Improving Security in Software Acquisition with Data Retention Specifications
Abstract
The Department of Defense (DoD) Risk Management Framework (RMF) for IT systems is aligned with National Institute of Standards and Technology (NIST) guidance for federal IT architectures, including emerging mobile and cloud-based platforms. This guidance provides a prescriptive lifecycle by which IT engineers recognize, understand, and mitigate security risks. However, integrators are still left to reason, both during acquisition and during runtime integration with external services, about the actions on data inherent in their system designs that carry confidentiality risk. Those risks can lead to data spills: loss of confidentiality for mission data and disclosure of private data about service members and their families. Acquisition professionals need support to align system data practices with RMF and NIST guidance and with DoD information assurance (IA) directives, particularly with respect to the collection, usage, transfer, and retention of data. To that end, we extended our initial automation framework to support reasoning over data retention actions using a formal language. We propose an evaluation method for these extensions, carried out through simulations of real-world IT systems using synthetic but statistically representative data. Our language targets dynamically composable, multi-party systems that preserve security properties and address emerging data privacy concerns. Software developers and certification authorities can use these profiles, expressed in first-order logic and evaluated with an inference engine, to advance the RMF, express data retention actions that promote confidentiality, and re-evaluate risk mitigation and compliance as IT systems evolve over time.
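The abstract describes data-handling profiles written in first-order logic and checked by an inference engine. The following added example is not the report's language or code; it sketches the shape of such reasoning with a minimal forward-chaining engine over Horn-clause rules. The facts (which hypothetical services retain and transfer which data, how data is classified, how long a class may be kept, who may receive it) and the two rules (retention beyond the class limit, transfer to an unauthorized recipient) are constructed for this illustration, and every predicate name, service name, data item and limit is an assumption.

```python
"""Toy forward-chaining inference over data-handling facts.

Added illustration, not the report's profile language: predicate names,
rules, services, data items and retention limits are all assumptions.
Variables are strings beginning with an uppercase letter; constants are
lowercase strings or integers.
"""


def is_var(term):
    return isinstance(term, str) and term[:1].isupper()


def unify(pattern, fact, binding):
    """Extend `binding` so that `pattern` matches `fact`; None if impossible."""
    if len(pattern) != len(fact):
        return None
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in b and b[p] != f:
                return None
            b[p] = f
        elif p != f:
            return None
    return b


def subst(pattern, binding):
    """Replace bound variables in `pattern` with their values."""
    return tuple(binding.get(t, t) if is_var(t) else t for t in pattern)


def match_body(body, facts, binding):
    """Yield every binding that satisfies the body literals, left to right."""
    if not body:
        yield binding
        return
    lit, rest = body[0], body[1:]
    if lit[0] == "gt":  # built-in: both arguments must already be bound ints
        left, right = subst(lit[1:], binding)
        if left > right:
            yield from match_body(rest, facts, binding)
    elif lit[0] == "not":  # negation as failure; only used over base facts
        goal = subst(lit[1], binding)
        if not any(unify(goal, f, {}) is not None for f in facts):
            yield from match_body(rest, facts, binding)
    else:
        for fact in facts:
            b = unify(lit, fact, binding)
            if b is not None:
                yield from match_body(rest, facts, b)


def infer(facts, rules):
    """Naive forward chaining: apply rules until no new fact is derived."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for b in list(match_body(body, facts, {})):
                derived = subst(head, b)
                if derived not in facts:
                    facts.add(derived)
                    changed = True
    return facts


# Constructed sample profile: what two hypothetical services do with data.
FACTS = {
    ("classification", "member_address", "pii"),
    ("classification", "mission_plan", "mission"),
    ("max_retention_days", "pii", 90),
    ("retains", "payroll_svc", "member_address", 365),
    ("retains", "planning_svc", "mission_plan", 30),
    ("transfers", "payroll_svc", "finance_svc", "member_address"),
    ("transfers", "payroll_svc", "analytics_vendor", "member_address"),
    ("authorized_recipient", "finance_svc", "pii"),
}

# Horn-clause rules: (head, [body literals]). Positive literals come first
# so that every variable is bound before `gt` or `not` is evaluated.
RULES = [
    (("violation", "retention_exceeded", "S", "D"),
     [("retains", "S", "D", "N"), ("classification", "D", "C"),
      ("max_retention_days", "C", "M"), ("gt", "N", "M")]),
    (("violation", "unauthorized_transfer", "T", "D"),
     [("transfers", "S", "T", "D"), ("classification", "D", "C"),
      ("not", ("authorized_recipient", "T", "C"))]),
]


def violations(facts=FACTS, rules=RULES):
    """Return the derived violation facts, sorted for stable comparison."""
    return sorted(f for f in infer(facts, rules) if f[0] == "violation")


if __name__ == "__main__":
    for v in violations():
        print(v)
```

Running the block reports two violations: the payroll service keeps a PII item for 365 days against a 90-day limit, and it transfers that item to a recipient with no authorization for PII; the transfer to the authorized finance service is not flagged. Re-running the same rules after a profile changes (a new integration, a longer retention) is the re-evaluation step the abstract has in mind; the negation here is sound only because negated predicates are never themselves derived.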
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
NPS Report Number
CMU-AM-17-036
Related items
- Commercial mobile device technology implementation implications in United States Marine Corps processes: a case study approach
  Ellis, Buddy J. (Monterey, California: Naval Postgraduate School, 2016-09); The United States Marine Corps is operating in an increasingly resource-limited and fiscally constrained environment while simultaneously becoming more dependent on information technology systems to efficiently train and ...
- The effect of STEM degrees on the performance and retention of junior officers in the U.S. Navy
  Maugeri, William V., III (Monterey, California: Naval Postgraduate School, 2016-03); The Navy has long operated under the Rickover hypothesis, stressing the importance of recruiting and retaining Science, Technology, Mathematics and Engineering (STEM) background officers to man the increasingly technologically ...
- Secure local area network services for a high assurance multilevel network
  BryerJoyner, Susan; Heller, Scott D. (Monterey, California: Naval Postgraduate School, 1999-03); To reduce the cost and complexity of the current DoD information infrastructure, a Multilevel Secure (MLS) network solution eliminating hardware redundancies is required. Implementing a high assurance MLS LAN requires the ...