Abstract

Information system security certification involves guaranteeing that mechanisms are deployed to comply with selected security controls, such as those in the NIST SP800-53, at acceptable levels of confidence and risk. When a system can self-adapt at runtime, it may alter its functional behavior to address a defect or anomaly. This functional change can impact associated security controls, potentially making the adapted system vulnerable to security threats. Performing security control assurance adaptation along with functional adaptation would allow both compliance confidence and risk analysis to accompany functional adaptation analysis. The need for this dual assessment implies security control compliance should be expressed such that an adaptation can be reflected as part of its compliance status. In this paper, we represent security controls and their deployed mechanisms in terms of security assurance cases. We define a template using Goal Structuring Notation (GSN) that follows the NIST SP800-53 control statement structure. We define three adaptation operators to dictate how and where a change impacts relevant assurance cases. The objective is to express and manage the controls and adaptation operators so that changes to a security assurance case can be embedded and traced within the executing system to make it security aware. We illustrate the approach using a small case study and a security control for systems and communications protection, taken from the NIST SP800-53.