Improving Security in Software Acquisition and Runtime Integration With Data Retention Specifications

The Department of Defense (DoD) Risk Management Framework (RMF) for IT systems is aligned with the National Institute for Standards and Technology (NIST) guidance for federal IT architectures, including emergent mobile and cloud-based platforms. This guidance serves as a prescriptive lifecycle for IT engineers to recognize, understand, and mitigate security risks. However, integrators are left with the challengeduring acquisition and during runtime integration with external servicesto reason about the actions on data inherent in their system designs that may have confidentiality risks. These risks may lead to data spills, loss of confidentiality for mission data, and/or revelations about private data related to service members and their families. Solutions are needed to assist acquisition professionals to align system data practices with the RMF and NIST guidance, as well as DoD IA directivesparticularly with respect to the collection, usage, transfer, and retention of data. To provide support to this end, we extended our initial automation framework to support reasoning over data retention actions using a formal language. We propose an evaluation method for these extensions, carried out through simulations of real-world IT systems using imitation but statistically accurate synthetic data. Our language aims to address dynamically composable, multi-party systems that preserve security properties and address incipient data privacy concerns. Software developers and certification authorities can use these profiles expressed in first-order logic with an inference engine to advance the RMF, express data retention actions that promote confidentiality, and re-evaluate risk mitigation and compliance as IT systems evolve over time. Thirteenth Annual Acquisition Research Symposium , 04 May 2016, 05 May 2016,