
SaTC: CORE: Small: Collaborative: Enabling Regulatory Compliance for Software Engineering

$560,541 | FY2020 | CSE | NSF

University Of Maryland Baltimore County, Baltimore MD

Investigators

Abstract

Software systems are ubiquitous in modern society, but engineering systems that are demonstrably compliant with relevant laws and regulations remains both theoretically and practically challenging. Unfortunately, assessing a system for regulatory compliance is challenging and expensive, which ensures existing laws and regulations have low enforcement rates. Further, organizations have no standard approach they can use to document their due diligence and compliance efforts, and the number and types of regulations applicable to software are expected to increase as software becomes more integrated and central to traditionally non-software domains. This proposed research seeks to create a software development methodology for regulatory compliance. Software engineering professionals using this methodology will be able to both manage the regulatory compliance aspects of their systems under development and also to demonstrate to an outside auditor, to customers, and to the public, their approach towards compliance at each stage of the software development lifecycle (SDLC). This research has the potential to affect every software system developed for use in a regulated domain. In general, society regulates domains first and considers software second. For non-software domains that nevertheless depend on software (e.g., healthcare, automotive, finance), organizations are left measuring inputs and outputs, and they have no insight into the full engineering process used to develop the software that controls potentially critical elements of the system. This work will transform how organizations think about liability and compliance by providing organizations the tools needed to demonstrate that they attempted to do the right thing, even if a failure occurs. The results of this work will be incorporated in graduate and undergraduate courses on topics such as security and privacy, systems analysis, software testing and software maintenance.

The core research problem this award addresses is: How can software engineers incorporate and demonstrate compliance with security and privacy laws, regulations, guidelines, and standards throughout the design, development, and maintenance of software systems? The goal of this project is to develop a full-lifecycle methodology, based on current practice and research, to help software engineers, policy makers, and regulators build and assess software systems. This goal is organized into three phases: (1) the development of a comprehensive core framework of definitions, concepts, models, and templates for security and privacy regulatory compliance based on current practices and new research; (2) the identification and mitigation of gaps in particular phases of the SDLC that research and practice have not fully addressed (in particular testing and maintenance); and (3) a longitudinal mixed-method interaction with a variety of stakeholders to continuously explore current practices of organizations building software in regulated domains, identify gaps between research and practice, and iteratively evaluate this methodology. Upon completion, this framework will address management of intentional and unintentional regulatory ambiguity, improve communication between stakeholders from disparate domains (e.g., lawyers, policy makers, regulatory agencies, developers, managers, and testers), and ameliorate the dearth of methods for testing and maintaining regulatory compliance of software. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
