Title: Experience with the System Security Engineering Capability Maturity Model™ Presented to INCOSE 96
1 Experience with the System Security Engineering Capability Maturity Model™
Presented to INCOSE 96
Rick Hefner, TRW, One Space Park - R2/1104, Redondo Beach, CA 90278
David Hsiao, GRC International, Inc., 1900 Gallows Road, Vienna, VA 22182
Warren Monroe, Hughes Aircraft, Bldg. 675, M/S P343, Fullerton, CA 92634
2 SSE-CMM Project Background
- Government acquisition agencies are driven to
- Lower the cost of developing and maintaining systems
- Improve consistency in meeting project schedule and budget
- Select capable contractors
- Few standards exist to judge corporate security engineering capabilities
- Many engineering companies provide secure products, systems, and services
- Wide variety in capabilities
- Excessive time needed for product/system certification
- Effort initiated to establish a commonly-accepted security engineering standard through a joint government/industry effort
3 SSE-CMM Project Participants (as of July 1996)
- Air Force Information Warfare Center
- Arca Systems, Inc.
- BDM International Inc.
- Booz-Allen-Hamilton, Inc.
- Canadian Communications Security Establishment
- Computer Sciences Corp.
- Defense Information Systems Agency
- E-Systems
- Fuentez Systems Concepts
- GRC International, Inc.
- Harris Corp.
- Hughes Aircraft
- ITT
- Loral Federal Systems
- MITRE
- National Center for Supercomputing Applications
- National Security Agency
- Naval Research Laboratory
- National Institute for Standards and Technology
- Office of the Secretary of Defense
- San Antonio Air Logistics Center
- Science Applications International Corp.
- SPARTA, Inc.
- Systems Research Applications Corp.
- The Sachs Groups
- TRW
- Trusted Information Systems
4 SSE-CMM Project Structure
[Organization chart. Box labels: Project Leader; Steering Group, Author Group and Applications Group; Chair, Committees and Technical Support (three of each); Key Reviewers (two); Community Reviewers]
5 SSE-CMM Model Structure
- A model of fundamental security practices, based on the SPICE architecture
[Figure: two-dimensional model structure. Domain axis: Engineering, Project and Organization Process Area Categories, with Process Areas and Base Practices. Capability axis: Capability Levels Initial, Performed, Planned & Tracked, Well Defined, Quantitatively Controlled and Continuously Improving, with Common Features and Generic Practices]
6 Domain Dimension
- Based on the System Engineering Capability Maturity Model
- System Engineering
- Security Engineering
- Specify Security Needs
- Provide Security Input
- Verify and Validate Security
- Attack Security
- Assess Operational Security Risk
- Build Assurance Argument
- Monitor System Security Posture
- Administer Security Controls
- Coordinate Security
- Determine Security Vulnerabilities
- Project
- Ensure Quality
- Manage Configurations
- Manage Risk
- Monitor and Control Technical Effort
- Plan Technical Effort
- Organization
- Coordinate with Suppliers
- Define Organization's Systems Engineering Process
- Improve Organization's Systems Engineering Processes
- Manage Product Line Evolution
- Manage Systems Engineering Support Environment
- Provide Ongoing Knowledge and Skills
7 Capability Dimension
- Six levels of maturity, measured by increasing support for the practices
8 SSE-CMM Appraisal Process
- An appraisal rates the capability of each process area
[Figure: rating profile chart. Vertical axis: Capability Level (0 to 5). Horizontal axis: PA (1 through 18). Inset of the model structure showing the Capability Levels Initial through Continuously Improving and example Process Areas Derive and Allocate Requirements and Analyze Candidate Solutions]
9 Approach to Community Adoption
- Encourage industry-wide participation
- Recruit project participants
- Publicize to security engineers and systems engineers through conferences and WWW
- Promote the SSE-CMM as a standard process within NSA, DISA, and NIST engineering and development organizations
- Identify candidate procurements
- Develop / document approach for use in accreditation
- Investigate impacts on the INFOWAR community
- Promote the SSE-CMM as a standard process within SSE-CMM member engineering and development organizations
- Conduct pilots
- Interface with other CMM efforts
10 Current SSE-CMM Status
- Draft model defined
- SE-CMM appraisal method selected for use in initial pilot appraisals
- First SE-CMM pilot appraisal completed at TRW
- Additional pilot appraisals scheduled for summer of 1996
- Computer Science Corporation
- Hughes
11 First Pilot Appraisal Results
- The first SSE-CMM pilot appraisal was conducted at TRW in June 1996
- 3 days, 10 member appraisal team from TRW, government, and industry
- Security-specific portions of the model
- Results
- The SSE-CMM project identified possible improvements in the model and appraisal method
- TRW identified improvement activities to further strengthen their security engineering practices
12 Next Actions
- Update model and appraisal method based on initial pilot appraisal results
- Public release
- SSE-CMM Model Description Version 1.0
- SSE-CMM Appraisal Methodology Version 1.0
- Explore full pilot appraisals
- Stand-alone security aspects only
- Add-on adjunct to a completed SE-CMM appraisal
- Integrated joint SE/SSE-CMM appraisal
13 Points of Contact
- Sponsor
- John Adams
- Department of Defense
- 9800 Savage Road
- Ft. Meade, MD 20755-6000
- 410-859-6091
- Project Leader
- Victoria Thompson
- Arca Systems, Inc.
- 8229 Boone Boulevard
- Vienna, VA 22182
- 703-734-5611
- Steering Group Leader
- Rick Hefner
- TRW
- One Space Park - R2/1104
- Redondo Beach, CA 90278
- 310-812-7290
- Author Group Leader
- Karen Ferraiolo
- Arca Systems, Inc.
- 10320 Little Patuxent Pkwy, Suite 1005
- Columbia, MD 21044
- 410-715-0500
- Application Group Leader
- Warren Monroe
- Hughes Aircraft
- Bldg. 618
- Fullerton, CA 92634-3310
- 714-732-2887
SSE-CMM Web Site: http://www.ssecmm.ashton.csc.com
™ Capability Maturity Model is a service mark of Carnegie Mellon University