
In a procurement project, you are evaluating and selecting software vendors to customize a transportation management system. Which of the following is least likely to be part of the vendor qualification criteria?
A. FOCI (Foreign Ownership, Control, and Influence)
B. Capability Maturity Model Integration (CMMI)
C. Software Assurance Maturity Model (SAMM)
D. Common Criteria (ISO 15408)
Kindly be reminded that the suggested answer is for your reference only. It doesn't matter whether your answer is right or wrong. What really matters is your reasoning process and justifications.
My suggested answer is D. Common Criteria (ISO 15408).
The Common Criteria (ISO/IEC 15408) specifies criteria for evaluating the security properties of an IT product (the Target of Evaluation) against a Security Target or Protection Profile, yielding an Evaluation Assurance Level for that product. It says nothing about the maturity, ownership, or development practices of the vendor itself, so it is the least relevant to vendor qualification. The other three options all describe the vendor rather than a product.

FOCI as a Regulatory Requirement
FOCI (Foreign Ownership, Control, and Influence) is a common regulatory requirement in government contracting, e.g., 32 CFR § 2004.34 in the US and section 4.30.30 (Foreign ownership, control or influence) of the Canadian industrial security requirements. CFR is an acronym for the Code of Federal Regulations in the US. A vendor under foreign ownership, control, or influence may be excluded from, or subject to mitigation measures before, handling sensitive contracts, which makes FOCI a typical vendor qualification criterion.
CMMI
You, as an acquirer, can benefit from a vendor’s use of CMMI-DEV and avoid the pitfalls associated with unrealistic expectations by effectively using information obtained from the vendor’s CMMI-DEV efforts on development programs. (Osiecki)
“CMMI can be appraised using two different approaches: staged and continuous. The staged approach yields appraisal results as one of five maturity levels. The continuous approach yields one of four capability levels.” (Wikipedia)

OWASP SAMM
Because ISACA acquired the CMMI Institute and the CMMI materials are copyrighted and licensed, the OWASP SAMM (Software Assurance Maturity Model) is often chosen as an open, freely available alternative. SAMM assesses the maturity of an organization's software security practices across its development life cycle, so it applies directly to qualifying a vendor that will customize software for you.

References
- Foreign Ownership Control or Influence: Supplemental FOCI Data Sheet
- CMMI: The DoD Perspective
- What is CMMI? A model for optimizing development processes
- Understanding and Leveraging a Supplier’s CMMI® Efforts: A Guidebook for Acquirers (Revised for V1.3)
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial on information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get a copy from the author's web site.
In a procurement project, you are evaluating and selecting software vendors to customize a transportation management system. Which of the following is least likely to be part of the vendor qualification criteria?
A. FOCI (Foreign Ownership, Control, and Influence)
B. Capability Maturity Model Integration (CMMI)
C. Software Assurance Maturity Model (SAMM)
D. Common Criteria