Building Trust in the Security of Software
NIST National Cybersecurity Framework Function | Description | Use of ISO/IEC 5055
--- | --- | ---
Recover | Incident Recovery Plan Execution | Eliminate similar ISO 5055-based anti-patterns
Recover | Incident Recovery Communication |

Table 2-1: Opportunities to use ISO/IEC 5055 in the context of NIST's Cybersecurity Framework.
The last five frameworks focus on building organizations that use best practices to create high quality products, one aspect of which is security. Obviously, there are many overlaps between these frameworks where practices in one framework satisfy requirements in another framework.
2.2 MATURITY MODELS
Table 2-2 presents how each level of the classic Capability Maturity Model [14], which formed the basis for CMMI [3] and SPICE (VDA Working Group 13, 2023), contributes to producing secure software. The implementation of mature development practices is verified through a rigorous evaluation process involving both examination of documents and interviews with management and staff. Compliance with ISO and other relevant standards is usually verified through formal audits against the required practices.
Level | Characteristic Attributes | Approach to secure and reliable products
--- | --- | ---
5 - Optimizing | Innovative practices | If security results are not sufficient to satisfy customers or compete in the market, then new practices, tools, or other opportunities must be piloted and deployed to improve results.
4 - Quantitatively Managed | Statistically managed practices and results | Quantitative objectives are established. Product and process data are monitored throughout development to achieve stable results and to predict security outcomes in-process so that corrections can be made early.
3 - Defined | Standardized practices | The most effective practices are integrated and standardized across projects. Baselines are established for security results to support improvement activities.
2 - Managed | Repeatable practices | Security results are stable but may differ across products whose practices differ.
1 - Initial | Inconsistent practices | Projects often lack stability, resulting in inconsistent outcomes and insecure products.

Table 2-2: Maturity level growth to improve the delivery of secure products.
6 May 2025