Certification process artifacts defined as measurable units for software assurance

Certification and Accreditation (C&A) process artifacts for software-intensive systems are characterized by the metrics and measures required to be produced from their units of analysis for assessing system behaviour. Software-intensive systems are complex clusters of closely interdependent system of systems that include underlying software, systems, people, processes, and operational environments. Naturally, such systems require carefully designed C&A artifacts that consider metrics and measures from multiple dimensions at different levels of abstraction in the Universe of Discourse (UoD) in order to understand, predict, and control their emergent behaviour. Hence, C&A artifacts defined as measurable units for software assurance should be the result of an aggregated reasoning of evidences from various dimensions, while maintaining traceability and alignment to real world goals/objectives in all stages of the system lifecycle. To address these research objectives, we present a novel integration framework that promotes cohesion and traceability among metrics and measures from multiple dimensions in the problem domain on the basis of the definition of a common language. By applying our framework to automate the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP), we also motivate the design principles and modelling techniques necessary to generalize a course of action to conduct C&A processes with appropriate tool support for software-intensive systems.