Towards Rapid Recertification Using Formal Analysis
Abstract
Department of Defense (DoD) acquisition requires IT to undergo the DoD information assurance certification and accreditation process (DIACAP), which makes architecture-dependent assumptions. Emerging IT architectures, such as mobile and cloud-based platforms, invalidate these assumptions and prevent the DoD from acquiring commercial technologies that are readily available to adversaries. To address this problem, we extended our initial automation framework, wherein an application profile is expressed in a formal language and scaled with evolving architectural assumptions. These profiles will help ensure that information assurance requirements are commensurate with risk and scalable based on an application s changing external dependencies. Information assurance risk levels must account for changing environmental and IA parameters (confidentiality, integrity, and availability) that result from dynamic recombination of applications during runtime. Our proposed language aims to address dynamically composable, multi-party systems that preserve security properties. Software developers and certification authorities can use these profiles expressed in first-order logic with an inference engine to advance the DIACAP and re-check compliance as IT systems evolve over time.
Document Details
- Document Type
- Technical Report
- Publication Date
- Apr 30, 2015
- Accession Number
- ADA623140
Entities
People
- Daniel Smullen
- Travis Breaux
Organizations
- Carnegie Mellon University