Please use this identifier to cite or link to this item:
Title: Improving Security in Software Acquisition with Data Retention Specifications
Authors: Daniel Smullen
Travis Breaux
Keywords: Security
Data Retention Specifications
Risk Management Framework
National Institute for Standards and Technology
Issue Date: 30-Mar-2017
Publisher: Acquisition Research Program
Citation: Published--Unlimited Distribution
Series/Report no.: Information Technology
Abstract: The Department of Defense (DoD) Risk Management Framework (RMF) for IT systems is aligned with the National Institute for Standards and Technology (NIST) guidance for federal IT architectures, including emergent mobile and cloud-based platforms. This guidance serves as a prescriptive lifecycle for IT engineers to recognize, understand, and mitigate security risks. However, integrators are left with the challenge - during acquisition, and during runtime integration with external services - to reason about the actions on data inherent in their system designs that may have confidentiality risks. These risks may lead to data spills; loss of confidentiality for mission data, and/or revelations about private data related to service members and their families. Solutions are needed to assist acquisition professionals to align system data practices with the RMF and NIST guidance, as well as DoD IA directives - particularly with respect to the collection, usage, transfer, and retention of data. To provide support to this end, we extended our initial automation framework, to support reasoning over data retention actions using a formal language. We propose an evaluation method for these extensions, carried out through simulations of real-world IT systems using imitation but statistically accurate synthetic data. Our language aims to address dynamically composable, multi-party systems that preserve security properties and address incipient data privacy concerns. Software developers and certification authorities can use these profiles expressed in first-order logic with an inference engine to advance the RMF, express data retention actions that promote confidentiality, and re-evaluate risk mitigation and compliance as IT systems evolve over time.
Description: Acquisition Management / Grant-funded Research
Appears in Collections:Sponsored Acquisition Research & Technical Reports

Files in This Item:
File SizeFormat 
CMU-AM-17-036.pdf1.7 MBAdobe PDFView/Open

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.