Safety and Security Extensions to CMMI and iCMM - PowerPoint PPT Presentation
1
Safety and Security Extensions to CMMI and iCMM
Matt Ashford, Directorate of Process Improvement, Defence Materiel Organisation
Joe Jarzombek, PMP, Deputy Director for Software Assurance, Information Assurance Directorate, Office of Assistant Secretary of Defense
Linda Ibrahim, PhD, Chief Engineer for Process Improvement, U.S. Federal Aviation Administration
Presented to 9th Australian Workshop on Safety Related Programmable Systems, 19 August 2004
Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University
2
Topics
  • Background
  • What's Been Done
  • The Way Ahead

3
Background
  • Criticality: Safety and security are critical to both DoD and FAA, as well as other government and industry organizations
    • E.g., UK MOD sponsoring integration of safety and security accreditation/certification (SafSec)
  • Common Interest: iCMM and CMMI interest in safety/security
    • FAA approved project to include both safety and security in FAA integrated CMM (iCMM)
    • CMMI Steering Group discussed addressing safety and security yet decided to stabilize CMMI at v1.1 for a few years
  • Frameworks: Both CMMI and iCMM provide frameworks in which safety and security activities can take place

4
Background (continued)
  • Collaboration: DoD and FAA decided to collaborate on developing safety/security extensions to both iCMM and CMMI
    • Joint FAA/DoD sponsored project launched with broad participation
      • government, industry, SEI; team members from UK and Australia
  • Objectives:
    • identify and harmonize best standards-based safety and security practices
    • include as common content in both iCMM and CMMI

5
Background (continued)
  • Intended usage: safety and security practices intended for process improvement in several contexts
    • Strategically: to support enterprise-wide safety and security work
    • Program-level: in any program/organization that deals with safety and security of products and services
      • including development, maintenance, operation and support
    • Work Environment: by those groups responsible for a safe and secure work environment
    • Acquisition: by acquisition programs in evaluating the capability of suppliers to deliver safe and secure products and services.

6
What's Been Done: Current Status
  • Source standards selected
  • Practices synthesized and harmonized
  • Practices aligned with reference models
  • Two external reviews performed
  • Pilot appraisals completed or in progress

7
Source Documents Selected
  • Safety Sources: Three standards selected
    • MIL-STD-882C System Safety Program Requirements
    • IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Systems
    • DEF STAN 00-56 Safety Management Requirements for Defence Systems
  • Security Sources: Four standards selected
    • ISO 17799 Information Technology - Code of practice for information security management
    • ISO 15408 The Common Criteria (v 2.1) Mapping of Assurance Levels and Families
    • ISO/IEC 21827 SSE-CMM Systems Security Engineering CMM (v2.0)
    • NIST 800-30 Risk Management Guide for Information Technology Systems
  • Traceability required between extension and source documents
    • Mapping tables demonstrate coverage of source documents and the sources for each practice

8
Best Practices Synthesized, Harmonized and Reviewed
  • Synthesis: Safety practices and security practices synthesized
    • Source documents for each area mapped together at high level
    • Practices synthesized from similar practices/clauses/activities pertaining to common outcomes
    • Practice-level mappings to source material retained
  • Harmonization: Practices harmonized
    • Safety and security practices harmonized, resulting in common set of practices and harmonized terminology when possible
  • Review: Harmonized practices distributed for first external review
    • Community agreement on selected source standards
    • Over 200 comments received from reviewers in US, Australia, and various European countries
  • Revision: Comments dispositioned by team; practices revised

9
Relation of Practices to iCMM and CMMI
  • Analysis: Revised harmonized practices analyzed with respect to reference models
    • Need new process areas? Just need to amplify/elaborate what's already there? Need new practices?
  • Coverage: Most harmonized safety and security practices already addressed to varying extents in existing Process Areas (PAs)
    • They can be implemented by performing existing practices of iCMM and/or CMMI, in the context of safety and security
  • Need more focused coverage: Some CMMI or iCMM practices need more focused coverage/interpretation for safety and security
    • There is some guidance; additional emphasis desirable
  • Need visibility: currently no easy mechanism to identify which practices are required for appraisal or process improvement purposes

10
Packaging of Practices
  • Conclusion:
    • A Safety and Security Application Area is proposed, has been drafted, and distributed in second external review
    • A Work Environment Process Area is proposed, has been drafted, and distributed in second external review

11
What's an Application Area?
  • An Application Area (AA) looks like a PA
    • Has a purpose and goals (outcomes) particular to the application, and practices considered essential for achieving the purpose and outcomes
  • Application Practices: An AA identifies and describes best practices (application practices) associated with the application, drawn from source standards and documents
    • Provides practice description, typical work products, informative material, notes, interpretative guidance
  • BUT uses existing process areas and practices
    • Identifies existing implementing practices in one or both reference models that would be performed to implement application practices to achieve purpose and outcomes
    • Draws on breadth and depth of reference models for details of application practices; avoids needless redundancy

12
What's an Application Area? (continued)
  • Visibility and Usability: Keeps application practices visible, for both process improvement and appraisal purposes
    • Provides a guide for identifying selected process areas and practices in a reference model that need to be implemented in application context
  • Appraisal: Is appraised by appraising associated implementing practices in the reference models, as interpreted by the application
    • Generic practices apply
    • An application area can be at any capability level

13
The Safety and Security Application Area
  • Note: This is work in progress!
  • Purpose: To establish and maintain a safety and security capability, define and manage requirements based on risks attributable to threats, hazards and vulnerabilities, and assure that products and services are safe and secure.
  • The Safety and Security Application Area has 4 goals and 16 application practices.

