1. System Security Engineering - Capability Maturity Model (SSE-CMM) Project Status Report
Ron Knode, Computer Sciences Corporation
SSE-CMM Project Steering Group Chair
4 June 1998
2. Overview
Project Status - Ron Knode
NSA - Mary Schanken
CSE - Steve Booth
FAA - Ron Knode
CSIS - Ron Thompson
E&Y Canada - Chris Pick
EWA Canada - Jim Robbins
CSC - Ron Knode
Others
3. Topics
SSE-CMM Project Goals
Accomplishments
Current Activities
Reflections of the SSE-CMM
Future Plans
Project Schedule
4. Why was the SSE-CMM developed? (History)
Objective
advance security engineering as a defined, mature, and measurable discipline
Project Goal
Develop a mechanism to enable:
selection of appropriately qualified security engineering providers
focused investments in security engineering practices
capability-based assurance
Why the CMM approach?
accepted way of improving process capability
increasing use in acquisition as indicator of process capability
5. Envisioned Uses
Engineering Organizations
Define processes / practices
Use for competitive edge (in source selections)
Focus improvement efforts
Acquirers
Standard RFP language and bidder evaluation
Understanding programmatic risks
Avoid protests (uniform assessments)
Greater level of confidence in end results
Security Evaluation Organizations
Alternative to extensive evaluation/re-evaluation
confidence in integration of security engineering with other disciplines
confidence in end results
6. Project Structure (2nd Phase)
7. Points of Contact
Project Sponsor:
Mary Schanken
NSA, V243
410-859-6094
schanken@romulus.ncsc.mil
Steering Group:
Ron Knode
Computer Sciences Corporation
410-691-6580
rknode@csc.com
Model Maintenance:
Jeff Williams
Arca Systems, Inc.
703-734-5611
williams@arca.com
Appraisal Method:
Mal Fordham
IIT Research Institute
301-918-1022
mfordham@atg.iitri.com
8. Project Participants
45 pioneers
9. Project History/Accomplishments
April 93 - December 94: Initial R&D
January 95: 1st Public Workshop; Working Groups Formed
Summer/Fall 96: SSE-CMM Pilot Program
October 96: SSE-CMM v1.0; Early SSE-CMM Pilot Results
Spring 97: Appraisal Method v1.0
Summer 97: SSE-CMM v1.1; Appraisal Method v1.1; Pilot Results
14-17 July 97: 2nd Public Workshop
10. Pilot Sites
TRW: System Integrator
CSC: Service Provider - Risk Assessment
Hughes: System Integrator
GTIS (Canada): Service Provider - Certification Authority
Data General: Product Vendor
11. Current Activities
The Project
pursuing ISO standard
planning for transition to new support organization (July 1999)
seeking more commitments of intended use by acquisition organizations
The Model
updating risk-related process areas
reviewing SEI CMM Integration Project results
12. Current Activities (cont.)
The Appraisal Method
updating to accommodate 3rd party capability evaluations (available May 1999)
Assurance
researching security metrics
Support Activities
developing plan for qualification of SSE-CMM appraisers
researching approaches for uniformity of appraisals
designing SSE-CMM data repository
13. Reflections of the SSE-CMM: Where is it taking hold?
US National Security Agency (NSA)
Canadian Communications Security Establishment (CSE)
US Federal Aviation Administration (FAA)
(Draft) FAA Order 1600.69 (FAA Information Systems Security Program)
14. Reflections of the SSE-CMM: More applications and opportunities
Canadian Security Intelligence Service (CSIS)
Ernst & Young
Electronic Warfare Associates (EWA)
Computer Sciences Corporation (CSC)
Others ...
15. Working Group Schedule (This is your chance!! Join now!)
Meetings are held the 2nd week of each month:
Monday: Profiles, Assurance, and Metrics; Life Cycle Support
Tuesday: Model Maintenance
Wednesday: Sponsorship, Planning, and Adoption
Thursday: Steering Group
Friday: Appraisal Method
16. Future Plans
Oct 98: Model v2.0; Appraisal Method v2.0 (Draft)
Oct 98: ISO submission - Project transition phase
Oct 98 - Feb 99: Conduct Appraisal Method beta testing (?)
May 99: Appraisal Method v2.0 published
July 99: SSE-CMM “Project” phase ends - new support organization begins operations
17. SSE-CMM Overview
18. SSE-CMM Model Architecture (based on SE-CMM Architecture)
19. Security Engineering Process Areas
Administer System Security Controls
Assess Impacts
Assess Risk
Assess Threats
Assess Vulnerabilities
Build Assurance Argument
Coordinate Security
Monitor System Security Posture
Provide Security Input
Specify Security Needs
Verify and Validate Security
(Speaker note: Reference the SSE-CMM - review goals of the PAs.)
20. Basis for Engineering Process Areas (Security Engineering Providers)
The Security Engineering PAs were developed from the perspective of what providers provide and what people want to “buy” with respect to security engineering services.
21. Project/Organization PAs (based on SE-CMM with Security Considerations)
Project
Ensure Quality
Manage Configurations
Manage Program Risk
Monitor and Control Technical Effort
Plan Technical Effort
Organization
Define Organization’s Security Engineering Process
Improve Organization’s Security Engineering Process
Manage Security Product Line Evolution
Manage Security Engineering Support Environment
Provide Ongoing Skills and Knowledge
Coordinate with Suppliers
The Project and Organization PAs were adopted from the SE-CMM and interpreted for the security engineering domain, where needed.
22. Using the SSE-CMM
23. Appraisal Results: a Rating Profile
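The slide's rating-profile chart did not survive extraction. As an added example (not from the slides, and not the SSE-CMM project's own appraisal tooling), the Python below computes the kind of profile the chart shows: one capability level per process area, derived from how each common feature was rated during the appraisal, plus the gap list an acquirer would use when an RFP demands a target level. The capability-level names and common features are listed from my recollection of the SSE-CMM model, not from this page; the rating rule (a PA is rated at the highest level N such that every common feature of levels 1..N is satisfied, with a missing or "not rated" feature treated as unsatisfied) is an assumption of this example; and the appraisal findings are constructed sample data.

```python
"""Compute an SSE-CMM-style rating profile from appraisal findings.

Added example; not the SSE-CMM project's own appraisal tooling.
ASSUMPTIONS (not stated on the slides):
  * capability levels 1-5 and their common features are listed from the
    author's recollection of the SSE-CMM model;
  * rating rule used here: a process area (PA) is rated at level N when every
    common feature of every level 1..N is "satisfied"; a "partial",
    "unsatisfied", "not rated" or missing feature caps the PA below that level.
"""

# Capability levels and their common features (assumed, see module docstring).
COMMON_FEATURES: dict[int, tuple[str, ...]] = {
    1: ("1.1 Base Practices Are Performed",),
    2: ("2.1 Planning Performance", "2.2 Disciplined Performance",
        "2.3 Verifying Performance", "2.4 Tracking Performance"),
    3: ("3.1 Defining a Standard Process", "3.2 Perform the Defined Process",
        "3.3 Coordinate Practices"),
    4: ("4.1 Establishing Measurable Quality Goals",
        "4.2 Objectively Managing Performance"),
    5: ("5.1 Improving Organizational Capability",
        "5.2 Improving Process Effectiveness"),
}
LEVEL_NAMES = {0: "Not Performed", 1: "Performed Informally",
               2: "Planned and Tracked", 3: "Well Defined",
               4: "Quantitatively Controlled", 5: "Continuously Improving"}
RATINGS = ("satisfied", "partial", "unsatisfied", "not rated")


def rate_process_area(findings: dict[str, str]) -> int:
    """Return the capability level (0-5) for one PA.

    `findings` maps a common-feature name to one of RATINGS. Levels must be
    contiguous: a gap at level 1 keeps the PA at 0 even if level 2 looks fine.
    """
    for name, rating in findings.items():
        if rating not in RATINGS:
            raise ValueError(f"unknown rating {rating!r} for {name!r}")
    level = 0
    for lvl in range(1, 6):
        if all(findings.get(cf, "not rated") == "satisfied"
               for cf in COMMON_FEATURES[lvl]):
            level = lvl
        else:
            break
    return level


def rating_profile(appraisal: dict[str, dict[str, str]]) -> dict[str, int]:
    """Rating profile: PA name -> capability level."""
    return {pa: rate_process_area(f) for pa, f in appraisal.items()}


def gaps_against_target(profile: dict[str, int],
                        target: dict[str, int]) -> dict[str, int]:
    """PAs whose appraised level falls short of the target, with the shortfall.
    An unappraised PA counts as level 0 (conservative for an acquirer)."""
    return {pa: lvl - profile.get(pa, 0)
            for pa, lvl in target.items() if profile.get(pa, 0) < lvl}


def render_profile(profile: dict[str, int]) -> str:
    """Text bar chart in the spirit of the slide's rating profile."""
    return "\n".join(f"{pa:<34} {'#' * lvl:<5} {lvl} {LEVEL_NAMES[lvl]}"
                     for pa, lvl in profile.items())


def satisfied_through(level: int) -> dict[str, str]:
    """Helper to build findings with every feature up to `level` satisfied."""
    return {cf: "satisfied"
            for lv in range(1, level + 1) for cf in COMMON_FEATURES[lv]}


# Constructed sample findings for four of the security engineering PAs.
SAMPLE_APPRAISAL = {
    # level-2 complete, level-3 only partly done -> rated 2
    "Assess Risk": satisfied_through(2) | {
        "3.1 Defining a Standard Process": "satisfied",
        "3.2 Perform the Defined Process": "partial"},
    "Specify Security Needs": satisfied_through(3),          # -> 3
    # only one level-2 feature looked at; the rest are "not rated" -> 1
    "Build Assurance Argument": {"1.1 Base Practices Are Performed": "satisfied",
                                 "2.1 Planning Performance": "satisfied"},
    "Monitor System Security Posture": {
        "1.1 Base Practices Are Performed": "unsatisfied"},  # -> 0
}
# e.g. RFP language: "level 2 across these PAs" (constructed target)
SAMPLE_TARGET = {pa: 2 for pa in SAMPLE_APPRAISAL}

if __name__ == "__main__":
    prof = rating_profile(SAMPLE_APPRAISAL)
    print(render_profile(prof))
    print("gaps vs target:", gaps_against_target(prof, SAMPLE_TARGET))
```

The contiguity rule in `rate_process_area` is the part worth noticing: an organisation that has a defined, documented process (level-3 features) but cannot show its base practices are actually performed is rated 0, not 3, which is what keeps a profile honest as an acquisition signal.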
24. The Appraisal Process (based on the SE-CMM Appraisal Method)
25. Using the SSE-CMM