The SSECMM - PowerPoint PPT Presentation

Title:

The SSECMM

Description:

Add-on Security. Reduced Development Time Lines. Systems too large and complex ... Add-on assessments. Special case assessments. DoD. 11. Pilot Results to Date ... – PowerPoint PPT presentation

Number of Views:134
Avg rating:3.0/5.0
Slides: 15
Provided by: charlesg78
Category:
Tags: ssecmm | addon

Transcript and Presenter's Notes

Title: The SSECMM


1
The SSE-CMM: Evaluations Partners within the Assurance Framework
Trust Me!
  • Charles G. Menk III

V24, DoD, menk@romulus.ncsc.mil
2
SSE-CMM: A Community Effort
  • Facilitated by NSA
  • Driven by industry-led Working Groups
  • Office of Secretary of Defense supplemented NSA
    funding
  • Canadian government, CSE, has committed resources.

3
Motivation
  • Increased use of commercial products
  • Commercial development cycles shorter than
    evaluation time lines
  • Move from risk avoidance to risk management

4
The Assurance Framework
  • Comprehensive integration of assurance
  • Trusted Capability Maturity Model (TCMM)
  • System Security Engineering CMM (SSE CMM)
  • ISO 9000
  • X/Open Branding
  • Testing
  • Evaluation

5
Some SSE-CMM Goals
  • To have security built-in from day one
  • To KNOW it is being done right
  • To assist in educating suppliers, those called
    upon to analyze the products and systems, and
    their customers

6
The SSE-CMM Process Areas
  • Specify Security Needs
  • Provide Security Input
  • Verify and Validate Security
  • Attack Security
  • Assess Operational Security Risk
  • Build Assurance Argument
  • Monitor System Security Posture
  • Administer Security Controls
  • Coordinate Security
  • Determine Security Vulnerabilities

7
Evaluation Concerns
  • Documentation
    • Does not reflect implementation
    • Not detailed enough
  • Code
    • Not verifiable
    • Undocumented
    • Flaws

8
How Did We Get Here?
  • Add-on Security
  • Reduced Development Time Lines
  • Systems too large and complex
  • Evaluators expected to do too much
    • Educate about security
    • Assist in design modifications
    • Assist in documentation development

9
Some SSE-CMM Solutions
  • Address security from day one
  • Create confidence in developer abilities
    • Documentation
    • Configuration Management
    • Process error detection and correction
    • Continuous improvement

10
Current Status of SSE-CMM
  • Draft 1.0 now available
  • Pilots started in June-October 1996
  • Pilot Target Environments (Partially Complete)
    • Combined assessments
    • Stand-alone assessments
    • Add-on assessments
    • Special case assessments

11
Pilot Results to Date
  • Security practitioners judge model as valid
  • Pilot appraisers judge appraisal method as valid
    • Accurate results
    • Acceptable expense
  • Security suppliers judge the results as useful
    • Can be used to provide guidance for improving
      process
    • Can be used to make business case

12
Let Them Eat Cake
  • Many bakeries produce good cakes
  • Certain bakeries develop certain types of cakes
  • Certain bakeries are better than others
  • You may prefer a specific type of cake
  • How do you get a good cake?
    • Taste it when done (Evaluate)?
    • Pick a mature bakery (CMM)?
    • DO BOTH!!!

13
Recommendation
  • Guide SSE-CMM development to provide output that
    has diverse utility
    • Evaluations / Profiles
    • Accreditation / Certification
    • Procurement Authorities
  • Use SSE-CMM to gain assurance that the developer
    CAN build secure products
  • Potential support to RAMP process NOW

14
For Additional Information
  • Mary Schanken
  • Project Manager
  • System Security Engineering CMM
  • Chuck Menk
  • Web Site http// (410) 859-6091