14
Safety and Security Application Practices
  • Goal 1: An infrastructure for safety and security is established and maintained.
    • Ensure Safety and Security Competency: Ensure safety and security awareness, guidance and competency.
    • Establish Qualified Work Environment: Establish and maintain a qualified work environment that meets safety and security needs.
    • Control Information: Establish and maintain storage, protection and access and distribution control to assure the integrity of information.
    • Monitor Incidents: Monitor, report, and analyze safety and security incidents and identify potential corrective actions.
    • Ensure Business Continuity: Plan and provide for continuity of activities with contingencies for threats and hazards to operations and the infrastructure.

15
Safety and Security Application Practices (continued)
  • Goal 2: Safety and security risks are identified and managed.
    • Identify Safety and Security Risks: Identify risks and sources of risks attributable to vulnerabilities, security threats, and safety hazards.
    • Analyze and Prioritize Risks: For each risk associated with safety or security, determine the causal factors, estimate the consequence and likelihood of an occurrence and determine relative priority.
    • Determine, Implement and Monitor Risk Mitigation Plan: For each risk associated with safety or security, determine, implement and monitor the risk mitigation plan to achieve an acceptable level of risk.

16
Safety and Security Application Practices (continued)
  • Goal 3: Safety and security requirements are satisfied.
    • Identify Regulatory Requirements, Laws and Standards: Identify and document applicable regulatory requirements, laws, standards, policies, and acceptable levels of safety and security.
    • Establish Safety and Security Requirements and Design: Establish and maintain safety and security requirements, including integrity levels, and design the product or service to meet them.
    • Objectively Evaluate Products: Objectively verify and validate work products and delivered products and services to assure safety and security requirements have been achieved and services fulfill intended use.
    • Establish Safety and Security Assurance Argument: Establish and maintain safety and security assurance arguments and supporting evidence throughout the lifecycle.

17
Safety and Security Application Practices (continued)
  • Goal 4: Activities and products are managed to achieve safety and security requirements and objectives.
    • Establish Independent Safety and Security Reporting: Establish and maintain independent reporting of safety and security status and issues.
    • Establish a Safety and Security Assurance Plan: Establish and maintain a plan to achieve safety and security assurance requirements and objectives.
    • Select and Manage Suppliers, Products and Services: Select and manage products and suppliers using safety and security criteria.
    • Monitor and Control Activities and Products: Measure, monitor and review safety and security activities against plans, control products, take corrective action, and improve processes.

18
Safety and Security draws on Practices from the following PAs
19
Work Environment Process Area
  • Note: This is work in progress!
  • Purpose: To ensure people have working procedures and infrastructure to meet stakeholder needs.
  • Goal: A work environment that meets stakeholder needs is established and maintained.
  • Practices:
    • Determine work environment needs: Establish and maintain the needs and requirements to implement, operate and sustain work environments.
    • Establish work environment standards: Establish and maintain a description of work environment standards and tailoring guidelines that meet identified needs and requirements.
    • Establish work environment: Establish and maintain a work environment, tailored from the work environment standards, to meet the specific needs.

20
Work Environment Process Area (continued)
  • Practices (continued):
    • Maintain the qualification of components: Maintain the required qualification of work environment components.
    • Maintain the qualification of personnel: Ensure that personnel have the required competencies and qualifications to access, use, and maintain the work environment.
    • Maintain technology awareness: Monitor, evaluate and insert, as appropriate, new technology for improving the work environment.
    • Ensure continuity of work environment: Plan and provide for continuity of the work environment.

21
Reviews and Pilot Appraisals
  • Second review package distributed for international review
    • Included introduction and overview, safety and security assurance application area (with glossary), work environment process area
    • About 400 comments received from reviewers in US, UK, Australia, Canada, and France
    • Comments being dispositioned by team, to be incorporated as appropriate in final product
  • Pilot appraisals
    • Two completed in FAA, one in progress in a company, one in progress in another government agency
    • These are ARC Class C appraisals, for validation of practices
    • Appraisal feedback will be incorporated

22
The Way Ahead
  • Revision based on review and pilot appraisals
  • Final packaging, to include
    • Front matter
    • Safety and Security Application Area
    • Work Environment Process Area
    • Guidance material
    • Consolidated Glossary
    • Mapping to source material
  • Publication and Use!!

23
What about SAFE?
  • SAFE is a DMO initiative to develop a safety extension for the CMMI
    • Version 1 released for comment and use (Dec 01)
  • Safety and Security Extensions and SAFE are independent efforts, however
    • Safety co-lead was also on SAFE development team
    • The two efforts are more similar than dissimilar
    • Majority of safety source standards are common
  • Primary differences of Safety and Security Extension
    • Integration of security practices
    • Documented mapping to source standards
    • Applicable to both CMMI and iCMM
    • Application Area concept vs. additional Process Areas

24
What about SAFE? (continued)
  • Safety and Security Extensions are not yet mature enough for DMO use
  • DMO is committed to continued use and update of SAFE
    • More than 15 SAFE appraisals already conducted within defence industry and DMO
    • External usage has been reported
    • SAFE Version 2 due for release Dec 04
      • No structural changes anticipated
  • Future of SAFE will be, and should be, influenced by outcome of Safety and Security Extension effort

25
Contact Information
  • For more information, please contact
    • matt.ashford_at_defence.gov.au
    • or linda.ibrahim_at_faa.gov
    • or joe.jarzombek_at_osd.mil
  • Information available on-line at http://www.faa.gov/ipg