Press Release | Jan. 16, 2025

NSA Jointly Releases Recommendations for Closing the Software Understanding Gap

FORT MEADE, Md. – A report released by the National Security Agency (NSA), the Cybersecurity and Infrastructure Agency (CISA), the Defense Advanced Research Projects Agency (DARPA), and the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) urges a national effort to better understand the behavior of software underpinning national security and critical infrastructure systems.

The Cybersecurity Information Sheet (CSI), “Closing the Software Understanding Gap,” points to the need for policy action, technical innovation, and resources to help systems owners and operators better construct and assess their software-controlled systems across all conditions – normal, abnormal, and hostile.

“A lack of understanding of software imposes risks on many critical systems that are dependent on software to run properly and as intended,” said Neal Ziring, NSA Research Technical Director. “This report is a national call for the government and private sectors to work together to prioritize understanding software as a national effort critical to the nation’s success in the future.”

Currently, the nation’s ability to build software outstrips its ability to understand it, leaving systems vulnerable to exploitation, the CSI states. Undiscovered behavior in software has exposed critical vulnerabilities in aircraft, military systems, and supply chains and impacted national security objectives, with the CSI citing numerous examples.

The CSI outlines a call to action to address gaps in software understanding through:

  • Policy action – As technical capabilities mature, policy needs to evolve to require and formalize processes for characterizing software behavior before it is introduced into critical systems.
  • Technical innovation – Technical capabilities for measuring software and reasoning about its behavior need to be developed to reduce risk. All suitable techniques, including formal methods and artificial intelligence, should be leveraged to develop rigorous, reliable, rapid, and inexpensive capabilities.
  • Resources – Significant sustained investments in research, development, and engineering are needed to support a unified set of software understanding capabilities. Public and private partnerships with industry should also be explored to ensure practical and efficient solutions that can be leveraged across missions and diverse systems.

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.
 


NSA Media Relations
MediaRelations@nsa.gov
443-634-0721