Experience with the System Security Engineering Capability Maturity Model(TM), Presented to INCOSE 96

1
Experience with the System Security Engineering Capability Maturity Model(TM)
Presented to INCOSE 96
Rick Hefner, TRW, One Space Park - R2/1104, Redondo Beach, CA 90278
David Hsiao, GRC International, Inc., 1900 Gallows Road, Vienna, VA 22182
Warren Monroe, Hughes Aircraft, Bldg. 675, M/S P343, Fullerton, CA 92634
2
SSE-CMM Project Background
  • Government acquisition agencies are driven to
    • Lower the cost of developing and maintaining systems
    • Improve consistency in meeting project schedule and budget
    • Select capable contractors
  • Few standards exist to judge corporate security engineering capabilities
    • Many engineering companies provide secure products, systems, and services
    • Wide variety in capabilities
    • Excessive time needed for product/system certification
  • Effort initiated to establish a commonly-accepted security engineering
    standard through a joint government/industry effort

3
SSE-CMM Project Participants (as of July 1996)
  • Air Force Information Warfare Center
  • Arca Systems, Inc.
  • BDM International Inc.
  • Booz-Allen-Hamilton, Inc.
  • Canadian Communications Security Establishment
  • Computer Sciences Corp.
  • Defense Information Systems Agency
  • E-Systems
  • Fuentez Systems Concepts
  • GRC International, Inc.
  • Harris Corp.
  • Hughes Aircraft
  • ITT
  • Loral Federal Systems
  • MITRE
  • National Center for Supercomputing Applications
  • National Security Agency
  • Naval Research Laboratory
  • National Institute for Standards and Technology
  • Office of the Secretary of Defense
  • San Antonio Air Logistics Center
  • Science Applications International Corp.
  • SPARTA, Inc.
  • Systems Research Applications Corp.
  • The Sachs Groups
  • TRW
  • Trusted Information Systems

4
SSE-CMM Project Structure
(Organization chart)
  • Steering Group
    • Chair
    • Project Leader
    • Committees
    • Technical Support
  • Author Group
    • Chair
    • Committees
    • Technical Support
    • Key Reviewers
  • Applications Group
    • Chair
    • Committees
    • Technical Support
    • Key Reviewers
  • Community Reviewers
5
SSE-CMM Model Structure
  • A model of fundamental security practices, based on the SPICE architecture

(Diagram: two dimensions of the model)
  • Domain dimension
    • Process Area Categories: Engineering, Project, Organization
    • Each category contains Process Areas; each Process Area is made up of
      Base Practices
  • Capability dimension
    • Capability Levels: Initial, Performed, Planned and Tracked, Well Defined,
      Quantitatively Controlled, Continuously Improving
    • Each level is made up of Common Features; each Common Feature is made up
      of Generic Practices
6
Domain Dimension
  • Based on the System Engineering Capability Maturity Model (SE-CMM)
  • Engineering process areas
    • System Engineering
    • Security Engineering
      • Specify Security Needs
      • Provide Security Input
      • Verify and Validate Security
      • Attack Security
      • Assess Operational Security Risk
      • Build Assurance Argument
      • Monitor System Security Posture
      • Administer Security Controls
      • Coordinate Security
      • Determine Security Vulnerabilities
  • Project process areas
    • Ensure Quality
    • Manage Configurations
    • Manage Risk
    • Monitor and Control Technical Effort
    • Plan Technical Effort
  • Organization process areas
    • Coordinate with Suppliers
    • Define Organization's Systems Engineering Process
    • Improve Organization's Systems Engineering Processes
    • Manage Product Line Evolution
    • Manage Systems Engineering Support Environment
    • Provide Ongoing Knowledge and Skills

7
Capability Dimension
  • Six levels of maturity, measured by increasing
    support for the practices

8
SSE-CMM Appraisal Process
  • An appraisal rates the capability of each process area

(Chart: capability profile. Vertical axis: Capability Level 0 to 5 (Initial,
Performed, Planned and Tracked, Well Defined, Quantitatively Controlled,
Continuously Improving). Horizontal axis: Process Areas PA 1 through 18, for
example Derive and Allocate Requirements and Analyze Candidate Solutions. One
bar per process area shows the level at which it was rated.)

9
Approach to Community Adoption
  • Encourage industry-wide participation
    • Recruit project participants
    • Publicize to security engineers and systems engineers through
      conferences and the WWW
  • Promote the SSE-CMM as a standard process within NSA, DISA, and NIST
    engineering and development organizations
    • Identify candidate procurements
    • Develop and document an approach for use in accreditation
    • Investigate impacts on the INFOWAR community
  • Promote the SSE-CMM as a standard process within SSE-CMM member
    engineering and development organizations
    • Conduct pilots
    • Interface with other CMM efforts

10
Current SSE-CMM Status
  • Draft model defined
  • SE-CMM appraisal method selected for use in initial pilot appraisals
  • First SSE-CMM pilot appraisal completed at TRW
  • Additional pilot appraisals scheduled for summer of 1996
    • Computer Sciences Corp.
    • Hughes

11
First Pilot Appraisal Results
  • The first SSE-CMM pilot appraisal was conducted at TRW in June 1996
    • 3 days; 10-member appraisal team drawn from TRW, government, and industry
    • Scope: security-specific portions of the model
  • Results
    • The SSE-CMM project identified possible improvements in the model and
      appraisal method
    • TRW identified improvement activities to further strengthen its
      security engineering practices

12
Next Actions
  • Update model and appraisal method based on initial pilot appraisal results
  • Public release
    • SSE-CMM Model Description Version 1.0
    • SSE-CMM Appraisal Methodology Version 1.0
  • Explore full pilot appraisals
    • Stand-alone, security aspects only
    • Add-on adjunct to a completed SE-CMM appraisal
    • Integrated joint SE/SSE-CMM appraisal

13
Points of Contact
  • Sponsor: John Adams, Department of Defense, 9800 Savage Road,
    Ft. Meade, MD 20755-6000, 410-859-6091
  • Project Leader: Victoria Thompson, Arca Systems, Inc., 8229 Boone Boulevard,
    Vienna, VA 22182, 703-734-5611
  • Steering Group Leader: Rick Hefner, TRW, One Space Park - R2/1104,
    Redondo Beach, CA 90278, 310-812-7290
  • Author Group Leader: Karen Ferraiolo, Arca Systems, Inc., 10320 Little
    Patuxent Pkwy, Suite 1005, Columbia, MD 21044, 410-715-0500
  • Application Group Leader: Warren Monroe, Hughes Aircraft, Bldg. 618,
    Fullerton, CA 92634-3310, 714-732-2887
  • SSE-CMM Web Site: http://www.ssecmm.ashton.csc.com

(TM) Capability Maturity Model is a service mark of Carnegie Mellon University.