By navigating our site, you agree to allow us to use cookies, in accordance with our Privacy Policy.

Researchers To Industry – Need New T&M For System Risk in Software Assurance

Officials of the U.S. Defense Advanced Research Projects Agency (DARPA) in Arlington, Va. lately released a solicitation (HR001119S0057) for the Automated Rapid Certification Of Software (ARCOS) project.


The goal of ARCOS is to automate the evaluation of software assurance evidence to enable certifiers to determine rapidly that system risk is acceptable. The process of determining that a system’s risk is acceptable is referred to as certification, DARPA officials say.

Current certification practices are antiquated and unable to scale with the amount of software deployed by the U.S. Department of Defense (DOD), researchers say. Two factors prevent scaling: human evaluators to determine if the system meets certification criteria; and little way to decompose evaluations.

Using humans to evaluate software assurance evidence, moreover, results in superficial, incomplete, and unacceptably long evaluations, DARPA researchers say.

The amount of evidence necessary fromtest and measurement to determine software conformance to certification can be overwhelming to human subject matter experts, who have biases that influence their approach to evaluations. Because certification requirements may be vague or poorly written, evaluators often must interpret what is intended. Combined, these factors result in inconsistencies over time and across evaluations. In addition, there is no means today to compose principled and trustworthy evaluations.

Current practice requires re-evaluation of components and their assurance evidence in every system that employs them. The inability to use a divide-and-conquer approach to certification of large systems increases wastes money and time.

Two factors can help speed software certification through the automation of evaluations. First, DOD leaders they want their contractors to modernize their engineering processes in the DOD Digital Engineering Strategy, which seeks to move away from document-based engineering processes and towards design models that are to be the authoritative source of truth for systems.

Such a future does not lend itself to current certification practices, but it will facilitate the automated evaluation of assurance, DARPA officials say.

Second, advances in several technologies suggest that automated evaluation of assurance evidence for software certification is possible. Model-based design technology, including probabilistic model checking, may help software certifiers quantify uncertainty.

So-called big code analytics can help apply semantic-based analytics to software and its artifacts. Mathematically rigorous analysis and verification can help develop software that demonstrably is correct and sound. Assurance-case languages help produce machine-readable arguments on how software fulfills its certification goals.

If successful, ARCOS technologies will move to military program offices that need to reduce certification costs, improve their software evaluations, and better understand their software risks. This technology also should be of interest to contractors who write software for program offices that have adopted ARCOS.

The project seeks to enable an app store approach to outfitting platforms for missions by assurance composition of apps that are added to a baseline platform.

The ultimate goal: continuous certification and mission risk evaluation; a compositional certification is a necessary first step.

ARCOS seeks develop the capability to automatically evaluate evidence that software systems meet their certification criteria and generate assurance case arguments. Substantiation of these arguments comes from analysis of four types of evidence: test; simulation and emulation; analytical; and software quality assurance.

The ARCOS program has four technical areas (TAs): evidence generation; evidence curation; assurance generation; and quantitative assessment. Companies selected for TA4 cannot work in any other technical area.

ARCOS is a four-year program, divided into three phases. The first and second phases will be 18 months each, and the third phase will be 12 months long for a total program length of four years. DARPA anticipates several awards for TA1 and TA3, as well as single awards for TA2 and TA4.

Companies interested should submit abstracts no later than 24 May 2019 to the DARPA BAA:

Submit full proposals no later than 9 July 2019 at the DARPA BAA:

To Get The Full Information: Click here


Niloy Banerjee

A generic movie-buff, passionate and professional with print journalism, serving editorial verticals on Technical and B2B segments, crude rover and writer on business happenings, spare time playing physical and digital forms of games; a love with philosophy is perennial as trying to archive pebbles from the ocean of literature. Lastly, a connoisseur in making and eating palatable cuisines.

Related Articles

Upcoming Events