r-AnalytiCA: Requirements Analytics for Certification & Accreditation
Cited by 6 (5 self)
Numerous interdependent quality requirements imposed by regulatory Certification and Accreditation (C&A) processes enable a rich context to gather compliance evidences for promoting software assurance. The goal of the r-AnalytiCA workbench is to make sense out of the large collection of available evidences for a complex software system through multidimensional requirements-driven problem domain analysis. The requirements analytics employed in the workbench support C&A activities by leveraging the expressiveness of ontologies used to model C&A requirements and their interdependencies.
Discovering and Understanding Multi-dimensional Correlations among Certification Requirements with application to Risk Assessment, 2007
Cited by 5 (5 self)
In this paper we outline our approach to discover and understand multi-dimensional correlations among regulatory security certification requirements in the context of a complex software system. A thorough understanding of these correlations is necessary to assure that diverse constraints imposed by numerous certification requirements are adequate for collectively contributing to emergent security properties in a highly interconnected socio-technical environment. We elaborate on methodological support to discover an exhaustive set of applicable certification requirements in a given operational scenario of the target software system. We then describe techniques to systematically understand the multi-dimensional correlations among these requirements with application to security risk assessment. The case study of applying our approach to a regulatory certification process of The United States Department of Defense (DoD) is presented.
Towards a requirements-driven workbench for supporting software certification and accreditation
In SESS’07: Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems, 2007
Cited by 4 (3 self)
Security certification activities for software systems rely heavily on requirements mandated by regulatory documents and their compliance evidences to support accreditation decisions. Therefore, the design of a workbench to support these activities should be grounded in a thorough understanding of the characteristics of certification requirements and their relationships with certification activities. To this end, we utilize our findings from the case study of a certification process of The United States Department of Defense (DoD) to identify the design objectives of a requirements-driven workbench for supporting certification analysts. The primary contributions of this paper are: identifying key areas of automation and tool support for requirements-driven certification activities; an ontology-driven dynamic and flexible workbench architecture to address process variability; and a prototype implementation.
Revised (Day Month Year) Accepted (Day Month Year)
, 2008
Services as abstractions of functionality have enabled the engineering of systems that support well-defined processes with relative ease. This success leads to aspirations for achieving greater complexity with the service-oriented paradigm. In particular, we address the case where the process definition is tailored differently in each instantiation based on negotiations among stakeholders of a socio-technical context. For such cases the process definition invariably crosscuts the architecture of a process-support system that composes available services. However, use of pre-defined process variations may bias the tailoring effort and thus, act against the original motivation of having a flexible definition. On the other hand, the characteristics of process complexity and tailorability introduce differences between stakeholder understanding of the process activities and their manifestation in tool support. We encounter these issues while developing a service-oriented process-support system for a security Certification and Accreditation (C&A) process. In this paper, we present our approach to effectively separate the C&A process definition from the architecture of its process-support system. We employ ontological modeling techniques to explicitly model the process definition and later expose it as a service to provide weaving rules for dynamically composing the process-support system architecture at runtime. The feasibility of our approach has been demonstrated in the design of a service-oriented architecture for a prototype workbench that
Research/Tool Demonstration. r-AnalytiCA: Requirements Analytics for Certification & Accreditation
Numerous interdependent quality requirements imposed by regulatory Certification and Accreditation (C&A) processes enable a rich context to gather compliance evidences for promoting software assurance. The goal of the r-AnalytiCA workbench is to make sense out of the large collection of available evidences for a complex software system through multidimensional requirements-driven problem domain analysis. The requirements analytics employed in the workbench support C&A activities by leveraging the expressiveness of ontologies used to model C&A requirements and their interdependencies.
