You are evaluating and selecting software vendors to customize the transportation management system in a procurement project. Which of the following is least likely to be part of the evaluation criteria for the vendor qualification?
A. FOCI (Foreign Ownership, Control, and Influence)
B. Capability Maturity Model Integration (CMMI)
C. Software Assurance Maturity Model (SAMM)
D. Common Criteria (ISO 15408)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Common Criteria (ISO 15408).
The Common Criteria (ISO 15408) specifies the criteria for evaluating IT products, not for vendor qualification.
FOCI as Regulatory Requirements
FOCI (Foreign Ownership, Control, and Influence) is a common regulatory requirement, e.g., 32 CFR § 2004.34 and 4.30.30. Foreign ownership, control or influence in Canada. CFR is an acronym for the Code of Federal Regulations in the US.
You, as an acquirer, can benefit from a vendor’s use of CMMI-DEV and avoid the pitfalls associated with unrealistic expectations by effectively using information obtained from the vendor’s CMMI-DEV efforts on development programs. (Osiecki)
“CMMI can be appraised using two different approaches: staged and continuous. The staged approach yields appraisal results as one of five maturity levels. The continuous approach yields one of four capability levels.” (Wikipedia)
Given that ISACA acquires the CMMI Institute and materials are copyrighted, OWASP’s SAMM (Software Assurance Maturity Model) is an open project.
- Foreign Ownership Control or Influence: Supplemental FOCI Data Sheet
- CMMI: The DoD Perspective
- What is CMMI? A model for optimizing development processes
- Understanding and Leveraging a Supplier’s CMMI® Efforts: A Guidebook for Acquirers (Revised for V1.3)
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
A. FOCI (外國所有權，控制權和影響力)
B. 能力成熟度模型集成 (CMMI)
C. 軟件保障成熟度模型 (SAMM)
D. 共同標準 (Common Criteria)