INTEGRITY ASSURANCE: Safety/Security Extensions to CMMI and icmm

Similar documents
Synergies of the Common Criteria with Other Standards

Service Extensions to the CMMI

ITIL V3.0 Compliance Benchmarking with CMMI-SVC SCAMPI A

CMMI Version 1.2. Josh Silverman Northrop Grumman

Engineering for System Assurance Legacy, Life Cycle, Leadership

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Cyber Hygiene: A Baseline Set of Practices

DISA CLOUD CLOUD SYMPOSIUM

Software Test & Evaluation Summit/Workshop Review

Joint Federated Assurance Center (JFAC): 2018 Update. What Is the JFAC?

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Using CERT-RMM in a Software and System Assurance Context

The Perfect Storm Cyber RDT&E

Advancing the Role of DT&E in the Systems Engineering Process:

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

Systems Engineering: MITRE & SERC D r. J. P r o v i d a k e s D i r e c t o r, S E Te c h C e n t e r

INFORMATION ASSURANCE DIRECTORATE

REPORT 2015/149 INTERNAL AUDIT DIVISION

Defense Logistics Agency Environmental Management System

ISTQB Advanced Level (CTAL)

ISA99 - Industrial Automation and Controls Systems Security

EXIN Expert in IT Service Management based on ISO/IEC Preparation Guide

Re-Forming the DoD Acquisition Process. A Systems Engineering Approach

ISO TC46/SC11 Archives/records management

Julia Allen Principal Researcher, CERT Division

Roles and Responsibilities on DevOps Adoption

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

Security Metrics Establishing unambiguous and logically defensible security metrics. Steven Piliero CSO The Center for Internet Security

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Enterprise GRC Implementation

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems

MEETING: RSSB Board Meeting DATE: 03 November 2016 SUBJECT: Rail Industry Cyber Security Strategy SPONSOR: Mark Phillips AUTHOR: Tom Lee

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

I. Contact Information: Lynn Herrick Director, Technology Integration and Project Management Wayne County Department of Technology

NDIA SE Conference 2016 System Security Engineering Track Session Kickoff Holly Dunlap NDIA SSE Committee Chair Holly.

Engineering Improvement in Software Assurance: A Landscape Framework

Office of Acquisition Program Management (OAPM)

Systems and software engineering Requirements for managers of information for users of systems, software, and services

Assessing the impacts of Amended Toxic Substances Control Act (TSCA) to the DoD Mission and the Defense Industrial Base (DIB)

Cybersecurity Risk Management Guide for Voluntary Use of the NIST Cybersecurity Framework

How to supply to Defence (The 20 minute version)

Defining Computer Security Incident Response Teams

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

A TSP SM Roadmap to CMMI SM Implementation

ISO/IEC overview

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

Building an Assurance Foundation for 21 st Century Information Systems and Networks

Acquisition and Intelligence Community Collaboration

ISO/IEC JTC1/SC7 /N3040

Certified Software Quality Engineer Preparation On Demand, Web-Based Course Offered by The Westfall Team

An Accelerated Approach to Business Capability Acquisition for the Montgomery IT Summit. Presented by: Mr. Paul Ketrick May 19, 2009

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

ISO INTERNATIONAL STANDARD. Information and documentation Records management Part 1: General

Larry Clinton President Internet Security Alliance

ISO/IEC TR TECHNICAL REPORT. Information technology Security techniques A framework for IT security assurance Part 2: Assurance methods

Back-up Slides. MTS Technologies, Inc.

Why you should adopt the NIST Cybersecurity Framework

AMRDEC CYBER Capabilities

Breakout Session. James Martin Kevin Kreitman Jeff Diehl Scott Bernard

ISA99 - Industrial Automation and Controls Systems Security

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Information Security Continuous Monitoring (ISCM) Program Evaluation

Quality Assurance and IT Risk Management

Data Governance Central to Data Management Success

Australian Standard. Records Management. Part 1: General AS ISO ISO

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

ISO/ IEC (ITSM) Certification Roadmap

ISO/IEC/ IEEE Systems and software engineering Content of life-cycle information items (documentation)

Final Project Report. Abstract. Document information

Deployment Explained: DREN IPv6 Pilot

Quality Assurance and esecurity

Security Policy Guidelines

DOD Medical Device Cybersecurity Considerations

Don t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Contents. List of figures. List of tables. 5 Managing people through service transitions 197. Preface. Acknowledgements.

