
Achieving System and Software Assurance Through CMMI-Compliant Processes

Paul R. Croll
Chair, IEEE Software and Systems Engineering Standards Committee
Convener, ISO/IEC JTC1/SC7 WG9, System and Software Integrity
Computer Sciences Corporation
[email protected]

CMMI Technology Conference, Track 6, Thursday, 18 November 2004, 0855
Copyright ©2004 Paul R. Croll

Topics

• The Scope of System and Software Assurance
• Achieving System and Software Assurance Through CMMI-Compliant Processes
• The CMMI and Assurance
• Assurance in the Context of the Life Cycle
• Standards Supporting System and Software Assurance
• Implementing Assurance Processes

The Scope of System and Software Assurance

System and software assurance focuses on the management of risk and assurance of safety, security, and dependability within the context of system and software life cycles.

Terms of Reference: ISO/IEC JTC1/SC7 WG9, System and Software Integrity

Achieving System and Software Assurance Through CMMI-Compliant Processes

1. Understand Your Business Requirements for Assurance
2. Look to the CMMI for Assurance-Related Process Capability Expectations
3. Look to Standards for Assurance Process Detail
4. Build or Refine and Execute Your Assurance Processes

1. Understand Your Business Requirements for Assurance

Business Requirements for Assurance

What are your business requirements for System and Software Assurance?
• Business process requirements
• Legal and regulatory requirements
• Marketplace requirements
• Customer-specific requirements
• Product-specific requirements

2. Look to the CMMI for Assurance-Related Process Capability Expectations

The CMMI and Assurance

How does the CMMI support System and Software Assurance?

CMMI Assurance Shortfalls

• Inconsistent treatment of safety and security concerns
• Insufficient assurance detail in required and expected components
  • Specific goals
  • Specific practices
• Insufficient traceability to assurance source standards

CMMI – Process Areas and Assurance

Process Area | Explicit | Implicit | Supporting
(Each process area carries a single mark in one of the three columns.)

Process Management: OPF, OPD, OT, OPP, OID
Project Management: PP, PMC, SAM, IPM, RSKM, IT, ISM, QPM
Engineering: REQM, RD, TS, PI, VER, VAL
Support: CM, PPQA, MA, DAR, OEI, CAR

CMMI – Project Management Process Areas and Assurance

• Project Planning (PP)
• Project Monitoring and Control (PMC)
• Supplier Agreement Management (SAM)
• Risk Management (RSKM)

CMMI – Project Management Assurance Objectives - PP

Project Planning

• Determine the technical approach for the project, including the functionality expected in the final products, such as safety and security.
• Estimate effort and cost using models and/or historical data, including inputs related to the level of security required for tasks, work products, hardware, software, personnel, and work environment.
• Plan for the management of project data, including data supporting safety.
• Establish requirements and procedures to ensure privacy and security of the data.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

CMMI – Project Management Assurance Objectives - PMC

Project Monitoring and Control

• Monitor resources provided and used, including the security environment.
• Collect and analyze issues and determine the corrective actions necessary to address the issues, including security issues.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

CMMI – Project Management Assurance Objectives - SAM

Supplier Agreement Management

• Evaluate the impact of candidate COTS products on the project's plans and commitments, including security requirements.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

CMMI – Project Management Assurance Objectives - RSKM

Risk Management

• Identify the risks associated with cost, schedule, and performance in all appropriate product life-cycle phases, including risks associated with maintaining safety and security performance.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

CMMI – Engineering Process Areas and Assurance

• Requirements Development (RD)
• Technical Solution (TS)
• Product Integration (PI)
• Verification* (VER)
• Validation* (VAL)

*Implicit

CMMI – Engineering Assurance Objectives - RD

Requirements Development

• Analyze needs and requirements for each product life-cycle phase, including factors that reflect overall customer and end-user expectations and satisfaction, such as safety, security, and affordability.
• Ensure that the design adheres to applicable design standards and criteria, including safety standards.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

CMMI – Engineering Assurance Objectives - TS

Technical Solution

• Design comprehensive product-component interfaces in terms of established and maintained criteria, including safety and security.
• Adhere to applicable standards and criteria, including safety standards.
• Train the people performing or supporting the technical solution process as needed, including safety standards.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

CMMI – Engineering Assurance Objectives - PI

Product Integration

• Satisfy the applicable requirements and standards for packaging and delivering the product, including those for safety and security.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

CMMI – Engineering Assurance Objectives - VER

Verification*

• Establish and maintain the environment needed to support verification. For example, a product test may require simulators, emulators, scenario generators, data reduction tools, environmental controls, and interfaces with other systems.
• Establish and maintain verification procedures and criteria for the selected work products.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

*Implicit

CMMI – Engineering Assurance Objectives - VAL

Validation*

• Establish and maintain the environment needed to support validation.
• Establish and maintain procedures and criteria for validation to ensure that the product or product component will fulfill its intended use when placed in its intended environment.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

*Implicit

CMMI – Support Process Areas and Assurance

• Configuration Management (CM)
• Product and Process Quality Assurance* (PPQA)
• Measurement and Analysis* (MA)
• Decision Analysis and Resolution (DAR)
• Organizational Environment for Integration (OEI)
• Causal Analysis and Resolution (CAR)

*Implicit

CMMI – Support Assurance Objectives - CM

Configuration Management

• Perform reviews to ensure that changes have not compromised the safety and/or security of the system.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

CMMI – Support Assurance Objectives - PPQA

Product and Process Quality Assurance*

• Objectively evaluate the designated work products and services against the applicable process descriptions, standards, and procedures.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

*Implicit

CMMI – Support Assurance Objectives - MA

Measurement and Analysis*

• Establish and maintain measurement objectives that are derived from identified information needs and objectives. The sources for measurement objectives may be management, technical, project, product, or process implementation needs.
• Specify measures to address the measurement objectives. Measurement objectives are refined into precise, quantifiable measures.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

*Implicit

CMMI – Support Assurance Objectives - DAR

Decision Analysis and Resolution

• Establish and maintain guidelines to determine which issues are subject to a formal evaluation process. For example, on design-implementation decisions when technical performance failure may cause a catastrophic failure (e.g., a safety-of-flight item).

