Achieving System and Software Assurance Through CMMI-Compliant Processes
Paul R. Croll
Chair, IEEE Software and Systems Engineering Standards Committee
Convener, ISO/IEC JTC1/SC7 WG9, System and Software Integrity
Computer Sciences Corporation
[email protected]
CMMI Technology Conference, Track 6, Thursday, 18 November 2004, 0855 Copyright ©2004 Paul R. Croll
Topics
• The Scope of System and Software Assurance
• Achieving System and Software Assurance Through CMMI-Compliant Processes
• The CMMI and Assurance
• Assurance in the Context of the Life Cycle
• Standards Supporting System and Software Assurance
• Implementing Assurance Processes
The Scope of System and Software Assurance
System and software assurance focuses on the management of risk and assurance of safety, security, and dependability within the context of system and software life cycles.
Terms of Reference: ISO/IEC JTC1/SC7 WG9, System and Software Integrity
Achieving System and Software Assurance Through CMMI-Compliant Processes
1. Understand Your Business Requirements for Assurance
2. Look to the CMMI for Assurance-Related Process Capability Expectations
3. Look to Standards for Assurance Process Detail
4. Build or Refine and Execute Your Assurance Processes
1. Understand Your Business Requirements for Assurance
Business Requirements for Assurance
What are your business requirements for System and Software Assurance?
• Business process requirements
• Legal and regulatory requirements
• Marketplace requirements
• Customer-specific requirements
• Product-specific requirements
2. Look to the CMMI for Assurance-Related Process Capability Expectations
The CMMI and Assurance
How does the CMMI support System and Software Assurance?
CMMI Assurance Shortfalls
• Inconsistent treatment of safety and security concerns
• Insufficient assurance detail in required and expected components
  - Specific goals
  - Specific practices
• Insufficient traceability to assurance source standards
CMMI – Process Areas and Assurance

Process Area              Explicit  Implicit  Supporting
Process Management
  OPF                                             ✓
  OPD                                             ✓
  OT                                              ✓
  OPP                                             ✓
  OID                                             ✓
Project Management
  PP                         ✓
  PMC                        ✓
  SAM                        ✓
  IPM                                             ✓
  RSKM                       ✓
  IT                                              ✓
  ISM                                             ✓
  QPM                                             ✓
Engineering
  REQM                                            ✓
  RD                         ✓
  TS                         ✓
  PI                         ✓
  VER                                  ✓
  VAL                                  ✓
Support
  CM                         ✓
  PPQA                                 ✓
  MA                                   ✓
  DAR                        ✓
  OEI                        ✓
  CAR                        ✓
CMMI – Project Management Process Areas and Assurance
• Project Planning (PP)
• Project Monitoring and Control (PMC)
• Supplier Agreement Management (SAM)
• Risk Management (RSKM)
CMMI – Project Management Assurance Objectives - PP
Project Planning
• Determine the technical approach for the project, including the functionality expected in the final products, such as safety and security.
• Estimate effort and cost using models and/or historical data, including inputs related to the level of security required for tasks, work products, hardware, software, personnel, and work environment.
• Plan for the management of project data, including data supporting safety.
• Establish requirements and procedures to ensure privacy and security of the data.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
CMMI – Project Management Assurance Objectives - PMC
Project Monitoring and Control
• Monitor resources provided and used, including the security environment.
• Collect and analyze issues and determine the corrective actions necessary to address the issues, including security issues.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
CMMI – Project Management Assurance Objectives - SAM
Supplier Agreement Management
• Evaluate the impact of candidate COTS products on the project's plans and commitments, including security requirements.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
CMMI – Project Management Assurance Objectives - RSKM
Risk Management
• Identify the risks associated with cost, schedule, and performance in all appropriate product life-cycle phases, including risks associated with maintaining safety and security performance.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
CMMI – Engineering Process Areas and Assurance
• Requirements Development (RD)
• Technical Solution (TS)
• Product Integration (PI)
• Verification* (VER)
• Validation* (VAL)
*Implicit
CMMI – Engineering Assurance Objectives - RD
Requirements Development
• Analyze needs and requirements for each product life-cycle phase, including factors that reflect overall customer and end-user expectations and satisfaction, such as safety, security, and affordability.