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

NIST Security Certification and Accreditation Project

AIA Update 2018 S1000D User Forum

Integrated Consortium of Laboratory Networks (ICLN)

This document is a preview generated by EVS

Advisory Circular. Subject: INTERNET COMMUNICATIONS OF Date: 11/1/02 AC No.: AVIATION WEATHER AND NOTAMS Initiated by: ARS-100

The CIS Security Metrics & Benchmarking Service. Clint Kreitner The Center for Internet Security

Information Security and Service Management. Security and Risk Management ISSM and ITIL/ITSM Interrelationship

Conformity assessment Requirements for bodies providing audit and certification of management systems. Part 6:

Framework for Improving Critical Infrastructure Cybersecurity

The U.S. Government s Role in Standards and Conformity Assessment

DFARS Cyber Rule Considerations For Contractors In 2018

Systems Engineering Division

ISO/IEC Information technology Security techniques Code of practice for information security controls

The Software Assurance Ecosystem: OMG s Approach to Systems & Software Assurance

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC TR TECHNICAL REPORT. Information technology Security techniques Information security management guidelines for financial services

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

Manchester Metropolitan University Information Security Strategy

The exida. IEC Functional Safety and. IEC Cybersecurity. Certification Programs

REPORT 2015/186 INTERNAL AUDIT DIVISION

Transcription:

INTEGRITY ASSURANCE: Safety/Security Extensions to CMMI and icmm Dr. Linda Ibrahim Chief Engineer for Process Improvement Federal Aviation Administration Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University

Topics Background and Motivation Strategy What s been done The Way Ahead Contact Information Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 2

Background CMMI and icmm interest in safety/security In December 2001, Australian Defence Materiel Organization, with the support of US DoD, developed +SAFE A Safety Extension to CMMI FAA approved a project to include both safety and security in FAA integrated CMM (icmm) CMMI Steering Group has discussed addressing safety and security; yet decided to stabilize CMMI at v1.1 for 3 years DoD and FAA decided to collaborate on developing safety/security extensions to both icmm and CMMI Joint FAA/DoD project launched in May 2002 Broad participation from government and industry Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 3

Motivation - 1 Safety and security are critical to both DoD and FAA, as well as other government and industry organizations Both CMMI and icmm provide a framework in which safety and security activities can take place Australian pilots concluded that safety is not adequately covered in CMMI Risk that an organization appraised as capable under CMMI might be found lacking in safety process capability Analysis of current safety and security standards highlighted potential gaps in CMMI/iCMM coverage Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 4

Motivation - 2 CMMI: CMMI-SE/SW/IPPD/SS, V1.1 mentions: Safety : in 9 PAs Project Planning, Risk Management, Requirements Development, Technical Solution, Product Integration, Configuration Management, Decision Analysis and Resolution, Organizational Environment for Integration, Causal Analysis and Resolution Security : in 10 PAs Project Planning, Project Monitoring and Control, Supplier Agreement Management, Risk Management, Requirements Development, Technical Solution, Product Integration, Configuration Management, Measurement and Analysis, Organizational Environment for Integration Safety and security are only mentioned in informative components of the CMMI Not in required or expected components The source material for CMMI did not include any specific safety or security references Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 5

Motivation - 3 icmm: icmm v2.0 includes: For SECURITY Normative material in 1 PA Information Management For SECURITY - Expected material in 6 PAs Needs; Requirements; Deployment, Transition, and Disposal; Project Management; Configuration Management; Information Management For SECURITY - Informative material in 11 PAs Integrated Enterprise Management; Needs; Requirements; Design; Outsourcing; Evaluation; Deployment, Transition, and Disposal; Project Management; Integrated Teaming; Configuration Management; Information Management; Measurement and Analysis For SAFETY no Normative material For SAFETY Expected material in 4 PAs Needs; Requirements; Integration; Deployment, Transition, and Disposal For SAFETY- Informative material in 13 PAs Integrated Enterprise Management; Needs; Requirements; Design; Alternatives Analysis; Integration; Evaluation; Deployment, Transition, and Disposal; Project Management; Integrated Teaming; Configuration Management; Training; Innovation icmm v2.0 integrates 10 sources; some safety/security content None of these sources are specific to safety or security Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 6

Overall Strategy to Develop Extension 1) Form Teams 2) Decide Source Material and Map Together at High Level 3) Develop/Synthesize Best Practice from Sources 4) Harmonize Safety and Security Practices 5) Review/Revise (external review) 6) Integrate/Align with the Reference Models 7) Perform Pilot Appraisals 8) Generate/Provide Training/Guidance 9) Review and Publish Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 7

Form Teams Over 30 participants from FAA, OSD, Army, Navy, Air Force, NASA, DOE, Australian DMO, SEI and industry Team structure: Project Management co-leads with overall project responsibility Safety Team co-leads, authors, and buddies responsible for safety best practices Security Team co-leads, authors, and buddies responsible for security best practices Model Team responsible for model knowledge, model placement, editing Harmonization Team responsible for harmonization and vocabulary Pilot Team responsible for planning pilot appraisals Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 8

Source Documents - 1 Source documents are major, essential, widely recognized documents (3 to 5) Source documents used to synthesize best practice Bi-directional traceability required between new extension and source documents Demonstrate coverage of source documents Reference documents also identified Useful in developing best practices in certain areas, but full coverage and detailed mapping not required E.g., +SAFE was used extensively as input to the safety component of the extension Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 9

Source Documents - 2 Three Source Documents for safety: MIL-STD-882C: System Safety Program Requirements IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Systems DEF STAN 00-56: Safety Management Requirements for Defence Systems Four Source Documents for security: ISO 17799: Information Technology - Code of practice for information security management ISO 15408: The Common Criteria (v 2.1) Mapping of Assurance Levels and Families SSE-CMM: Systems Security Engineering CMM (v2.0) NIST 800-30: Risk Management Guide for Information Technology Systems Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 10

Synthesizing Best Practice Source documents mapped together at high-level Natural groupings of subject matter identified Common objectives/outcomes identified Practices synthesized from similar practices/ clauses/activities pertaining to common outcomes Practice level mappings to source material retained Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 11

Harmonization and Initial Review Initial harmonization of the safety and security components occurred in October 02 Safety and security harmonized into a single set of practices titled Integrity Assurance Mapping maintained to the original safety and security source documents Important to demonstrate full coverage of the source documents Common terms proposed for adoption Endeavor to use standard ISO terminology where possible Review package released in November 2002, for broad review containing 26 harmonized integrity assurance practices Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 12

Integrity Assurance Practices (Review Package) - 1 1. Establishing the Integrity Assurance Program 1.1 Determine Regulatory Requirements, Legal Requirements and Standards 1.2 Establish Integrity Assurance Objectives 1.3 Establish an Integrity Assurance Organization Structure 1.4 Establish an Integrity Assurance Plan 2. Managing the Integrity Assurance Program 2.1 Conduct Reviews of Integrity Assurance Activities 2.2 Monitor Integrity Assurance Incidents 2.3 Establish and Control Integrity Assurance Repository 2.4 Manage the Integrity Assurance Program Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 13

Integrity Assurance Practices (Review Package) - 2 3. Managing Supplier Agreements 3.1 Select Suppliers 3.1 Establish Supplier Agreements 3.2 Satisfy Supplier Agreements that Include Integrity Requirements 4. Determining and Applying Integrity Principles 4.1 Determine Appropriate Integrity Principles, Measures and Tools 4.2 Apply Integrity Principles, Measures and Tools 5. Identifying Threats 5.1 Identify Likely Sources of Threats 5.2 Document Threats and Incidents Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 14

Integrity Assurance Practices (Review Package) - 3 6. Analyzing Integrity Risk 6.1 Categorize Threats 6.2 Prioritize Threats 6.3 Identify Causal Factors 6.4 Determine Risk Reduction Strategy 7. Developing and Allocating Integrity Requirements 7.1 Develop Integrity Requirements 7.2 Analyze Integrity Requirements 7.3 Allocate Integrity Requirements 7.4 Perform Impact Analysis of Changes 8. Determining Integrity Achievement 8.1 Determine Compliance 8.2 Assure Integrity 8.3 Establish and Maintain Integrity Assurance Argument Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 15

