MAPE-K/MAPE-SAC: An interaction framework for adaptive systems with security assurance cases
Future Generation Computer Systems (IF 6.2), Pub Date: 2020-03-24, DOI: 10.1016/j.future.2020.03.031
Sharmin Jahan, Ian Riley, Charles Walter, Rose F. Gamble, Matt Pasco, Philip K. McKinley, Betty H.C. Cheng

Security certification establishes that a given system satisfies the properties and constraints specified in its security profile. Mechanisms and techniques have been developed to assess whether, and how well, the system complies with those properties, thereby providing a degree of confidence in the security certification. Generally, certification of the security controls defined by NIST SP800-53 is performed at design time to provide confidence in a system's trustworthiness to achieve the organization's mission and business requirements. Assuring confidence in a self-adaptive system's security profile is challenging when both functional and security conditions may change at run time. Static security solutions are insufficient, since the dynamic application of defense mechanisms often requires adapting security functionality at run time as part of self-protection. Such a security adaptation may hinder the maintenance of functional constraints, or vice versa. In addition, adaptation capabilities may give rise to the need for dynamic certification, which can be a difficult procedure given the complexity of the security dependencies. Confidence in an information system's compliance with security constraints can be expressed using security assurance cases (SACs). NIST security controls are defined with a hierarchical structure that makes them amenable to being specified in terms of SACs. A collection of SACs for related security controls forms a network that can be used to measure the confidence of security compliance through certification-based evidence. Once the system is deployed, environmental and functional uncertainties may require the coordination of functional and security adaptations. This paper introduces MAPE-SAC, a security-focused feedback control loop, and its interaction with MAPE-K, a function- and performance-focused control loop, to dynamically manage run-time adaptations in response to changes in functional and security conditions. We illustrate the use of both control loops and their interaction with an example of two independent systems that need to cooperate to facilitate autonomous search and rescue in the aftermath of a natural disaster.




Updated: 2020-03-24