9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a...
Transcript of 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a...
![Page 1: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/1.jpg)
TÜV Informationstechnik GmbH
- TÜViT -
CC and CMMI®
An Approach to Integrate CC with Development
Wolfgang Peter
![Page 2: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/2.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 1
Contents
1. Status Quo
2. CMMI® for Development
3. Striking Analogies
4. Combining Standards
5. Conclusion
![Page 3: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/3.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 2
What CC does accomplish ...
Ø assesses and rates security capabilities of IT products
Ø establishes various levels of confidence in those products
Ø offers flexibility for new type of products and configurations, and development models
Ø provides mutual recognition, i.e. dozens of countries and many commercial users buy into working with CC
Ø ...
![Page 4: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/4.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 3
... but ...
Ø uses a complex and somehow artificial “language”developers are not familiar with
Ø usually starts fairly late in the development process
Ø requires documents “just for CC”
Ø focuses on product features, not on development processes
Ø ...
![Page 5: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/5.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 4
Bottom line
Ø CC is normally not integrated with development
Ø CC causes disruption from regular development processes
Ø CC often results in established coexistences of “normal”and “CC development” within organizations
Ø CC is typically not institutionalized within an organization
![Page 6: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/6.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 5
Associated risks
Ø Decisions on a case by case basis
Ø Unnecessary “overhead”Waste of time and money
Ø No efficient re-usage of development results (specifications, test results, development documents etc.)
Ø Heavy dependent on individualsNo guarantees that historical results can be repeated
Ø CC is normally not integrated with development
Ø CC causes disruption from regular development processes
Ø CC often results in established coexistences of “normal” and “CC development” within organizations
Ø CC is typically not institutionalized within an organization
![Page 7: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/7.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 6
In general ...
Ø The quality of a product is highly influenced by the quality of the processes used to acquire, develop, and maintain it
Ø Every organization involved in the development of security products would basically benefit from experiences and best-practices of well-defined and structured engineering standards
Source: SEI, Mastering Process Improvement
![Page 8: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/8.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 7
Contents
1. Status Quo
2. CMMI® for Development
3. Striking Analogies
4. Combining Standards
5. Conclusion
![Page 9: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/9.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 8
Background
Ø CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements of effective processes
Ø Successor of CMM or Software CMM; CMM developed from 1987 through 1997; release of CMMI, V1.1 in 2002
Ø Created by members of industry, government and the SEI (Software Engineering Institute, Pittsburgh, PA, USA)
Ø Three modelsØ CMMI for Development (CMMI-DEV), Version 1.2 (08/2006)Ø CMMI for Acquisition (CMMI-ACQ), Version 1.2 (11/2007)Ø CMMI for Services (CMMI-SVC), (2009)
Ø Primary focus: process improvementØ Organizations cannot be CMMI “certified”, but are appraised and awarded a 1-5
level rating (e.g., using SCAMPI - Standard CMMI Appraisal Method for Process Improvement)
Ø Web Site: http://www.sei.cmu.edu/cmmi/
![Page 10: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/10.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 9
institutionalization level
implem
entation level
Key concept
Ø ProcessØ sequence of steps performed for a
given purpose
Ø Process Areas (PA)Ø characteristics of effective
processes
Ø Specific/Generic Goals (SG/GG) Ø requirements
Ø Specific/Generic Practices (SP/GP)Ø expected activities
Ø 2 types of representationsØ continuousØ staged
Ø Capability Level (CL)Ø CL 0, CL 1, ..., CL5 (cumulative)Ø PA specificØ CL i = achievement of GG i in a PA
Ø Maturity Level (ML)Ø ML 1, ML 2, ..., ML 5 (cumulative)Ø pre-defined set of PAs, each
reaching a pre-defined CL
Maturity Level
Capability Level
SpecificPractices
GenericPractices
SpecificGoals
GenericGoals
Process Area iProcess Area 1 Process Area n... ...