Review/Revise Review package released for broader internal and external review 200+ review comments received Comments dispositioned Model placement in progress Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 16

Integration with CMMI & icmm The goal is for common content to be integrated into both CMMI and icmm The Model Team is Analyzing and relating the harmonized practices to the content and structure of the existing integrated models Determining placement of the material for both CMMI and icmm, e.g., several of the harmonized practices are already covered to varying extents in existing PAs of the icmm and CMMI Insufficient to use Integrity Assurance practices alone to conduct a safety or security appraisal To be used in conjunction with other CMMI or icmm PAs (with elaborations/amplifications) Need to integrate with reference models Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 17

The Way Ahead Pilot appraisals are being planned Appraisal feedback will be incorporated Tech Note to be developed, including: Front matter Integrity Assurance Process Area extension Reference model integration amplifications/elaborations to PAs Guidance material Mapping to source material Tech Note to be distributed for review Publication and Use Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 18

Contact Information For more information, or to participate, please contact: Linda Ibrahim: linda.ibrahim@faa.gov Joe Jarzombek: joe.jarzombek@osd.mil Matt Ashford: mashford@hq.dcma.mil Information available on-line at: http://www.acq.osd.mil/sts/sis/ http://www.faa.gov/ipg Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 19

Team Members 1 of 2 Name Organization Team/Role Ahern, Dennis Northrop Grumman Electronic Systems Model Team Ashford, Matt Australian Defence Materiel Organisation Safety Co-lead (DMO) Bate, Roger Software Engineering Institute Model Team Coblentz, Brenda US Department of Energy (DOE) Safety Buddy Pilot Team Conrad, Ray Lockheed Martin Air Traffic Mgt (Safety) Safety Buddy Cooper, David Praxis Critical Systems Ltd (UK) Harmonization Team Courington, Tim FAA/Northrop Grumman Security Co-lead Croll, Paul Computer Sciences Corporation (CSC) Harmonization Lead Dhami, Sartaj FAA/Northrop Grumman Security Author Gill, Janet US Navy, NAVAIR Software System Safety Author Safety Lead Henning, Ronda Harris Corp Security Co-lead Horn, Mary US Federal Aviation Administration (FAA) Security Buddy Ibrahim, Linda US Federal Aviation Administration (FAA) Project Co-Manager Model Team Lead Jackson, Tom Lockheed Martin Security Buddy Jarzombek, Joe US Office of Secretary of Defense (OSD) DoD Co-Sponsor Project Co-Manager Harmonization Team Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 20

Team Members 2 of 2 Name Organization Team/Role Keblawi, Faisal US Federal Aviation Administration (FAA) Security Co-Lead Kemens, Victor US Federal Aviation Administration (FAA) Security Buddy LaBruyere, Larry FAA/Northrop Grumman Pilot Team Leonette, Martha J. US Federal Aviation Administration (FAA) Security Author Miller, Gerald FAA/Northrop Grumman Security Author Ming, Lisa Defense Contract Management Agency Safety Author Patel, Raju B. US Air Force, Wright Patterson AFB Security Author Pierson, Hal US Federal Aviation Administration (FAA) Security Buddy Pyster, Art US Federal Aviation Administration (FAA) FAA Co-Sponsor Roseboro, Douglas US Federal Aviation Administration (FAA) Security Buddy Sherer, Wayne US Army, Picatinny Arsenal Model Team Simmons, Marty Lockheed Martin Mission Systems Security Buddy (Security) Stamnas, Les SAIC Pilot Team Stroup, Ron US Federal Aviation Administration (FAA) Safety Co-lead Stuart, Sandra US Federal Aviation Administration (FAA) Security Buddy Terry, Ray C US Navy, NAVAIR Systems Safety Safety Buddy Division Head VanBuren, Scott US Federal Aviation Administration (FAA) Harmonization Team Wells, Curt i-metrics Model Team Wetherholt, Martha NASA Safety Author Integrity Assurance: Extending the CMMI & icmm for Safety and Security Slide 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback