Closing software-understanding gap is critical to national security, CISA says | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-darpa-software-understanding-gap-report\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Closing software-understanding gap is critical to national security, CISA says\"> <meta property=\"og:description\" content=\"In a joint report with DARPA and others, the cyber agency said that knowledge gap \u201cexacerbates\u201d risks posed by threat actors in U.S. critical infrastructure.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-darpa-software-understanding-gap-report\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-17T17:11:16+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-17T17:11:19+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=1024,725\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"725\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472020g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1737070850g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=cc5cb8dd0a9ba2b865c4\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83184\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83184\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-darpa-software-understanding-gap-report%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-darpa-software-understanding-gap-report%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83184 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-darpa-software-understanding-gap-report\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.519736842105\">\n<div class=\"single-article__header-content\" readability=\"34.902494331066\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/cisa-darpa-software-understanding-gap-report\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> In a joint report with DARPA and others, the cyber agency said that knowledge gap \u201cexacerbates\u201d risks posed by threat actors in U.S. critical infrastructure. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83184\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"453\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says.jpg?resize=640%2C453&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"PHP\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg 2831w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=300,212 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=768,544 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=1024,725 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=1536,1088 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=2048,1450 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=600,425 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=237,168 237w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=476,337 476w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=953,675 953w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-2.jpg?resize=1190,843 1190w\" sizes=\"(max-width: 953px) 100vw, 953px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"46.267525337838\"><body readability=\"93.697674418605\"><\/p>\n<p>With Chinese-sponsored hackers <a href=\"https:\/\/cyberscoop.com\/us-telecom-infrastructure-chinese-cyberattack-salt-typhoon-security-strategy\/\">lingering in the IT systems<\/a> of various U.S. critical infrastructure networks, potentially imminent threats to the country\u2019s national security abound. The Cybersecurity and Infrastructure Security Agency and federal partners hope to lessen that threat by closing a so-called \u201csoftware understanding gap.\u201d<\/p>\n<p>In a <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2025-01\/joint-guidance-closing-the-software-understanding-gap-508c.pdf\">document released Thursday<\/a> with the Defense Advanced Research Projects Agency, the Office of the Under Secretary of Defense for Research and Engineering and the National Security Agency, CISA said \u201cdecisive and coordinated\u201d government action is needed to get a more comprehensive understanding of software-controlled systems.<\/p>\n<p>Those systems, CISA said, must be properly assessed to \u201cverify functionality, safety, and security across all conditions.\u201d <\/p>\n<p>Chris Butera, technical director at CISA, said in a statement that the current software understanding gap \u201cexacerbates\u201d national security risks posed by state-sponsored activity in U.S. critical infrastructure \u2014 particularly in <a href=\"https:\/\/cyberscoop.com\/feds-chinese-hacking-operations-have-been-in-critical-infrastructure-networks-for-five-years\/\">energy<\/a>, <a href=\"https:\/\/therecord.media\/cybercriminals-target-transportation-logistics-companies-north-america-malware\">transportation<\/a>, <a href=\"https:\/\/cyberscoop.com\/salt-typhoon-national-security-council-chinese-spying\/\">telecom<\/a>, and <a href=\"https:\/\/cyberscoop.com\/pro-russia-hacktivists-attacking-vital-tech-in-water-and-other-sectors-agencies-say\/\">water and wastewater<\/a> systems.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cMission owners and operators have an enormous and accelerating dependence on the software underwriting U.S. critical infrastructure,\u201d Butera said. \u201cWith our partners, we urge the USG to close this gap before other nations and urge software manufactures [sic] to align to Secure by Design principles.\u201d <\/p>\n<p>The report argues that U.S. security interests are undercut due to a \u201cdisparity of technical investment,\u201d defined by CISA as an investment in software production that outpaces investment in improved software understanding. This decades-long trend in the country has made it especially vulnerable to \u201cstrategic competitors,\u201d most notably China.<\/p>\n<p>China \u201chas achieved an elevated position through decisive national policy and sustained, multi-pronged investments in technology over the last decade to close their technology gap, enhancing not only their defensive capabilities but also their offensive capabilities to manipulate software and exploit vulnerabilities,\u201d the report stated. <\/p>\n<p>China, CISA noted, \u201chas a robust policy and legal regime to reduce its dependency on foreign software that comprises its supply chain.\u201d And Russia, meanwhile, has reportedly \u201cdemanded access to software details in exchange for access to its markets.\u201d<\/p>\n<p>The report\u2019s recognition of these issues isn\u2019t the federal government\u2019s first salvo in the fight against the software-understanding gap. CISA noted several ongoing federal efforts aimed at fixing the issue, including a joint National Science Foundation and Department of Energy initiative, several DARPA programs that leverage \u201cmathematically provable methods\u201d to support software understanding and the cyber <a href=\"https:\/\/cyberscoop.com\/cisa-secure-by-design-software-bad-practices\/\">agency\u2019s own secure-by-design initiative<\/a>. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe have the tools today to greatly reduce the number of software vulnerabilities that plague our software infrastructure,\u201d Kathleen Fisher, director of DARPA\u2019s Information Innovation Office, said in a statement. \u201cRapid action to implement these tools in legacy and future systems can dramatically reduce the United States\u2019 cyber vulnerabilities ahead of future global conflicts.\u201d<\/p>\n<p>The report offered a variety of additional technical and policy solutions to build on current efforts; changes to technology procurement and broad recognition of the evolving nature threat environments were among the suggestions.<\/p>\n<p>Additional callouts were made in the report for expanded federal research and engineering investments aimed at creating \u201cthe foundations for a unified set of software understanding capabilities,\u201d public-private partnerships to explore cost-effective solutions, brokering international partnerships, and developing talent pipelines.<\/p>\n<p>\u201cBy closing the gap before other nations and obtaining a deep, scalable understanding of software-controlled systems, including AI-based systems, the United States will secure an advantage in geopolitics for the foreseeable future,\u201d the report said, \u201cand will help harden U.S. critical infrastructure against state-sponsored activity.\u201d <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.3262411347518\">\n<div class=\"author-card\" readability=\"15\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says-1.jpg?w=640&ssl=1\" alt=\"Matt Bracken\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Bracken<\/h4>\n<p> Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-darpa-software-understanding-gap-report\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Closing software-understanding gap is critical to national security, CISA says<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[271,78,452,2465,272,2968],"tags":[277,86,454,2466,278,2970],"class_list":["post-6973","post","type-post","status-publish","format-standard","hentry","category-china","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-darpa","category-nsa","category-software","tag-china","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-darpa","tag-nsa","tag-software"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/darpa\/\" rel=\"category tag\">DARPA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nsa\/\" rel=\"category tag\">nsa<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/software\/\" rel=\"category tag\">software<\/a>","tag_info":"software","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6973"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6973\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6973,"date":"2025-01-17T11:11:16","date_gmt":"2025-01-17T17:11:16","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83184"},"modified":"2025-01-17T11:11:16","modified_gmt":"2025-01-17T17:11:16","slug":"closing-software-understanding-gap-is-critical-to-national-security-cisa-says","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/17\/closing-software-understanding-gap-is-critical-to-national-security-cisa-says\/","title":{"rendered":"Closing software-understanding gap is critical to national security, CISA says"},"content":{"rendered":"