Lockheed Martin s Move to Assurance: Software Safety and Security Certification Best Practices (BP)



Similar documents
Understanding, Modelling and Improving the Software Process. Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 31 Slide 1

H ig h L e v e l O v e r v iew. S te p h a n M a rt in. S e n io r S y s te m A rc h i te ct


Put the human back in Human Resources.



1.- L a m e j o r o p c ió n e s c l o na r e l d i s co ( s e e x p li c a r á d es p u é s ).

SYSTEMS SECURITY ENGINEERING

ACE-1/onearm #show service-policy client-vips


Software Engineering CSCI Class 50 Software Process Improvement. December 1, 2014

PSTN. Gateway. Switch. Supervisor PC. Ethernet LAN. IPCC Express SERVER. CallManager. IP Phone. IP Phone. Cust- DB


Software Quality. Process Quality " Martin Glinz. Chapter 5. Department of Informatics!

Foredragfor Den Norske Dataforening, den



CMMI Version 1.2. SCAMPI SM A Appraisal Method Changes

Opis przedmiotu zamówienia - zakres czynności Usługi sprzątania obiektów Gdyńskiego Centrum Sportu

Contracting Officer s Representative (COR) Interactive SharePoint Wiki

Benefits of Standardization. Benefits of Standardization


Distributed and Outsourced Software Engineering. The CMMI Model. Peter Kolb. Software Engineering

B R T S y s te m in S e o u l a n d In te g r a te d e -T ic k e tin g S y s te m


SCO TT G LEA SO N D EM O Z G EB R E-


Labor Category Descriptions

R e t r o f i t o f t C i r u n i s g e C o n t r o l

COMPLIANCE IS MANDATORY



Capability Maturity Model Integration (CMMI ) Overview

Simulation of Different SPI Models


proxy cert request dn, cert, Pkey, VOMS cred. (short lifetime) certificate: dn, ca, Pkey mod_ssl pre-process: parameters->

Raytheon Secure Systems and Networks

Online Department Stores. What are we searching for?

Campus Sustainability Assessment and Related Literature

Enterprise Information Security Business Risk Assessment


The Capability Road Map a framework for managing quality and improving process capability

LESS is, in fact, MORE! 60% Paper Reduction Using an Enterprise-Wide Process Framework


CROMERR Made Easier Eric Cleckler, Alabama DEM Greg Mitchell, U.S. EPA

Lessons Learned from Adopting CMMI for Small Organizations

[project.headway] Integrating Project HEADWAY And CMMI

3 k t h R e m e A c c e s s b t t t V T T c h t h p V T. Cl ic e ot rad io ut on nex o PN unnel yp e and oose e ap rop riat e PN unnel Int erfac e. 4.

Re: SEC Proposed Rule Regulation SCI SEC File No. S ; Release No

Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals

How To Be A Successful Thai

Ma teria ls to fix p osters to the b oa rd s will b e p rovid ed b y the organization at the Conference site.

AN EVALUATION OF SHORT TERM TREATMENT PROGRAM FOR PERSONS DRIVING UNDER THE INFLUENCE OF ALCOHOL P. A. V a le s, Ph.D.

DCMA Software Contract Management Services CMM Based Insight Initiative

Data Management Maturity (DMM) Model Update


CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology

Software Quality Assurance: VI Standards

Security Testing. Claire L. Lohr, CSQE, CSDP, CTAL F. Scot Anderson, CISSP April 7, 2009 V 1.

d e f i n i c j i p o s t a w y, z w i z a n e j e s t t o m. i n. z t y m, i p o jі c i e t o

Process Improvement. Process improvement. Process improvement stages. Understanding, Modelling and Improving the Software Process

Software and Systems Engineering. Software and Systems Engineering Process Improvement at Oerlikon Aerospace


The Advantages and Disadvantages of Using Software Engineering Standards

PSM. Using CMMI To Improve Contract Management Within DCMA. Guy Mercurio, DCMA Boston, MA

CMMI for Acquisition, Version 1.3

1. Oblast rozvoj spolků a SU UK 1.1. Zvyšování kvalifikace Školení Zapojení do projektů Poradenství 1.2. Financování


Software Quality Requirements and Evaluation, the ISO Series

online magazine first edition 2009 berkeley club of france - online magazine - first edition 2009 berkeley club of france

5 Regional Approaches

Workload Management Services. Data Management Services. Networking. Information Service. Fabric Management

Status Report: Practical Software Measurement

Governor s Cybersecurity Task Force. Monday, November 23, 2015 Roughrider Room State Capitol Building

