Director for Software Assurance,
National Cyber Security Division,
Department of Homeland Security

Serves as Director for Software Assurance in the Policy and Strategic Initiatives Branch of the National Cyber Security Division (NCSD) within the Department of Homeland Security (DHS) to provide the focal point on software integrity issues.

• Leads collaboration efforts in analyzing software lifecycle components including people, processes, and technology and identifies areas for software quality and security improvement with a focus on development, acquisition, and support.
• Guides DHS initiatives in analyzing and resolving software challenges; supports evolution of policy and guidance on software assurance, including assessment of federal policies, procedures and evaluation schemes, such as the National Information Assurance Partnership (NIAP).
• Functions as DHS coordinator for software quality and acquisition initiatives; working with other federal agencies, state agencies, and international allies to focus on identifying and specifying organizational software-related processes and software-enabled technologies to mitigate risks attributable to software.
• Works with federally-funded research and development centers (FFRDCs), consortiums, foundations, universities, and standards groups to coordinate relevant initiatives and leverage organizational resources to share best practices, tools, processes, and research to improve software assurance.

• Serves as DHS liaison on government/industry working groups and serves on NIST, IEEE and ISO/IEC standards committees and advisory groups, and other executive groups to ensure software assurance needs are addressed in standards, best practices, process models and product lifecycle initiatives.
• Publishes best practices relating to software security via the web site https://buildsecurityin.us-cert.gov/portal/ as information for developers and acquisition managers.
• Working with government/academic/industry groups, leads team efforts to develop the Software Assurance Common Body of Knowledge to provide a framework to recommend updates in curriculum to enhance IT acquisition and software-related education and training across the federal acquisition workforce curricula, within universities and colleges, and within industrial training programs.
• Works with government/academic groups, such as the National Science Foundation (NSF), University Affiliated Research Centers (UARCs), and IA Centers of Academic Excellence (CAEs), to prioritize research consistent with software assurance needs.
• Provides requisite interfaces with other federally-sponsored software related initiatives, such as the National Science Foundation (NSF) Cyber Trust Initiative, DoD Software Protection and Software Assurance Initiatives, National Institute of Standards and Technology (NIST) computer security projects and initiatives, and interagency Information Assurance initiatives.

• Leads interagency and international collaboration efforts engaging industry and measurement bodies, such as the Practical Software and Systems Measurement Support Center, NIST, and FFRDCs to develop software assurance measurement practices and support.
• Provides support for special projects and DHS initiatives and studies relating to software assurance, and support of DHS’s response to Congressional inquiries, Government Accountability Office (GAO) reviews, and audit reports and studies related to software assurance.

The DHS Software Assurance (SwA) Program is based on the National Strategy to Secure Cyberspace that specifies: "DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development."

As a strategic initiative of the DHS National Cyber Security Division, the SwA Program also guides the SwA Forum and SwA Working Groups under auspices of the Critical Infrastructure Partnership Advisory Council (CIPAC) providing venues for government and the private sector to collaborate in addressing SwA issues associated with: Processes and Practices, Workforce Education and Training, Acquisition and Outsourcing, Technology, Tools and Product Evaluation, Malware Countermeasures, Measurement, and Business Case.

Scoped to address mechanisms to achieve software trustworthiness, predictable execution, and conformance, the DHS SwA Program collaborates with other agencies, industry, and academia to develop, publish and update relevant information via:

1. "Build Security In" web portal (https://buildsecurityin.us-cert.gov)
2. SwA Common Body of Knowledge from which to assist curriculum development,
3. Developers' Guide on Security Enhancing the Software Development Lifecycle,
4. SwA-related standards of IEEE CS, ISO/IEC, OMG, NIST,
5. CMM-based Security/Assurance extensions,
6. Practical Measurement Guidance for SwA and Information Security,
7. SwA Metrics and Tool Evaluation (with NIST),
8. Common Weaknesses Enumeration (CWE) dictionary,
9. Common Attack Pattern Enumeration and Classification,
10. Due-diligence questionnaires and sample procurement language in "SwA in Acquisition: Mitigating Risks to the Enterprise."