Show simple item record

dc.contributor.authorSmullen, Daniel
dc.contributor.authorBreaux, Travis
dc.date2017-03
dc.date.accessioned2018-06-13T17:10:26Z
dc.date.available2018-06-13T17:10:26Z
dc.date.issued2017-03
dc.identifier.urihttp://hdl.handle.net/10945/58892
dc.description.abstractThe Department of Defense (DoD) Risk Management Framework (RMF) for IT systems is aligned with the National Institute for Standards and Technology (NIST) guidance for federal IT architectures, including emergent mobile and cloud-based platforms. This guidance serves as a prescriptive lifecycle for IT engineers to recognize, understand, and mitigate security risks. However, integrators are left with the challenge - during acquisition, and during runtime integration with external services - to reason about the actions on data inherent in their system designs that may have confidentiality risks. These risks may lead to data spills; loss of confidentiality for mission data, and/or revelations about private data related to service members and their families. Solutions are needed to assist acquisition professionals to align system data practices with the RMF and NIST guidance, as well as DoD IA directives - particularly with respect to the collection, usage, transfer, and retention of data. To provide support to this end, we extended our initial automation framework, to support reasoning over data retention actions using a formal language. We propose an evaluation method for these extensions, carried out through simulations of real-world IT systems using imitation but statistically accurate synthetic data. Our language aims to address dynamically composable, multi-party systems that preserve security properties and address incipient data privacy concerns. Software developers and certification authorities can use these profiles expressed in first-order logic with an inference engine to advance the RMF, express data retention actions that promote confidentiality, and re-evaluate risk mitigation and compliance as IT systems evolve over time.en_US
dc.description.sponsorshipNaval Postgraduate School Acquisition Research Programen_US
dc.publisherMonterey, California. Naval Postgraduate Schoolen_US
dc.rightsThis publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.en_US
dc.titleImproving Security in Software Acquisition with Data Retention Specificationsen_US
dc.typeReporten_US
dc.identifier.npsreportCMU-AM-17-036


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record