Information Asymmetry in Classified Cross Domain System Security Accreditation

Abstract

The difficulty of cross domain systems security accreditation lies inherent in the fact that, by definition, such systems always span at least one boundary between security domains controlled by different data owners. Consequently, approved solutions regularly encounter security testing criteria that represent the duplicated responsibility for residual risk of multiple security accreditors. Each data owner perceives a site-specific set of risks that would be desirable to mitigate, a technology-dependent set of risks that it is possible to mitigate, and a residual risk it is felt acceptable not to mitigate. Time and cost inefficiency in cross domain system accreditation are shown to originate f