An alternative approach to evaluating assurance is built on the capability maturity model (CMM) paradigm, which is a five-level model of increasingly mature processes and continuous improvement. The CMM originated in the Carnegie Mellon Software Engineering Institute (SEI) under the auspices of the U.S. Department of Defense (DoD).
The Systems Security Engineering Capability Maturity Model (SSE-CMM; copyright 1999 by the Systems Security Engineering Capability Maturity Model [SSE-CMM] Project) is based on the premise that if you can guarantee the quality of the processes an organization uses, then you can guarantee the quality of the products and services those processes generate. It was developed by a consortium of government and industry experts and is now under the auspices of the International Systems Security Engineering Association (ISSEA) at www.issea.org. The SSE-CMM (www.sse-cmm.org/) makes the following salient points:
The SSE-CMM addresses the following areas of security: