US SC7 TAG Meeting Report
Scott Duncan, SW Division Standards Chair
This column is being written based on the meeting at the National Institute for Standards and Technology (NIST) in Gaithersburg, MD (September 21-23).
At this 53rd meeting of the US SC7 TAG, I served as TAG Chair. Our Chair for the past few years, Mike Gayle of JPL, had to step down and JPL has, for the time being, withdrawn from the TAG. Normally, the 1st Vice Chair, Paul Croll, would step in, as he did last Spring, to fill the Chair role until an election can be held. However, due to some temporary restrictions because of a recent operation, Paul was unable to travel. That left the job of Chair to me as 2nd Vice Chair.
Department of Homeland Security Presentation
Joe Jarzombek (USAF Lt. Col., Retired) is the Director for Software Assurance in the National Cyber Security Division of the Department of Homeland Security. He presented a talk about software assurance (safety and security) efforts at DHS. He has spoken about this before at the TAG and at IEEE S2ESC meetings. Fundamentally, there are 16 key points to the software assurance program (divided into 4 higher-level topics):
Establishing a Safety and Security Infrastructure
1. Ensure Safety and Security Competency
2. Establish Qualified Work Environment
3. Ensure Integrity of Safety and Security Information
4. Monitor Operations and Report Incidents
5. Ensure Business Continuity

Managing Safety and Security Risks
6. Identify Safety and Security Risks
7. Analyze and Prioritize Risks
8. Determine, Implement, and Monitor Risk Mitigation Plan

Satisfying Safety and Security Requirements
9. Determine Regulatory Requirements, Laws, and Standards
10. Develop and Deploy Safe and Secure Products and Services
11. Objectively Evaluate Products
12. Establish Safety and Security Assurance Arguments

Managing Activities and Products
13. Establish Independent Safety and Security Reporting
14. Establish a Safety and Security Plan
15. Select and Manage Suppliers, Products, and Services
16. Monitor and Control Activities and Products
[The October, 2005 issue of Crosstalk (which can be found along with many years of past issues at http://www.stsc.hill.af.mil) has software security as its theme and contains this information in much expanded form along with several other articles on the topic of software assurance. Joe Jarzombek and I will be presenting this, and related material, in a joint session at the Quality Assurance Association of Maryland's (QAAM) annual conference -- in conjunction with the Quality Assurance Institute (QAI) -- in the Baltimore area on November 1, 2005.]
Task Group Presentations
What follows are excerpts from the "outbriefs" (i.e., final day reports) from each Task Group (TG) which explain the current status of various SC7 standards at the international Working Group (WG) level. TGs exist at the TAG level to track and work on the standards and proposals assigned to the WGs at the international level. In some cases, TAG members and other U.S. Technical Experts participate as WG Chairs or Editors.
Unless otherwise noted, the commentary relates to the international status of the standards discussed. When US TAG-specific activities are reported they will be so noted.
System and Software Documentation (TG 2)
A new "business plan" for SC7 documentation standards was shown at this meeting identifying two series of standards: the 26511-16514 series addressing user documentation and the 26521-26524 series addressing software and life cycle documentation. Each series will have a document directed at documentation managers, acquirers and suppliers, testers and assessors, and designers and developers.
ISO/IEC 15289 on the content of systems and software life cycle process information products was approved at the Final Committee Draft (FCD) level and will be moving to the Final Draft International Standard (FDIS) level with resolution of FCD comments.
Software Product Quality Measurement (TG 6)
Comments on ISO/IEC 25012, which addresses data quality, were discussed including suggestions to add activities such as data quality audits. This document is currently in ballot at the Working Draft/Committee Draft (WD/CD) level.
TG6 members met with TG7 on planned revisions to 15939, which addresses the software measurement process and is up for renewal/revision. It was formerly developed under another WG, but when the original work was completed, the WG disbanded. The five-year period for reconsideration has arrived and the work has been moved into WG7.
Other WG6 documents in or near ballot are 25001 (quality planning) at the CD level, 25020 (quality measurement) at the FCD level, and 25030 (quality requirements) at the FCD level.
There was discussion in TG6 regarding security becoming a top-level quality characteristic in the 25010 (quality model) document. This idea will be carried to the next WG6 meeting in Beijing.