An Application of an Iterative Approach to DoD Software Migration Planning


Cyber Workforce Training

U S B Pay m e n t P r o c e s s i n g TM

Engineering Standards in Support of


Using CMMI Effectively for Small Business Panel

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills DAU-South

INCOSE System Security Engineering Working Group Charter

CobiT and IT Governance Elements for building in security. from the top, down and the bottom, up

Update: OSD Systems Engineering Revitalization Efforts

GENERAL INFORMAT ION:

CMMI for Development, Version 1.3

ORACLE NAIO Excellence combined with Quality A CMMI Case study

Continuous Risk Management Guidebook

CMMI for Development, Version 1.3

Software Performance Evaluation Maturity Model (SPE-MM)

National Defense Industrial Association Systems Engineering Division Task Group Report Top Five Systems Engineering Issues

Software Process Improvement

GLOBES AMERICA GlobesAmerica.com

Program Management vs Systems Engineering

Industrial Collaboration Systems Engineering Capability Maturity Model Description and Overview of Hughes Pilot Appraisal


Lawrence M Greene 10 Lake Park Court Germantown, MD cell4476@comcast.net

QUality Assessment of System ARchitectures (QUASAR)

i n g S e c u r it y 3 1B# ; u r w e b a p p li c a tio n s f r o m ha c ke r s w ith t his å ] í d : L : g u id e Scanned by CamScanner

Transcription:

Lockheed Martin s Move to Assurance: Software Safety and Security Certification Best Practices (BP) Dennis Beard, CISSP Lockheed Martin Syracuse, NY August 7, 2007 Page 1

Agenda Best Practices Guidebook Context Guidebook Specifics Structure and Content Development of Guidebook Safety and Security for Integrated Capability Maturity Models Guidebook Promotion Target Audience Page 2

CMMI and Assurance - What Started This Discussion??? Dennis Beard leads an internal LM SW Subcouncil WG relating to SW Safety and Security certification. This group produced a corporate-wide SW Certification Best Practices (BP) Guidebook. In November 2006, presented the BP to a joint meeting with the SW Engineering Institute (SEI) and the Corporate VP for Engineering and his staff. Suggestion was raised by LM management that we pursue the furthering of these Best Practices concepts via a Security extension to the CMMI. CMMI is register in the U.S. Patent and Trademark Office by Carnegie Mellon University Page 3

Context SW Subcouncil Over 200 people and over 37,000 hours of participation!! Tech Ops Management Council (TOMC) (Engineering VPs from LMC Businesses) Sets Str ate gy, Provid es Re sou rces Corp Te ch Training C ouncil Cor p. E n g. & Te ch n olo gy V P E ngi ne er in g Andy Gre en EPI Center Steve Butt P rovid es Pr ogr am Directi on & Ma nag em ent S ystem Engi neering Software Engi neering Tes t a n d Evaluation Mec ha ni cal Engi ne ering Electric al Engi ne ering Engi ne ering Project Ma na gem e nt Facilit ates Subc oun cil/ Foc us Tea m Activiti es Subcounci ls Consensus on best practices, process, methods, tools Process Groups High Priority initiatives Speci alt y E ngi ne er in g PWB / CCA Maint ain P roc esses, Selec t Sta nda rd To ols Subcouncil / Focus Team Representatives Lo ck hee d Mar ti n C om pa nies - Te ch Op s Ma na ger s - EPI Le ad er s Imple me nt EPI P roce sses, Apply Stan da rd Tool s Joint W orki ng Gro ups (all SCs su ppo rtin g) Inte gra ted M easu re me nt (EP M le d) Embe dde d Syst em s (SWSC l ed) WorkSh ar e POCs, Risk & Opp ty M gm t. Inte gra ted ap pr oach to Tr ainin g Provid es Engi ne erin g Suppo rt f or P roces s/t ools SubCouncil/Process Group Participation Benefits Members, Companies and Lockheed Martin Page 4

SW Safety and Security Certification Best Practices Completed a joint Safety and Security guidebook entitled: Software Safety & Security: A Guidebook for Engineering Best Practices and Certification & Accreditation Requirements EPI 260-19 Version 1.0 completed July 2006. Continuous content development has been maintained since July 2006 Version 2.0 was released end of July 2007. Page 5

Best Practices Specifics Description of the more common SW Safety and Security Engineering and Certification Processes LM programs encounter. Also how to use those processes. Intended for those not fully knowledgeable with a particular certification process program management / technical / business development. Built in an electronic format as a web-based document. - but many people still want / need paper version Page 6