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

CMMI – Support Assurance Objectives - OEI

Organizational Environment for Integration

• Plan, design, and implement an integrated work environment, including tradeoff of safety and security costs and benefits.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

CMMI – Support Assurance Objectives - CAR

Causal Analysis and Resolution

• Determine which defects and other problems will be analyzed further, including safety impact considerations.

Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.

Beyond The CMMI

Safety and Security Extensions for Integrated Capability Maturity Models

Source: United States Federal Aviation Administration, Safety and Security Extensions for Integrated Capability Maturity Models, September 2004

1. Ensure Safety and Security Competency
2. Establish Qualified Work Environment
3. Ensure Integrity of Safety and Security Information
4. Monitor Operations and Report Incidents
5. Ensure Business Continuity
6. Identify Safety and Security Risks
7. Analyze and Prioritize Risks
8. Determine, Implement, and Monitor Risk Mitigation Plan
9. Determine Regulatory Requirements, Laws, and Standards
10. Develop and Deploy Safe and Secure Products and Services
11. Objectively Evaluate Products
12. Establish Safety and Security Assurance Arguments
13. Establish Independent Safety and Security Reporting
14. Establish a Safety and Security Plan
15. Select and Manage Suppliers, Products, and Services
16. Monitor and Control Activities and Products

www.faa.gov/ipg

3. Look to Standards for Assurance Process Detail

Standards Supporting System and Software Assurance

What Standards Support System and Software Assurance?

Dependability Standards

Adapted from James W. Moore, Software Engineering Standards: A User's Road Map, IEEE Computer Society Press, Los Alamitos, CA, 1997

The diagram arranges ISO and IEC standards under Risk Management, Risk Analysis, Risk Control, and Achieving Confidence:

• IEC 50-191, Dependability vocabulary
• IEC 300-1, Programme management
• IEC 300-2, Programme elements & tasks
• IEC 300-3-6, SW aspects of dependability
• IEC 300-3-9, Risk analysis of technological systems
• IEC 812, Failure mode and effects analysis
• IEC 1025, Fault tree analysis
• ISO/IEC 15026, Integrity levels
• ISO/IEC 16085, Risk Management
• ISO/IEC NWI 61720, Tech. & tools for confidence
• ISO/IEC 15288, System life cycle processes
• ISO/IEC 12207, SW life cycle processes

Safety and Security Standards

The diagram groups standards from IEC, IEEE CS, ISO, RTCA, and military sources into Safety and Security:

Safety
• IEC 61508, Functional Safety (with Sector-Specific Standards)
• IEC 60880, SW in nuclear power safety systems
• IEEE 1228, SW safety plans
• MIL-STD-882D, Standard Practice for System Safety
• DEF STAN 00-56, Safety Management Requirements for Defence Systems (Military Standards)
• DO 178B, SW considerations in airborne equipment certification (RTCA)

Security
• ISO/IEC 9796, Digital Security Schemes
• ISO/IEC 10181, Security frameworks for open systems
• ISO/IEC 15408, Common Criteria for IT Security Evaluation
• ISO/IEC 17799, Code of Practice for Information Security Management
• ISO/IEC 21827, Systems Security Engineering CMM
• IEEE P1619, Standard Architecture for Encrypted Shared Storage Media
• IEEE P2200, Baseline Operating System Security
• IEEE P1700, Security Architecture for Certification and Accreditation of Information

FISMA Legislation

“Each Federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…”

– Federal Information Security Management Act of 2002

Source: FISMA Implementation Project, Dr. Ron Ross, NIST, April 2004

NIST FISMA Implementation Project Standards and Guidelines

• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-37 (Certification & Accreditation)
• NIST Special Publication 800-53 (Security Controls)
• NIST Special Publication 800-53A (Assessment)
• NIST Special Publication 800-59 (National Security)
• NIST Special Publication 800-60 (Category Mapping)
• FIPS Publication 200 (Minimum Security Controls)

Source: FISMA Implementation Project, Dr. Ron Ross, NIST, April 2004

Use CMMI-Compliant Processes to Achieve System and Software Assurance

4. Build or Refine and Execute Your Assurance Processes
Have you addressed the assurance implications of your CMMI-compliant processes?

1. Understand Your Business Requirements for Assurance
Do your assurance processes meet your business requirements?
• Business process requirements
• Legal and regulatory requirements
• Marketplace requirements
• Customer-specific requirements
• Product-specific requirements

Achieving System and Software Assurance Through CMMI-Compliant Processes

1. Understand Your Business Requirements for Assurance
2. Look to the CMMI for Assurance-Related Process Capability Expectations
3. Look to Standards for Assurance Process Detail
4. Build or Refine and Execute Your Assurance Processes

For More Information . . .

Paul R. Croll
Computer Sciences Corporation
5166 Potomac Drive
King George, VA 22485-5824

Phone: +1 540.644.6224
Fax: +1 540.663.0276
e-mail: [email protected]

For IEEE Standards:
http://computer.org/standards/sesc/
http://ieeeia.org/iasc/
http://computer.org/cspress/CATALOG/st01110.htm

For ISO/IEC Standards:
http://saturne.info.uqam.ca/Labo_Recherche/Lrgl/sc7/