Closing the Software Understanding Gap: Implications for NASA


The recently released report Closing the Software Understanding Gap, published by the Cybersecurity and Infrastructure Security Agency (CISA), highlights the widening divide between the rapid pace at which modern software is developed and the much slower pace at which it can be rigorously understood, verified and assured. This gap presents major risks to national security and critical infrastructure and has direct relevance to NASA’s missions, systems and software assurance responsibilities.


Credit: Dr. Douglas Ghormley and Dr. Christopher Harrison, Sandia National Laboratories, July 9, 2025

What Is the Software Understanding Gap?

The report defines software understanding as the rigorous ability to characterize software behavior—its functionality, safety and security—across normal, abnormal and hostile conditions. Today, mission owners lack adequate capability to understand software because developers produce software far faster than it can be analyzed, verified or secured.

This lack of understanding prevents organizations from reliably

  • Creating software that is secure by design
  • Identifying defects or vulnerabilities quickly
  • Assessing supply‑chain risks
  • Ensuring mission safety in the presence of unexpected or emergent behaviors

Why This Matters for NASA

NASA depends heavily on complex software across human spaceflight, planetary missions, aviation safety, launch vehicles, ground systems, science payloads and enterprise operations. Critical software‑controlled systems identified in the report include spacecraft, satellites, launch vehicles, guidance systems and manufacturing and test infrastructure—domains directly aligned with NASA’s portfolio.

Failure to understand software deeply has historically caused major aerospace and space‑system anomalies and continues to present risk today. The report cites numerous aerospace software failures leading to loss of vehicles, mission degradation or safety impacts.

Threat and Supply‑Chain Considerations

Adversaries are investing aggressively in software understanding technologies and policy structures, gaining superior insight into the behavior of software—foreign and domestic. The People's Republic of China (PRC) and other actors use this advantage to position themselves within critical systems and potentially subvert or manipulate them.

Supply‑chain compromises such as SolarWinds, XZ Utils and PRC‑targeted infrastructure intrusions illustrate how limited software understanding can produce systemic risk in national‑level missions. NASA’s increasing reliance on commercial off‑the‑shelf (COTS), open‑source, vendor‑supplied and partner‑developed software heightens exposure to these issues.

Mission Risk

Insufficient software understanding leads to

  • Latent safety hazards
  • Unexpected behavior during critical operations
  • Vulnerabilities in flight and ground systems
  • Delays in fielding mission capabilities
  • Costly life cycle operations and rework

For NASA, this directly affects flight assurance, safety of crew and hardware, schedule performance and mission success.

Desired Future State

The report envisions a future where mission organizations can

  • Ask mission‑relevant questions of software and obtain rapid, reliable, evidence‑based answers
  • Fully characterize software risk before deployment
  • Reduce life cycle cost through early detection of issues
  • Achieve justified confidence in software across critical missions

Relevance for NASA Software Assurance

The report’s findings reinforce and expand core software assurance expectations, such as the following:

  • Rigorous verification of safety, security and functionality
  • Deep analysis of both NASA‑developed and third‑party software
  • Formal methods and advanced analysis as essential, not optional
  • Evidence‑based assessment of mission risk before operations
  • Improved capability to detect emergent behaviors and supply‑chain compromises
  • Adoption of standards, tools and repeatable processes for measurable software assurance

Call to Action for Agencies Like NASA

The report urges decisive action requiring national‑level coordination, research and development investment, modernization of policy and acquisition approaches and advancement of the science and engineering foundations necessary for software measurement at scale.

For NASA, this aligns with

  • Advancing software assurance capabilities for increasingly autonomous and AI‑based systems
  • Updating assurance methods to address modern complexity
  • Improving insight into third‑party and supply‑chain software
  • Leveraging formal methods and AI‑assisted verification
  • Integrating software understanding early and continuously in life cycle processes