INFOSEC Assurance
Training and Rating Program
We realize that many students have not had their name added to the IATRP certified list, or information updated. We apologize for the delays and any inconvenience. The website is in the process of being reworked without any change to what you should see. Please contact iatrp@iatrp.com if you feel your information is not correct or needs updating. Thank you for your patience and we apologize for any inconvenience.
The INFOSEC Assurance - Capability Maturity Model (IA-CMM) is based on the System Security Engineering Capability Maturity Model (SSE-CMM) and modified to address the INFOSEC assurance processes.
Whereas IATRP methodology training focuses on an individual's ability to conduct an INFOSEC assurance service, the IA-CMM appraisal focuses on a provider organization's capability to support INFOSEC analysts in carrying out their mission objectives (i.e., providing quality INFOSEC assurance or evaluation). The IA-CMM measures two things: the maturity of the processes (specific functions) that produce products (e.g., identified vulnerabilities, countermeasures, and threats), and the level of compliance a process has with respect to an IATRP methodology.
Capability maturity is a measurement of the level of assurance that an organization can perform a process consistently (i.e., providing a consistent product from the process). The IA-CMM identifies nine process areas related to performing INFOSEC assurance services. For each of the nine process areas, the IA-CMM defines six levels of process maturity, from Level "0" to Level "5". The higher the maturity level, the more likely the process will be performed consistently. From this consistency, quality can be implied but not guaranteed.
In CMM processes, it is conceivable that a well-defined process that consistently produces a poor product can receive a fairly high maturity rating. The IA-CMM counters this by focusing on the process areas as they relate to the IATRP methodologies. The use of standardized IATRP methodology products adds additional assurance of quality (i.e., the right products are being produced).
At the conclusion of an IA-CMM appraisal, the organization will be assigned an IA-CMM Ratings Profile. This is a list of nine numbers (one for each process area) from "0" to "5". The organization will also receive a check mark for each of the nine process areas that is compliant with the IATRP methodology. For example, an organization may have an "identify impact" process area rating of "2" and a check for IAM. This means that not only is the process area at capability maturity level "2", but it is also compliant with the IAM (i.e., it has been proven that all IAM-related products are produced). Each IATRP methodology (e.g., IAM, IEM) will have separate compliance requirements. Thus, each methodology will have a separate check box in the organization's rating.
When a customer is deciding on an INFOSEC assurance provider organization, they can use the IA-CMM rating profile along with the experience of the INFOSEC analysts to determine what is best to meet their needs. The lower the process area maturity rating, the more dependence the consumer should put on the experience of the individual analyst.
In order to maintain a corporate IA-CMM rating the following guidelines must be met:
If the organization has received a rating of "1" in any Process Area, an appraisal must be completed within 18 months from the date of the current rating.
If the organization has received a rating of "2" in any Process Area, an appraisal must be completed within 30 months from the date of the current rating.
If the organization has received a rating of "3" or better across all Process Areas, an appraisal must be completed within 42 months from the date of the current rating.
Failure of the organization to maintain its rating as prescribed above will result in the corporate IA-CMM rating profile being removed from the www.IATRP.com website until such time that the organization is compliant. Furthermore, if there is no rating listed on the IATRP site, the response to any request for data on the organization’s rating will be "NOT RATED".
Any change in the organizational structure (e.g., re-organization, merger, acquisition, or significant attrition, meaning greater than 10% or the loss of an SME) needs to be reported so the Government IATRP Program Manager (PM) can determine whether a new appraisal needs to be conducted.
There are currently two NSA-contracted firms providing IA-CMM support to the INFOSEC Assurance Rating and Training Program (IATRP): Security Horizon, Inc. and Engineering Solutions, Inc. (ESI). ESI currently provides only the INFOSEC Assessment Capability Maturity Model (IA-CMM) and CAM (Continuous Appraisal Method) training; contact lisathompson@enginsor.com or www.enginsol.com.
To request an IAM, IEM, or IA-CMM assessment, please contact any one of the following companies:
*Points of contact for these companies may also be obtained from this site: http://www.iatrp.com/companies.php (click on "company info").