co-submit draft RFC w/CISQ to OMG at Dec19 or Mar20 meeting • Mar20/Jun20 OMG meeting – charter FTF • Jun20/Sep20 OMG meeting - approve as OMG Standard • Sep20/Dec20 Fast Track to ISO

Software Tools

Software Software Tools Tools Software Software Software Tools Tools Tools

Multiple Software Bill of Marketplaces Materials (SBoM) ENTERPRISE MEDICAL FINANCIAL SOFTWARE INDUSTRY RETAIL MINING … ENERGY

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Exploitable Weaknesses, Vulnerabilities & Exposures • Weakness: mistake or flaw condition in ICT architecture, design, code, or process that, if left unaddressed, could under the proper conditions contribute to a cyber-enabled capability being 2005 vulnerable to exploitation; represents potential WEAKNESSES source vectors for zero-day exploits -- Common 2012 Weakness Enumeration (CWE) VULNERABILITIES Uncharacterized https://cwe.mitre.org/ Weaknesses CVEs Unreported or • Vulnerability: mistake in software that can be 1999 undiscovered directly used by a hacker to gain access to a (reported, CWEs publicly Vulnerabilities (characterized, system or network; configuration known Exposure: Zero-Day Vulnerabilities discoverable, vulnerabilities possibly exploitable issue of a mistake in logic that allows (previously unmitigated unauthorized access or exploitation – Common and weaknesses with 2002 exposures) weaknesses that are mitigations) Vulnerability and Exposure (CVE) exploited with little https://cve.mitre.org/ or no warning) • Exploit: take advantage of a weakness (or 2005 multiple weaknesses) to achieve a negative technical impact -- attack approaches from the set of known exploits are used in the Common Attack Pattern Enumeration and Classification (CAPEC) https://capec.mitre.org

The existence (even if only theoretical) of an exploit designed to take advantage of a weakness (or multiple weaknesses) and achieve a negative technical impact is what makes a weakness a vulnerability. © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Assurance needs to address the Hazards & Attacks that can impact SW-Based Mission Functions Known Hazard/Attack Weaknesses Counter Technical Mission/Business Threats Activation (CWEs) Measures Impacts to Impacts & Hazards Patterns - Actions* Mission (CAPECs) Capabilities

Hazard Weakness Item Impact /Attack

Asset

Hazard Weakness Item /Attack Impact

Function System & Hazard/ System Security Attack Weakness Engineering Impact Trades Asset

Weakness Item

“Counter Measures - Actions” include: choices about architecture, design, physical decomposition, and operational approaches; adding/changing security/safety functions, protection schemes, activities & processes; use of static & dynamic code assessments, dynamic testing, physical testing, and pen testing; attack surface & fault-tree analysis, architecture and design reviews

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Assurance needs to address the Hazards & Attacks that can impact SW-Based Mission Functions Known Hazard/Attack Weaknesses Counter Technical Mission/Business Threats Activation (CWEs) Measures Impacts to Impacts & Hazards Patterns - Actions* Mission (CAPECs) Capabilities

Hazard Weakness Item Impact /Attack

Asset

Hazard Weakness Item /Attack Impact

Function System & Hazard/ System Security Attack Weakness Engineering Impact Trades Asset

Weakness Item Most “Counter Measures - Actions” include: Important choices about architecture, design, physical decomposition, and operational approaches; ? Weakness adding/changing security/safety functions, protection schemes, activities & processes; use of static & dynamic code assessments, dynamic testing, physical testing, and pen testing; attack surface & fault-tree analysis, architecture and design reviews

Environment of System Pen Testing

Use of Mission Software Blue Teaming

Red Teaming © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Multiple Sources of Assurance Evidence from Throughout the Lifecycle of the item(s) needing Assurance. CONOPS evaluation

Red Teaming Attack Surface Analysis

Blue Teaming Architecture Analysis Evidence

Penetration Testing Design Analysis/Review

Dynamic Runtime Analysis Static Analysis

Malformed Input Testing (Fuzzing)

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Different Perspectives on Assurance of Trust Insurer How do I Operator underwrite? • How do I use this? • Can I trust it? • Am I responsible if it makes a mistake? Researcher What technology is needed to ensure trust? Commander/ Manager • Can I reliably use in operations? • What changes operationally? Creator • How should I design and build? Regulator • Will I be liable for problems? Is it safe? Acquirer • How do I express Community requirements? Patron • Do I want this in my • Will it work they way • Is it safe? it should? backyard? • Should I use it? • Can I count on it? • Can I count on it?