![Page 11: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/11.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 10
Continuous representation:Process Areas by categories - 1
SupportSupportSupportEngineeringEngineeringEngineering
Process ManagementProcess Process ManagementManagement
Project Management
Project Project ManagementManagement
![Page 12: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/12.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 11
Continuous representation:Process Areas by categories - 2
Process ManagementOPF Organizational Process FocusOPD Organizational Process DefinitionOT Organizational TrainingOPP Organizational Process PerformanceOID Organizational Innovation and Deployment
Process ManagementOPF Organizational Process FocusOPD Organizational Process DefinitionOT Organizational TrainingOPP Organizational Process PerformanceOID Organizational Innovation and Deployment
Project ManagementPP Project PlanningPMC Project Monitoring and ControlSAM Supplier Agreement ManagementIPM Integrated Project ManagementRSKM Risk ManagementQPM Quantitative Project Management
Project ManagementPP Project PlanningPMC Project Monitoring and ControlSAM Supplier Agreement ManagementIPM Integrated Project ManagementRSKM Risk ManagementQPM Quantitative Project Management
EngineeringREQM Requirements ManagementRD Requirements DevelopmentTS Technical SolutionPI Product IntegrationVER VerificationVAL Validation
EngineeringREQM Requirements ManagementRD Requirements DevelopmentTS Technical SolutionPI Product IntegrationVER VerificationVAL Validation
SupportCM Configuration ManagementPPQA Process and Product Quality AssuranceMA Measurement and AnalysisDAR Decision Analysis and ResolutionCAR Causal Analysis and Resolution
SupportCM Configuration ManagementPPQA Process and Product Quality AssuranceMA Measurement and AnalysisDAR Decision Analysis and ResolutionCAR Causal Analysis and Resolution
![Page 13: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/13.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 12
Generic Goals 1-3
Ø GG 1 Achieve Specific GoalsØ GP 1.1 Perform Specific Practices
Ø GG 2 Institutionalize a Managed ProcessØ GP 2.1 Establish an Organizational PolicyØ GP 2.2 Plan the ProcessØ GP 2.3 Provide ResourcesØ GP 2.4 Assign ResponsibilityØ GP 2.5 Train PeopleØ GP 2.6 Manage ConfigurationsØ GP 2.7 Identify and Involve Relevant StakeholdersØ GP 2.8 Monitor and Control the ProcessØ GP 2.9 Objectively Evaluate AdherenceØ GP 2.10 Review Status with Higher Level Management
Ø GG 3 Institutionalize a Defined ProcessØ GP 3.1 Establish a Defined ProcessØ GP 3.2 Collect Improvement Information
Process Area
GenericPractices
GenericGoals
![Page 14: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/14.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 13
Staged representation:Process Areas by Maturity Level
ML 5Optimizing
Organizational Innovation and DeploymentCausal Analysis and Resolution
Generic Goal / Capability Level 1 2 3 4 5
ML 4Quantitatively Managed
Organizational Process PerformanceQuantitative Project Management
Requirements Management Project PlanningProject Monitoring and ControlSupplier Agreement ManagementMeasurement and AnalysisProcess and Product Quality AssuranceConfiguration Management
Requirements DevelopmentTechnical SolutionProduct IntegrationVerificationValidationOrganizational Process FocusOrganizational Process Definition +IPPDOrganizational Training Integrated Project Management +IPPDRisk ManagementDecision Analysis and Resolution
ML 2Managed
P l u
s
C r
i t i
c a
l S
u b
p r
o c
e s
s e
s
P l u
s
C r
i t i
c a
l S
u b
p r
o c
e s
s e
s
ML 3Defined
Source: method park, 2008
![Page 15: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/15.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 14
Contents
1. Status Quo
2. CMMI® for Development
3. Striking Analogies
4. Combining Standards
5. Conclusion
![Page 16: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/16.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 15
Look and see!
ML 5Optimizing
Organizational Innovation and DeploymentCausal Analysis and Resolution
Generic Goal / Capability Level 1 2 3 4 5
ML 4Quantitatively Managed
Organizational Process PerformanceQuantitative Project Management
Requirements Management Project PlanningProject Monitoring and ControlSupplier Agreement ManagementMeasurement and AnalysisProcess and Product Quality AssuranceConfiguration Management
Requirements DevelopmentTechnical SolutionProduct IntegrationVerificationValidationOrganizational Process FocusOrganizational Process Definition +IPPDOrganizational Training Integrated Project Management +IPPDRisk ManagementDecision Analysis and Resolution
ML 2Managed
P l u
s
C r
i t i
c a
l S
u b
p r
o c
e s
s e
s
P l u
s
C r
i t i
c a
l S
u b
p r
o c
e s
s e
s
ML 3Defined
![Page 17: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/17.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 16
Analogy of key terms
Ø Assurance Family
Ø Assurance Class
Ø Assurance Component Leveling
Ø EAL
Ø Extension
Ø Process Area
Ø PA Category
Ø Capability Level
Ø Maturity Level
Ø Addition
Both, CMMI and CC, represent state of the art concepts and culmination of decades of experiences
![Page 18: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/18.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 17
Contents
1. Status Quo
2. CMMI® for Development
3. Striking Analogies
4. Combining Standards
5. Conclusion
![Page 19: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/19.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 18
An organization develops products with different requirements onfunctionality, security, and ... (e.g. safety)
General idea
CC covers additional security related requirements, for the
product and the product’s development environment
... (e.g. IEC 61508)
Process Areas of CMMI-DEV cover demands on planned and controllable product development
![Page 20: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/20.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 19
Example: ALC_CMS (CM Scope)
Configuration Management
Generic Goals & PracticesGG 1 Achieve Specific Goal
GP 1.1 Perform Specific Practices
GG 2 Institutionalize a Managed ProcessGP 2.1 Establish an Organizational PolicyGP 2.2 Plan the ProcessGP 2.3 Provide ResourcesGP 2.4 Assign ResponsibilityGP 2.5 Train PeopleGP 2.6 Manage ConfigurationsGP 2.7 Identify and Involve Relevant
StakeholdersGP 2.8 Monitor and Control the ProcessGP 2.9 Objectively Evaluate AdherenceGP 2.10 Review Status with Higher Level
Management
GG 3 Institutionalize a Defined ProcessGP 3.1 Establish a Defined ProcessGP 3.2 Collect Improvement Information
Institutionalization of this PA within the
organization
Configuration Management
Specific Goals & PracticesSG 1 Establish Baselines
SP 1.1 Identify Configuration ItemsSP 1.2 Establish a Configuration
Management SystemSP 1.3 Create or Release Baselines
SG 2 Track and Control ChangesSP 2.1 Track Change RequestsSP 2.2 Control Configuration Items
SG 3 Establish IntegritySP 3.1 Establish Configuration
Management RecordsSP 3.2 Perform Configuration Audits
Achievement of process related requirements
ALC_CMS.4: Problemtracking CM coverage
ALC_CMS.4.1C The configuration list shall include the following: the TOE itself; the evaluation evidence required by the SARs; the parts that comprise the TOE; the implementation representation; and security flaw reports and resolution status.
ALC_CMS.4.2C The configuration list shall uniquely identify the configuration items.
ALC_CMS.4.3C For each TSF relevant configuration item, the configuration list shall indicate the developer of the item.
CC EAL4 specific requirements
![Page 21: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/21.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 20
Activities and (first) results
Ø Focused on EAL4
Ø Bi-directional “mapping” and parts of the integration CC/CMMI-DEV done
Ø EAL4 does not require any addition of new CMMI-DEV process areas
Ø CMMI-DEV specific goal needs to be added (à ALC_DVS)
Ø Lots of additions to specific practices in engineering, project management, and support will be needed
Ø Lots of additions to the CMMI-DEV informative material necessary
![Page 22: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/22.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 21
Contents
1. Status Quo
2. CMMI® for Development
3. Striking Analogies
4. Combining Standards
5. Conclusion
![Page 23: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/23.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 22
Conclusion and next steps
Ø Experience shows that efficiently developing high quality/security products requires managing the engineering processes
Ø In this respect CC needs to evolve or be combined with engineering standards
Ø Combining CMMI-DEV and CC is feasibleØ e.g. EAL4 would require Capability Level 3 of quite a few CMMI
Process Areas
Ø Piloting with customers will follow
Ø Models will be implemented in a web based tool, supportingØ reference modelsØ process definitionØ management
![Page 24: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/24.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 23
![Page 25: 9ICCC CC and CMMI-DEV - Common Criteria˜ CMMI® (Capability Maturity Model® Integration) is a process improvement approach that provides organizations with the essential elements](https://reader034.fdocuments.us/reader034/viewer/2022042118/5e97398fa9322703e905b795/html5/thumbnails/25.jpg)
Sep 2008© TÜV Informationstechnik GmbH – Member of TÜV NORD Group Wolfgang Peter CC and CMMI-DEV, ICCC 2008 24
TÜV INFORMATIONSTECHNIK GMBHMember of TÜV NORD Group
Wolfgang PeterDirector Evaluation Body for IT Security
Langemarckstr. 20D-45141 Essen
Phone: +49 201 8999 – 624Fax: +49 201 8999 – 666E-Mail: [email protected]: www.tuvit.net