Page:United States Statutes at Large Volume 124.djvu/4362

 124 STAT. 4336 PUBLIC LAW 111–383—JAN. 7, 2011 (C) Inclusion of software assurance in milestone reviews and milestone approvals. (D) Rigorous test and evaluation of software assurance in development, acceptance, and operational tests. (E) Certification and accreditation requirements for software assurance for new systems and for updates for legacy systems, including mechanisms to monitor and enforce reciprocity of certification and accreditation proc- esses among the military departments and Defense Agen- cies. (F) Remediation in legacy systems of critical software assurance deficiencies that are defined as critical in accord- ance with the Application Security Technical Implementa- tion Guide of the Defense Information Systems Agency. (2) Allocation of adequate facilities and other resources for test and evaluation and certification and accreditation of software to meet applicable requirements for research and development, systems acquisition, and operations. (3) Mechanisms for protection against compromise of information systems through the supply chain or cyber attack by acquiring and improving automated tools for— (A) assuring the security of software and software applications during software development; (B) detecting vulnerabilities during testing of software; and (C) detecting intrusions during real-time monitoring of software applications. (4) Mechanisms providing the Department of Defense with the capabilities— (A) to monitor systems and applications in order to detect and defeat attempts to penetrate or disable such systems and applications; and (B) to ensure that such monitoring capabilities are integrated into the Department of Defense system of cyber defense-in-depth capabilities. (5) An update to Committee for National Security Systems Instruction No. 4009, entitled ‘‘National Information Assurance Glossary’’, to include a standard definition for software security assurance. (6) Either— (A) mechanisms to ensure that vulnerable Mission Assurance Category III information systems, if penetrated, cannot be used as a foundation for penetration of protected covered systems, and means for assessing the effectiveness of such mechanisms; or (B) plans to address critical vulnerabilities in Mission Assurance Category III information systems to prevent their use for intrusions of Mission Assurance Category I systems and Mission Assurance Category II systems. (7) A funding mechanism for remediation of critical soft- ware assurance vulnerabilities in legacy systems. (d) REPORT.—Not later than October 1, 2011, the Secretary of Defense shall submit to the congressional defense committees a report on the strategy required by subsection (a). The report shall include the following: (1) A description of the current status of the strategy required by subsection (a) and of the implementation of the