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Financial Health Reputation Basis of Trust Ownership Agreements Partners Facilities Security Leadership Cyber Security Personnel Software Assurance Training Hardware Assurance History External Influences Shipping Container Firmware/Bitstream Financial Stability Pallet Software Quality Maliciousness Box Software Composition Device Software Pedigree Organizational Security Hygiene Boards Software Provenance Quality Culture Counterfeit Chips (FPGA/ASIC) Updates Malicious Taint Suppliers

Physical Access/Touch Remote/Virtual Access/Touch Facilities Security Reputation Cyber Security History Software Assurance Ownership Hardware Assurance Personnel Training

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Need Standards to Drive Consistency in Discussing and Conveying Assurance due to the Sector-2-Sector linkages

Solar

Nuclear Electricity Generation Hydro

Wind Energy Rejected Residential Geothermal

Natural Gas Commercial Energy Services

Coal Industrial

Biomass

Transportation Petroleum

Verification & Evidence Related standards: While Assurance does not provide Validation ISO/IEC 15026; additional security services or SACM, GSN/CAE Engineering safeguards, it does serve to reduce Evidence the uncertainty associated with Process vulnerabilities resulting from Architecture Assurance – Bad practices Evidence Assessment Argument – Incorrect & inefficient safeguards

Implementation Evidence The result of System Assurance is Assessment justified confidence delivered in Assurance the form of an Assurance Case Other Areas Evidence Case

TYPES OF EVIDENCE FOR AN ASSURANCE CASE Confidence demands objectivity, scientific method and cost-effectiveness

• Claims are assertions put forward for general acceptance

• The justification for claim based is on some grounds, the Stephen Toulmin, 1958 “specific facts about a precise situation that clarify and make good for a claim” • The basis of the reasoning from the grounds (the facts) to the Backing claim is articulated. • Toulmin coined the term “warrant” for “substantial argument”. • These are statements indicating the general ways of argument being applied in a particular case and implicitly relied on and Warrant whose trustworthiness is well established”. (probably) • The basis of the warrant might be questioned, so “backing” for the warrant may be introduced. grounds Backing might be the validation of the scientific and Modality claim engineering laws used.

Assumptions & Preconditions Claim = Claim assertion to be proven Sub-Claim Sub-Claim

Argument = Argument Argument how evidence supports claim

Evidence = Evidence Evidence required documentation

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 The Assurance Case Medical Space Aeronautics Rail Automotive Shipping Autonomous Critical Infrastructure Cyber Physical Systems…

Dependability Engineering Innovation for Cyber Physical Systems

ISO/IEC 15026-2 Assurance Case OMG Structured Assurance Case Metamodel (SACM)

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 https://www.ida.org/-/media/feature/publications/a/as/a-sample-security-assurance-case-pattern/p-9278.ashx © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Tornado Operational Safety Case

Apportionment of Ownership: White = Generic, Green = Air Command, Orange = DE&S, Red = Contractors © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 The Assurance Case for a System Builder using Assured Components

Exchange and Composition of Assurance Cases between tools and programs

Assurance Case

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Questions? IIC Journal of Innovation – September 2018 issue on Trustworthiness https://www.iiconsortium.org/journal-of-innovation.htm “Assuring Trustworthiness in an Open Global Market of IIoT Systems via Structured Assurance Cases” https://www.iiconsortium.org/news/joi-articles/2018-Sept-JoI_Assuring_Trustworthiness-FINAL2.pdf