• Ensure that the design adheres to applicable design standards and criteria, including safety standards.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
CMMI – Engineering Assurance Objectives - TS
Technical Solution
• Design comprehensive product-component interfaces in terms of established and maintained criteria, including safety and security.
• Adhere to applicable standards and criteria, including safety standards.
• Train the people performing or supporting the technical solution process as needed, including safety standards.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
CMMI – Engineering Assurance Objectives - PI
Product Integration
• Satisfy the applicable requirements and standards for packaging and delivering the product, including those for safety and security.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
CMMI – Engineering Assurance Objectives - VER
Verification*
• Establish and maintain the environment needed to support verification. For example, a product test may require simulators, emulators, scenario generators, data reduction tools, environmental controls, and interfaces with other systems.
• Establish and maintain verification procedures and criteria for the selected work products.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
*Implicit
CMMI – Engineering Assurance Objectives - VAL
Validation*
• Establish and maintain the environment needed to support validation.
• Establish and maintain procedures and criteria for validation to ensure that the product or product component will fulfill its intended use when placed in its intended environment.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
*Implicit
CMMI – Support Process Areas and Assurance
• Configuration Management (CM)
• Product and Process Quality Assurance* (PPQA)
• Measurement and Analysis* (MA)
• Decision Analysis and Resolution (DAR)
• Organizational Environment for Integration (OEI)
• Causal Analysis and Resolution (CAR)
*Implicit
CMMI – Support Assurance Objectives - CM
Configuration Management
• Perform reviews to ensure that changes have not compromised the safety and/or security of the system.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
CMMI – Support Assurance Objectives - PPQA
Product and Process Quality Assurance*
• Objectively evaluate the designated work products and services against the applicable process descriptions, standards, and procedures.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
*Implicit
CMMI – Support Assurance Objectives - MA
Measurement and Analysis*
• Establish and maintain measurement objectives that are derived from identified information needs and objectives. The sources for measurement objectives may be management, technical, project, product, or process implementation needs.
• Specify measures to address the measurement objectives. Measurement objectives are refined into precise, quantifiable measures.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
*Implicit
CMMI – Support Assurance Objectives - DAR
Decision Analysis and Resolution
• Establish and maintain guidelines to determine which issues are subject to a formal evaluation process, for example, design-implementation decisions where a technical performance failure may cause a catastrophic failure (e.g., a safety-of-flight item).
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
CMMI – Support Assurance Objectives - OEI
Organizational Environment for Integration
• Plan, design, and implement an integrated work environment, including tradeoff of safety and security costs and benefits.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
CMMI – Support Assurance Objectives - CAR
Causal Analysis and Resolution
• Determine which defects and other problems will be analyzed further, including safety impact considerations.
Source: CMMI-SE/SW/IPPD/SS, V1.1, Continuous Representation, © CMU SEI, 2002.
Beyond The CMMI
Safety and Security Extensions for Integrated Capability Maturity Models
Source: United States Federal Aviation Administration, Safety and Security Extensions for Integrated Capability Maturity Models, September 2004
1. Ensure Safety and Security Competency
2. Establish Qualified Work Environment
3. Ensure Integrity of Safety and Security Information
4. Monitor Operations and Report Incidents
5. Ensure Business Continuity
6. Identify Safety and Security Risks
7. Analyze and Prioritize Risks
8. Determine, Implement, and Monitor Risk Mitigation Plan
9. Determine Regulatory Requirements, Laws, and Standards
10. Develop and Deploy Safe and Secure Products and Services
11. Objectively Evaluate Products
12. Establish Safety and Security Assurance Arguments
13. Establish Independent Safety and Security Reporting
14. Establish a Safety and Security Plan
15. Select and Manage Suppliers, Products, and Services
16. Monitor and Control Activities and Products
www.faa.gov/ipg
3. Look to Standards for Assurance Process Detail
Standards Supporting System and Software Assurance
What Standards Support System and Software Assurance?
