Please use this identifier to cite or link to this item:
https://dair.nps.edu/handle/123456789/1071
Full metadata record
DC Field | Value
---|---
dc.contributor.author | Travis Breaux
dc.contributor.author | Ashwini Rao
dc.date.accessioned | 2020-03-16T17:50:07Z
dc.date.available | 2020-03-16T17:50:07Z
dc.date.issued | 2013-04-30
dc.identifier.citation | Published--Unlimited Distribution
dc.identifier.uri | https://dair.nps.edu/handle/123456789/1071
dc.description | Software Acquisition / Defense Acquisition Community Contributor
dc.description.abstract | Department of Defense (DoD) acquisition requires information technology (IT) to undergo the DoD information assurance certification and accreditation process (DIACAP), which makes strong architecture-dependent assumptions. Emerging IT architectures, such as mobile computing platforms, invalidate these assumptions and prevent the DoD from acquiring commercial technologies that are readily available to adversaries. To address this problem, we introduce a preliminary framework in which an application profile is expressed in a formal language and scaled with evolving architectural assumptions. This profile aims to incorporate information assurance (IA) requirements that are commensurate with risk and scalable based on an application's changing external dependencies. Information assurance risk levels that account for changing user identities and IA parameters (confidentiality, integrity, and availability) will result from dynamic recombination of mobile applications during runtime. The language is expressed in first-order logic and includes an evolvable lexicon to describe changing system configurations. We envision that software developers and certification authorities can use these formal profiles with an inference engine to complete the DIACAP and maintain compliance as IT systems evolve over time. The framework has been evaluated using existing DoD acquisition and DIACAP policy and a case study in a popular mobile application ecosystem.
dc.description.sponsorship | Acquisition Research Program
dc.language | English (United States)
dc.publisher | Acquisition Research Program
dc.relation.ispartofseries | Information Technology
dc.relation.ispartofseries | SYM-AM-13-069
dc.subject | Information Technology
dc.subject | DIACAP
dc.subject | IT Architectures
dc.subject | Mobile Computing Platforms
dc.subject | Commercial Technology
dc.subject | Net-Centric Warfare
dc.subject | RITE
dc.title | Managing Risk in Mobile Applications With Formal Security Policies
dc.type | Article
Appears in Collections: Annual Acquisition Research Symposium Proceedings & Presentations
Files in This Item:
File | Size | Format
---|---|---
SYM-AM-13-069.pdf | 317.28 kB | Adobe PDF