Author_Institution :
Dept. of Comput. Sci., Univ. of Oxford, Oxford, UK
Abstract :
From direct observation of the certification (post-software-development) and accreditation (pre-installation) testing of cross domain systems used for the interconnection of classified security domains in U.S. and U.K. defence and intelligence community systems, certain characteristic behavioural patterns have been noted. The savvy developer can use these to exert a measure of control over the duration and cost of certification testing and to predict the likely direction and magnitude of the residual risk calculation performed by security accreditors in multi-lateral, multi-level, collateral, and compartmented site accreditations. DCID 6/3, Common Criteria, DIACAP, and ICD 503 testing efforts across the evolution of a long-lived cross domain software development programme were examined using grounded theory methodology. Whilst discovered through investigation of classified cross domain system testing inefficiencies, it is believed that the principles are applicable more widely to privacy-sensitive areas such as electronic health care, financial, and law enforcement record keeping systems. The first thing found was a syndrome of pathological regressive interactions amongst software developers, managers, independent verification and validation contractors, penetration testers, and certification authorities that resulted in schedule slippage during the certification testing phase and, in the accreditation phase, ineffective duplication of testing with no corresponding improvement in residual risk. To understand why these problems occurred, an abstract model of how security accreditors agree upon the true level of residual risk in multi-level cross domain system installations was developed. The model is powerful enough to handle collateral, SCI, and international cross domain systems with any number of endpoints. 
It works by establishing the visibility of threats, vulnerabilities, and mitigations from each data owner's perspective according to the associated accreditor's clearance over the space of all possible multilevel configurations, then identifying the smallest set of covert-channel-like information flows necessary to reach a concord about residual risk without violating the global security policy. Conventional wisdom holds that security rules should be strictly enforced, but it is shown that under present regulations, some desirable information flows are inhibited and other undesirable information flows are forced. Paradoxically, it is sometimes the case that relaxing the rules actually improves security.
Keywords :
accreditation; certification; data privacy; program testing; program verification; risk management; security of data; software development management; DCID 6/3; DIACAP; ICD 503 testing; UK; US; accreditation phase; accreditor clearance; accreditor risk calculation; behavioural patterns; certification authorities; certification testing; certifier; classified cross domain system testing; collateral accreditations; common criteria; compartmented site accreditations; cross domain software development programme; defence community systems; electronic health care; financial record keeping systems; global security policy; grounded theory methodology; information flows; intelligence community systems; law enforcement record keeping systems; multilateral accreditations; multilevel accreditations; multilevel cross domain system installations; multilevel systems; pathological regressive interactions; penetration testers; post-software-development; preinstallation testing; privacy-sensitive areas; residual risk calculation; schedule slippage; security accreditors; security domains; security rules; validation contractors; verification contractors; Accreditation; Documentation; Government; Medical services; Security; Software; Testing; certification and accreditation; certification test and evaluation; cross domain system; security test and evaluation;