Dependability Standards
Adapted from James W. Moore, Software Engineering Standards: A User's Road Map, IEEE Computer Society Press, Los Alamitos, CA, 1997
[Diagram: ISO and IEC standards arranged under Risk Management, grouped as Risk Analysis, Risk Control, and Achieving Confidence]
• IEC 50-191, Dependability vocabulary
• IEC 300-1, Programme management
• IEC 300-2, Programme elements & tasks
• IEC 300-3-6, SW aspects of dependability
• IEC 300-3-9, Risk analysis of technological systems
• IEC 812, Failure mode and effects analysis
• IEC 1025, Fault tree analysis
• ISO/IEC 15026, Integrity levels
• ISO/IEC 16085, Risk Management
• ISO/IEC NWI 61720, Tech. & tools for confidence
• ISO/IEC 15288, System life cycle processes
• ISO/IEC 12207, SW life cycle processes
Safety and Security Standards
[Diagram: standards grouped into Safety and Security, by source organization (IEC, ISO, IEEE CS, RTCA, Military Standards)]
Safety:
• IEC 61508, Functional Safety
• Sector-Specific Standards
• IEC 60880, SW in nuclear power safety systems
• IEEE 1228, SW safety plans
• MIL-STD-882D, Standard Practice for System Safety
• DEF STAN 00-56, Safety Management Requirements for Defence Systems
• DO 178B, SW considerations in airborne equipment certification (RTCA)
Security:
• ISO/IEC 9796, Digital Security Schemes
• ISO/IEC 10181, Security frameworks for open systems
• ISO/IEC 15408, Common Criteria for IT Security Evaluation
• ISO/IEC 17799, Code of Practice for Information Security Management
• ISO/IEC 21827, Systems Security Engineering CMM
• IEEE P1619, Standard Architecture for Encrypted Shared Storage Media
• IEEE P1700, Security Architecture for Certification and Accreditation of Information
• IEEE P2200, Baseline Operating System Security
FISMA Legislation
“Each Federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…”
- Federal Information Security Management Act of 2002
Source: FISMA Implementation Project, Dr. Ron Ross, NIST, April 2004
NIST FISMA Implementation Project Standards and Guidelines
• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-37 (Certification & Accreditation)
• NIST Special Publication 800-53 (Security Controls)
• NIST Special Publication 800-53A (Assessment)
• NIST Special Publication 800-59 (National Security)
• NIST Special Publication 800-60 (Category Mapping)
• FIPS Publication 200 (Minimum Security Controls)
Source: FISMA Implementation Project, Dr. Ron Ross, NIST, April 2004
4. Build or Refine and Execute Your Assurance Processes
Use CMMI-Compliant Processes to Achieve System and Software Assurance
Have you addressed the assurance implications of your CMMI-compliant processes?
Do your assurance processes meet your business requirements (1. Understand Your Business Requirements for Assurance)?
• Business process requirements
• Legal and regulatory requirements
• Marketplace requirements
• Customer-specific requirements
• Product-specific requirements
Achieving System and Software Assurance Through CMMI-Compliant Processes
1. Understand Your Business Requirements for Assurance
2. Look to the CMMI for Assurance-Related Process Capability Expectations
3. Look to Standards for Assurance Process Detail
4. Build or Refine and Execute Your Assurance Processes
For More Information . . .
Paul R. Croll
Computer Sciences Corporation
5166 Potomac Drive
King George, VA 22485-5824
Phone: +1 540.644.6224
Fax: +1 540.663.0276
e-mail: [email protected]
For IEEE Standards:
http://computer.org/standards/sesc/
http://ieeeia.org/iasc/
http://computer.org/cspress/CATALOG/st01110.htm
For ISO/IEC Standards:
http://saturne.info.uqam.ca/Labo_Recherche/Lrgl/sc7/