Brief

"On January 16, 2025, the National Security Agency (NSA) issued an update regarding 'NSA Jointly Releases Recommendations for Closing the Software Understanding Gap.' The report, titled 'Closing the Software Understanding Gap,' highlights the need for a national effort to better understand software behavior in critical infrastructure systems and calls for policy action, technical innovation, and resources to address the gap."

Press Release | Jan. 16, 2025

NSA Jointly Releases Recommendations for Closing the Software Understanding Gap

FORT MEADE, Md. – A report released by the National Security Agency (NSA), the Cybersecurity and Infrastructure Agency (CISA), the Defense Advanced Research Projects Agency (DARPA), and the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) urges a national effort to better understand the behavior of software underpinning national security and critical infrastructure systems.

The Cybersecurity Information Sheet (CSI), “Closing the Software Understanding Gap,” points to the need for policy action, technical innovation, and resources to help systems owners and operators better construct and assess their software-controlled systems across all conditions – normal, abnormal, and hostile.

“A lack of understanding of software imposes risks on many critical systems that are dependent on software to run properly and as intended,” said Neal Ziring, NSA Research Technical Director. “This report is a national call for the government and private sectors to work together to prioritize understanding software as a national effort critical to the nation’s success in the future.”

Currently, the nation’s ability to build software outstrips its ability to understand it, leaving systems vulnerable to exploitation, the CSI states. Undiscovered behavior in software has exposed critical vulnerabilities in aircraft, military systems, and supply chains and impacted national security objectives, with the CSI citing numerous examples.

The CSI outlines a call to action to address gaps in software understanding through:

Policy action – As technical capabilities mature, policy needs to evolve to require and formalize processes for characterizing software behavior before it is introduced into critical systems.
Technical innovation – Technical capabilities for measuring software and reasoning about its behavior need to be developed to reduce risk. All suitable techniques, including formal methods and artificial intelligence, should be leveraged to develop rigorous, reliable, rapid, and inexpensive capabilities.
Resources – Significant sustained investments in research, development, and engineering are needed to support a unified set of software understanding capabilities. Public and private partnerships with industry should also be explored to ensure practical and efficient solutions that can be leveraged across missions and diverse systems.

Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.

NSA Media Relations
MediaRelations@nsa.gov

443-634-0721

Related Documents

CSI: Closing the Software Understanding Gap

cybersecurity
software understanding
software gap
Cybersecurity Information Sheet
CSI

Purpose
The National Security Agency (NSA), Cybersecurity and Infrastructure Agency (CISA), Defense Advanced Research Projects Agency (DARPA), and Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) jointly released a report titled “Closing the Software Understanding Gap” to address the national security implications of software understanding gaps. The report emphasizes the need for policy action, technical innovation, and resources to improve software understanding in critical infrastructure systems.

Effects on Industry
The report highlights the risks associated with a lack of software understanding, including vulnerabilities in aircraft, military systems, and supply chains, which have impacted national security objectives. The industry’s ability to build software outstrips its ability to understand it, leaving systems vulnerable to exploitation. This has severe consequences for organizations reliant on software-controlled systems.

Relevant Stakeholders
The report affects various stakeholders, including system owners and operators, government agencies, private sectors, researchers, and engineers working in fields related to software development, cybersecurity, and critical infrastructure protection. The report’s call to action requires a unified effort from these groups to prioritize software understanding as a national effort critical to the nation’s success.

Next Steps
The report outlines three key areas for addressing software understanding gaps: policy action, technical innovation, and resource investment. To comply with or respond to this update, stakeholders should:

  1. Review the report and its recommendations.
  2. Engage in policy discussions to formalize processes for characterizing software behavior before introducing it into critical systems.
  3. Invest in research, development, and engineering efforts to develop rigorous software understanding capabilities.
  4. Collaborate with industry partners to explore practical and efficient solutions that can be leveraged across missions and diverse systems.

Any Other Relevant Information
The report provides numerous examples of the consequences of software understanding gaps, including:

  1. Exposed vulnerabilities in aircraft and military systems.
  2. Disruptions to supply chains.
  3. Impact on national security objectives.

These examples underscore the importance of addressing software understanding gaps through a national effort that prioritizes policy action, technical innovation, and resource investment.

National Security Agency (NSA)
