Abstract

Trustworthiness in services provided by the Critical Infrastructure (CI) depends essentially on the quality of the underlying software, systems, practice and environment, as software information infrastructures are increasingly becoming a major component of business, industry, government and defense. The level of trustworthiness required from services that operate in such critical software information infrastructures is often established using standardized infrastructure-wide evaluation criteria, namely Certification and Accreditation (C&A), through the identification of operational risks and the determination of conformance with established security standards and best practices. To effectively establish such levels of trustworthiness for services in the CI, we identify the need for a structured and comprehensive C&A framework with appropriate tool support that combines its theoretical and practical aspects. In this paper, we present our efforts in developing such a framework, which leverages novel techniques from software requirements engineering and knowledge engineering to support the automation of the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP), a standard for certifying and accrediting the information networks that support the Defense Information Infrastructure (DII). Through examples derived from our case study, we further motivate the applicability and appropriateness of our framework.
