Tutorial: The Systems Security Engineering Capability Maturity Model


Karen Ferraiolo

Arca Systems, Inc.

8229 Boone Blvd., Suite 750

Vienna, VA 22182

Phone: 703-734-5611

FAX: 703-790-0385

ferraiolo@arca.com
Tutorial Description


The Systems Security Engineering Capability Maturity Model (SSE-CMM) was developed with
the objective of advancing security engineering as a defined, mature and measurable discipline.
The model and its accompanying appraisal method are currently available tools for evaluating the
capability of providers of security engineering products, systems, and services as well as for
guiding organizations in defining and improving their security engineering practices.


The SSE-CMM Project began over three years ago as a joint effort between government and industry
to develop a CMM for security engineering. The SSE-CMM is rapidly becoming the de facto
standard for security engineering practices. Providers of systems, products, and services are now
using the model to assess their current practices, identify potential process improvements, and
distinguish themselves from competitors. Government acquisition agencies have already begun to use
the model to evaluate potential suppliers.


This tutorial describes the SSE-CMM and its appraisal method. A brief introduction to process
improvement and CMMs is provided. In addition, a discussion of the application of the SSE-
CMM looks at issues as they present themselves throughout a system acquisition, from RFP,
through development, and to system operation. The outline of the tutorial is as follows:

• History & the Need
• SSE-CMM Project Status
• Process Improvement and CMMs
• SSE-CMM Overview
• Using the SSE-CMM
• Current Applications

---

The Systems Security Engineering
Capability Maturity Model
Karen Ferraiolo
Arca Systems, Inc.
October 7, 1998

---

Topics
• History & the Need
• SSE-CMM Project Status
• Process Improvement and CMMs
• SSE-CMM Overview
• Using the SSE-CMM
• Current Applications

---

History and the Need

---

What is security engineering?
• Security engineering, or aspects thereof,
attempts to:
– establish a balanced set of security needs
– transform security needs into security guidance
– establish confidence in the correctness and
effectiveness of security mechanisms
– judge that operational impacts due to residual
security vulnerabilities are tolerable
– integrate all aspects into a combined
understanding of the trustworthiness of a system

---

Where are we now?
• Security products come to market through:
– lengthy and expensive evaluation
– no evaluation
• Results:
– technology growth more rapid than its assimilation
– unsubstantiated security claims
• Causes?

---

What is needed?
• continuity
• repeatability
• efficiency
• assurance

---

One Potential Solution
• Can knowing something about the
organization or individual provide a solution?
• Examples:
– ISO 9000
– Certification of Information System Security
Professionals (CISSP)
– Capability Maturity Model (CMM)
– Malcolm Baldridge National Quality Award
– Past Performance

---

Why was the SSE-CMM developed?
Objective
• advance security engineering as a defined, mature, and
measurable discipline
Project Goal
• Develop a mechanism to enable:
– selection of appropriately qualified security engineering providers
– focused investments in security engineering practices
– capability-based assurance
Why the CMM approach?
• accepted way of improving process capability
• increasing use in acquisition as indicator of process capability

---

The SSE-CMM Project

---

Document Outline

• Tutorial Description
  • Slides
• Table of Contents

---