At the WG level, U.S. members have been asked to draft a resolution for WG6 to formally request a liaison (Mary Theofanos) with TC159/SC4 and to work a New Work Proposal on the Common Industry Format (for human factors evaluation reports) based on a resolution out of the May SC7 Plenary in Helsinki.
Other WG6 document statuses are:
- ISO/IEC 25000, the Guide to SQuaRE, has passed its FDIS Ballot and will be sent for publishing after editorial changes.
- ISO/IEC 25021, on quality model elements, is due for its 2nd Preliminary Draft Technical Report (PDTR) ballot, but it had not been issued yet at the time of the TAG meeting.
- ISO/IEC 25040, the evaluation process guide, should be revised by the Beijing meeting, and then forwarded for WD and CD ballot after the meeting.
- ISO/IEC 25051 (the renumbering of 12119 on COTS quality requirements and testing) should soon be out for FDIS Ballot. Mike Kress, who has been working as a co-editor on this, noted that all significant U.S. comments had been addressed.
- ISO/IEC 25062 (formerly the CIF document numbered 23025) has been fast tracked to DIS and will be published after editorial changes are completed.
(System and Software) Life Cycle Management (TG 7)
The active products for WG7 include:
- ISO/IEC 24748, which is a Technical Report outlining the concepts and definitions for the harmonization of 12207 and 15288.
- ISO/IEC 15939, as noted above, is to be revised to include systems within its scope, as it was originally labeled as a software measurement process document. However, there is nothing inherent in the document that prevents it from being used as a measurement process for things other than software.
- ISO/IEC 16236 has been approved as a New Work Item to address software project management with the option to expand to include systems, pending progress on the harmonization work.
The short-term approach for 12207 and 15288 revision is to implement the IEEE-CS "Harmonization Lite" proposal for "interoperable standards" with consistent terminology and concepts, the same process constructs, minimal essential changes to allow interoperability, and an evolutionary path for current users of the documents. Long-term, "integrated processes" are intended to (1) produce a consolidated list of processes described in terms of their purpose and their outcomes, which, though distinct, may have additional domain-specific outcomes, then (2) develop an architecture for grouping processes, then (3) determine a suitable document structure to meet stakeholder needs, prioritizing the documents, and, finally, (4) actually produce the documents.
The draft process set includes:
- Stakeholder Requirements Definition
- Requirements Analysis
- Architectural Definition
- Detailed Design (Recursive application starting at system-level. May have SW or other specialization)
- Implementation (Code & Unit Test (for SW specialization), Facility preparation, Operator Training, Other (TBD))
- Support (replacing the term "maintenance" and expanding the Utilization stage to merge the Support stage to be a single stage, including Maintenance and Integrated Logistics Support (ILS) Execution or equivalent)
- Agreement Mgt, covering Acquisition and Supply
- Risk Mgt
- Decision Mgt
- Configuration Mgt
- Info Mgt (Documentation)
- Knowledge Mgt
- Quality Mgt (which would point to 9001 and the project quality standard, including quality assurance, quality control, and audits (which may only be activities))
- Life Cycle Mgt, including Project Life Cycle Definition and Reviews
- Project Mgt (including project initiation and closure, and problem resolution)
- Process Mgt (including planning, execution, assessment and control activities performed for each process thereby eliminating duplication)
Resource Provisioning (that is, resources needed to enable process purposes and outcomes)
- Infrastructure and Environment, including safety and security
- Process & Life Cycle Model Definition, including improvement
- Human Resource Management and Training
- Financial Resource Management, including Investment Mgt from 15288 (with the question of whether "portfolio management" might be better)
TG7 issues related to the near-term revision work include
- moving Life Cycle Stages to 24748, including Life Cycle Model types, definitions, and usage concepts, and seeing how well that would work,
- combining measurement and risk management processes down to the activity and task level, but no lower,
- moving life cycle definition from tailoring to planning (where tailoring involves deleting only or replacing with an equivalent task as adding new tasks/outcomes should not affect compliance),
- problem resolution being defined as a separate process since material in 15288 is dispersed on this topic but there is a single such process in 12207,
- investigating alignment with BS15000 (proposed as ISO/IEC 20000) and the ITIL guidance,
- adding more focus to stakeholder/user/customer in the operations process,
- reducing redundancy in supplier agreement's contract execution activity which has 17 tasks mostly repeating planning, execution, assessment and control tasks from project/process management processes,
- considering a "continuously applied" process/project management/implementation process to eliminate redundancy in general in 12207.
