Security Policy Enforcement and Compliance System (SPECS)

While the advantages of the Global Information Grid (GIG) cannot be overstated, the challenge of maintaining security policies effectively is a daunting task. This huge network incorporates a diverse array of components and is designed to be highly dynamic and mobile. Asserting control over the GIG is critical to operational success yet is often too cumbersome via traditional means. Although systems exist for managing security policy on enterprise-scale networks, they tend to assume relatively static network configurations in which updates are deployed largely manually. Along with being lengthy, labor-intensive operations, such reconfigurations can misinterpret or overlook governing security policies and controls, leaving portions of the network vulnerable to attack. We propose the Security Policy Enforcement and Compliance System (SPECS), a framework for managing security policy on super-sized, diverse and dynamic networks. SPECS automates policy management by encoding policies in an ontology to facilitate automated enforcement given operational requirements. By linking policies to the controls that enforce them, SPECS can rapidly deploy existing policies into new or changing operational environments, and it can update existing environments in response to changes in the policies themselves. This end-to-end modeling also enables SPECS to quickly assess compliance for assured levels of network security.