Discovering Multi-dimensional Correlations among Regulatory Requirements to Understand Risk
Security breaches most often occur due to a cascading effect of failure among security constraints that collectively contribute to overall secure system behavior in a socio-technical environment. Therefore, during security certification activities, analysts must systematically take into account the nexus of causal chains that exist among security constraints imposed by regulatory requirements. Numerous regulatory requirements specified in natural language documents or listed in spreadsheets/databases do not facilitate such analysis. The work presented in this paper outlines a step-wise methodology to discover and understand the multidimensional correlations among regulatory requirements for the purpose of understanding the potential for risk due to non-compliance during system operation. Our lattice algebraic computational model helps estimate the collective adequacy of diverse security constraints imposed by regulatory requirements and their interdependencies with each other in a bounded scenario of investigation. Abstractions and visual metaphors combine human intuition with metrics available from the methodology to improve the understanding of risk based on the level of compliance with regulatory requirements. In addition, a problem domain ontology that classifies and categorizes regulatory requirements from multiple dimensions of a socio-technical environment promotes a common understanding among stakeholders during certification and accreditation activities. A preliminary empirical investigation of our theoretical propositions has been conducted in the domain of The
Process Artifacts Defined as an Aspectual Service to System Models
Process artifacts identified from a process description often implicitly bias and cross-cut the definition of generic services from various tools that assist/automate process activities. The resulting tool support is tightly coupled with the process definition it supports, leading to poor adaptability when the required artifacts or process activities evolve/change. This issue is of further concern while providing tool support for assisting knowledge-intensive process activities through an interactive exploration of related knowledge-bases. Therefore, our focus is on early separation of process related cross-cutting concerns from generic tool-support services for creating, browsing, accessing, querying, inferencing, and visualizing associated knowledge-bases. We discuss our approach in the context of designing tool support for a system security Certification and Accreditation (C&A) process automation based on service-oriented and aspect-oriented design paradigms.
Knowledge Integrated Visual Analysis system for in-depth management of Bridge Safety and Maintenance
Infrastructure safety affects millions of U.S. citizens in many ways. Among all the infrastructures, the bridge plays a significant role in providing substantial economy and public safety. Nearly 600,000 bridges across the U.S. are mandated to be inspected every twenty-four months. Although these inspections could generate a great amount of rich data for bridge engineers to make critical maintenance decisions, processing these data has become challenging due to the low efficiency from those traditional bridge management systems. In collaboration with North Carolina Department of Transportation (NCDOT) and other regional DOT collaborators, we present our knowledge integrated visual analytics bridge management system. Our system aims to provide bridge engineers a highly interactive data exploration environment as well as knowledge pools for corresponding bridge information. By integrating the knowledge structure with visualization system, our system could provide comprehensive understandings of the bridge assets and enable bridge engineers to investigate potential bridge safety issues and make maintenance decisions.
Towards Sustainable Infrastructure Management: Knowledge-based Service-oriented Computing Framework for Visual Analytics
Infrastructure management (and its associated processes) is complex to understand, perform and thus, hard to make efficient and effective informed decisions. The management involves a multi-faceted operation that requires the most robust data fusion, visualization and decision making. In order to protect and build sustainable critical assets, we present our on-going multi-disciplinary large-scale project that establishes the Integrated Remote Sensing and Visualization (IRSV) system with a focus on supporting bridge structure inspection and management. This project involves specific expertise from civil engineers, computer scientists, geographers, and real-world practitioners from industry, local and federal government agencies. IRSV is being designed to accommodate the essential needs from the following aspects: 1) Better understanding and enforcement of complex inspection process that can bridge the gap between evidence gathering and decision making through the implementation of ontological knowledge engineering system; 2) Aggregation, representation and fusion of complex multi-layered heterogeneous data (i.e. infrared imaging, aerial photos and ground-mounted LIDAR etc.) with domain application knowledge to support machine understandable recommendation system; 3) Robust visualization techniques with large-scale analytical and interactive visualizations that support users' decision making; and 4) Integration of these needs through the flexible Service-oriented
Visual Analytics for Requirements-driven Risk Assessment
Risk assessment is a complex decision making process during Certification and Accreditation (C&A) activities. It requires understanding the multidimensional correlations among numerous C&A requirements to reason about their collective and adequate behavior to minimize risks to a software system. Also, diverse stakeholders in the organizational hierarchy should be able to comprehend and utilize the risk assessment artifacts to agree upon an acceptable level of risks and justify the criticality and cost of mitigation strategies related to C&A requirements. We believe requirements visualization plays an important role in providing rich contextual information for understanding and analyzing risk assessment artifacts and present our initial experiences in using intuitive visual metaphors and their explanations for requirements-driven risk assessment [8] [11].