Process Assessment (TG 10)
Part 5 of 15504 remains the only part not yet completed and published. It appears that it will not be done for another 6 months, though the FDIS ballot is near. Experience creating a full exemplar model, including the many people who have come and gone as editorial support for it, would seem to indicate that the U.S. position over the past decade has been valid, i.e., that process assessment model development work of this size and nature does not fit well at the international standards level and should be left to the marketplace.
Despite this, a Part 6 is being proposed to create a system life cycle process assessment model (based on ISO/IEC 15288), but as that is undergoing change and harmonization is beginning, it seems to the U.S. that it is even less desirable for such an effort to start given the Part 5 experience to date.
A Part 7 is also being proposed to address the possibility of deriving an organizational maturity "level" from the continuous process profile output of a 15504 assessment. The U.S. will suggest consideration of criteria such as those used for the Baldrige Award in the U.S. and similar models used elsewhere in the world, such as EFQM in Europe, since such models offer an implicit scoring structure related to organizational maturity. Another consideration is the new ISO Technical Committee (whose US TAG will be administered by ASQ) on social responsibility and how its work could affect consideration of organizational maturity.
Functional Size Measurement (TG 12)
The FDIS for 14143-6 (the guide to functional size measurement) should be finalized at the interim international meeting in October, and balloted soon after that. The Draft Corrigendum for 14143-1 will also be finalized at the interim meeting, and balloted thereafter.
Software and Systems Engineering Consolidated Vocabulary (TG 22)
The IEEE-CS has offered to host the resulting database of definitions and the University of Washington has offered some student resources to define a prototype design and interface to such a web-based database as input to the final IEEE-CS development.
[There were no presentations from TG 9 or Special Working Group 5.]
Changes in TAG membership
Motorola and Jet Propulsion Labs formally withdrew, and the Institute for Certification of Computer Professionals (ICCP) was dropped by the IEEE TAG Administrator for failure to pay the annual TAG fee.
However, 5 new members could be voted in at the next TAG meeting: the Department of Homeland Security, Human Factors International, Affiliated Computer Services, Sun Microsystems and an individual membership by Tom Kurihara, a long-time TAG participant who has represented various organizations in the past.
The Project Management Institute is pursuing Category A Liaison relationship directly with SC7, but may also pursue TAG membership once the liaison status is resolved. Right now they attend TAG meetings as observers.
TC176 TAG Liaison
The TAG asked me to ask the ASQ SW Division if it would support my being the TAG's liaison to the US TAG for TC176. TC176 is the ISO Technical Committee, which handles the ISO 9000 series (and related) quality management standards. Dave Kitson (of the Software Engineering Institute) went to the last TC176 TAG meeting a month ago but cannot continue as a permanent liaison. My thought is that I could go to a TC176 TAG meeting each year and they could send someone to one of ours. The two liaisons could work together, then, on the effort.
TAG Chair Status
As the TAG is formally without a Chair given JPL withdrawing, the TAG needs to formulate a call for volunteers that the IEEE TAG Administrator can send out. When candidates are identified, an election ballot can be sent.
It was mentioned that the TAG Chair does not have to be the US Head of Delegation to international meetings. Indeed the IEEE TAG Administrator noted that the HoD can be named differently for every international meeting if the TAG chooses to do so. Before the SW Division joined the TAG, the Chair and HoD were not always the same person. That might make it easier to get folks to volunteer as Chair if the international travel/responsibility were not a presumed part of the commitment.
Next TAG Meeting(s)
The next US SC7 TAG meeting will be in Long Beach (hosted by Boeing) from March 21-23, 2006. The meeting after that will be at the University of Washington next September (probably the week of September 18th).
Those interested in any of the topics mentioned above, or other standards-related issues, can send email to firstname.lastname@example.org.