System Assurance

From SEBoK
Jump to: navigation, search

Systems are subject to attacks for a multitude of reasons. System Assurance is the discipline that identifies and mitigates or removes exploitable vulnerabilities. This is increasingly important for both commercial and governmental activities.

System Assurance

NATO AEP-67 (Edition 1), Engineering for System Assurance in NATO Programs, defines system assurance as:

…the justified confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the life cycle... This confidence is achieved by system assurance activities, which include a planned, systematic set of multi-disciplinary activities to achieve the acceptable measures of system assurance and manage the risk of exploitable vulnerabilities. (NATO 2010, 1)

The NATO document is organized based on the life cycle processes in ISO/IEC 15288:2008 and provides process and technology guidance to improve system assurance.

Software Assurance

Since most modern systems derive a good portion of their functionality from software, software assurance becomes a primary consideration in systems assurance. The Committee on National Security Systems (CNSS) (2010, 69) defines software assurance as a “level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its lifecycle and that the software functions in the intended manner.”

Goertzel, et. al (2008, 8) point out that “the reason software assurance matters is that so many business activities and critical functions—from national defense to banking to healthcare to telecommunications to aviation to control of hazardous materials—depend on the on the correct, predictable operation of software.”

Web-based Resource

A good online resource for system and software assurance is the US Department of Homeland Security’s Build Security In web site (DHS 2010), which provides resources for best practices, knowledge, and tools for engineering secure systems.


Works Cited

CNSS. 2010. National Information Assurance Glossary", Committee on National Security Systems Instruction (CNSSI) no. 4009". Fort Meade, MD, USA: The Committee on National Security Systems.

DHS. 2010. Build Security In. Washington, DC, USA: US Department of Homeland Security (DHS). Accessed September 11, 2011. Available:

Goertzel, K., et al. 2008. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance. Washington, DC, USA: Data and Analysis Center for Software (DACS)/US Department of Homeland Security (DHS).

NATO. 2010. Engineering for System Assurance in NATO programs. Washington, DC, USA: NATO Standardization Agency. DoD 5220.22M-NISPOM-NATO-AEP-67.

Primary References

Anderson, Ross J. 2008. Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed. New York, NY, USA: John Wiley & Sons.

Additional References

MITRE. 2011. "Systems Engineering for Mission Assurance." System Engineering Guide. Accessed March 7, 2012. Available:

< Previous Article | Parent Article | Next Article >
SEBoK v. 1.6 released 25 March 2016

SEBoK Discussion

Please provide your comments and feedback on the SEBoK below. You will need to log in to DISQUS using an existing account (e.g. Yahoo, Google, Facebook, Twitter, etc.) or create a DISQUS account. Simply type your comment in the text field below and DISQUS will guide you through the login or registration steps. Feedback will be archived and used for future updates to the SEBoK. If you provided a comment that is no longer listed, that comment has been adjudicated. You can view adjudication for comments submitted prior to SEBoK v. 1.0 at SEBoK Review and Adjudication. Later comments are addressed and changes are summarized in the Letter from the Editor and Acknowledgements and Release History.

If you would like to provide edits on this article, recommend new content, or make comments on the SEBoK as a whole, please see the SEBoK Sandbox.

blog comments powered by Disqus