Structure and Content of BP Section I Overview DoD 8570 - Information Assurance Workforce Improvement Program. Anti Tamper A high level awareness summary of the: Guidelines for Implementation of Anti-Tamper Techniques in Weapon Systems Acquisition Programs* *Issued by Dr. Gansler, Under Secretary of Defense, in May 2000 Page 7

Structure and Content of BP Section II Engineering Guidance DOD-I- 8500.2- Information Assurance Implementation Safety & Security Extensions for Integrated Capability Maturity Models Key Practices for Engineering Security Mission-critical Systems ISO/IEC 27002: 2005 - Code of Practice for Information Security Management (formerly ISO-IEC 17799) NIST 800-53 - Security Controls for Federal Information Systems & Appendices NIST 800-30 - Risk Management Guide for Information Technology Systems NASA-GB-8719.13: Software Safety Guidebook Security Engineering Checklists Page 8

Structure and Content of BP Section III Certification Standards DITSCAP DIACAP (MIL-STD-882) Standard Practice for System Safety DO178B - Software Considerations in Airborne Systems and Equipment Certification C&A Methodologies Overview developed by Systems Software Consortium ISO-IEC 27001: 2005 - Information Security Management Systems - Reqs; (27001 requires the use of 27002 which provides the needed guidance.) Common Criteria, ISO 15408, Information technology - Security Techniques - Evaluation criteria for IT security DCID 6/3 - Protecting Sensitive Compartmented Information Within Information Systems Page 9

BP Development Concept Very aggressive schedule Started late September 2005 Draft of BP completed at the end of March 2006 Review cycle with our Pilot Partners completed late June 2006 Delivered to the SW Subcouncil on June 23, 2006 SW Subcouncil provided feedback completed July 2006 BP became EPI 260-19 in August 2006 First Version - developed 3 engineering and 3 certification processes documents in parallel Each document led by a SME SME created synopsis of reference guidance with appropriate links to source(s) SME solicited and selected pilot project partner SME worked with pilot project partner to validate the guidance Second version added additional relevant processes to sections II and III. Page 10

Safety & Security Extensions A relevant component of section II of our Guidebook is a summary description of the Safety and Security Extension for Integrated Capability Maturity Models*. Section II Engineering Guidance DOD-I- 8500.2 Safety & Security Extensions for Integrated Capability Maturity Models Key Practices for Engineering Security Mission-critical Systems S & S Extensions are viewed as important to LM programs. Within our Best Practices, the Extensions are described and organized as: Background - Section 2: Overview / Status / Evaluation Structure Section 3: Application Area / Work Environment *Safety and Security Extensions for Integrated Capability maturity Models, September 2004, L. Ibrahim, J. Jarzombek, M. Ashford, et al. Page 11

Safety & Security Extensions Section 2 CMMI Section 2: draws from existing and established Safety and Security sources many which are pertinent to LM programs Safety: Security: - MIL_STD 882D* - ISO 17799* - DEF STAN 00-56 - ISO 15408 Common Criteria* - ISO 21827 (Sys Sec Eng CMM) - NIST 800-30 Risk Management* *Certifications and processes covered in Best Practices v1.0 and its revisions. Page 12

BP Promotion and Use With the release of Version 2.0 content development gives way to promoting the use of the Best Practices so that.... Better SW assurance is the result by changing behavior in new programs to consider safety and security certification requirements up front. Management has to be aware of the Best Practices in order to use them effectively. Page 13

Promotion Tasks Working with the LM Business Areas management leaders: - Brief BP to Program Management Councils - Identify to leaders SMEs (the authors) who can be help in specific certification areas - Monitor which programs are using the BP - Maintain the document via its built-in reader comment capability - Continue to add new and relevant engineering and certification processes to the BP Page 14

Who is our Target Audience? Primarily we seek to promote the use of these Best Practices for Safety and Security assurance among program managers at project inception. Best Practices (BP) serves front line engineers who have limited knowledge of assurance or certification processes BP has easy-to-use reader to SME contact capability for each given Safety or Security topic. Page 15

Summary Within LM we are taking an active role to foster a development environment that promotes Safety and Security Assurance from program inception. The Certification Best Practices Guidebook is an important part of that strategy. We welcome the opportunity to promote and extend this level of assurance awareness out to the larger community of practice via the CMMI Model or other well recognized standards organizations. Page 16

Contact Information Dennis J. Beard, CISSP Systems Engineer (IT Security) Senior Staff MS2 Syracuse 315-456-3236 dennis.j.beard@lmco.com Page 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information