<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD><TITLE>NIST SP 800-37</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3603" name=GENERATOR><!--[if !mso]>
<STYLE>v\:* {
BEHAVIOR: url(#default#VML)
}
o\:* {
BEHAVIOR: url(#default#VML)
}
w\:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
}
</STYLE>
<![endif]-->
<STYLE>@font-face {
font-family: Wingdings;
}
@font-face {
font-family: Cambria Math;
}
@font-face {
font-family: Calibri;
}
@font-face {
font-family: Tahoma;
}
@font-face {
font-family: Consolas;
}
@page Section1 {size: 612.0pt 792.0pt; margin: 70.85pt 70.85pt 70.85pt 70.85pt; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman","serif"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman","serif"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman","serif"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
P {
FONT-SIZE: 12pt; MARGIN-LEFT: 0cm; MARGIN-RIGHT: 0cm; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 99; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto
}
PRE {
FONT-SIZE: 10pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Courier New"; mso-style-priority: 99; mso-style-link: "HTML Preformatted Char"
}
P.MsoListParagraph {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt 36pt; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 34
}
LI.MsoListParagraph {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt 36pt; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 34
}
DIV.MsoListParagraph {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt 36pt; FONT-FAMILY: "Times New Roman","serif"; mso-style-priority: 34
}
SPAN.HTMLPreformattedChar {
FONT-FAMILY: Consolas; mso-style-priority: 99; mso-style-link: "HTML Preformatted"; mso-style-name: "HTML Preformatted Char"
}
SPAN.EmailStyle20 {
COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-reply
}
.MsoChpDefault {
FONT-SIZE: 10pt; mso-style-type: export-only
}
DIV.Section1 {
page: Section1
}
OL {
MARGIN-BOTTOM: 0cm
}
UL {
MARGIN-BOTTOM: 0cm
}
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=NL-BE vLink=purple link=blue>
<DIV dir=ltr align=left><SPAN class=125041320-03022010><FONT face=Arial
color=#0000ff size=2>I like your take. Maybe the SAMM team could provide formal
commentary to NIST in this regard. I suspect that in not providing feedback, it
will be published and those who read it at a later date will get confused as to
the value proposition of each aka more disturbances in the
force...</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> samm-bounces@lists.owasp.org
[mailto:samm-bounces@lists.owasp.org] <B>On Behalf Of </B>Bart De
Win<BR><B>Sent:</B> Wednesday, February 03, 2010 2:51 PM<BR><B>To:</B> Software
Assurance Maturity Model (SAMM); SecureCode Mailing List<BR><B>Subject:</B> Re:
[SAMM] NIST SP 800-37<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">James,<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">I’m
not familiar (yet) with the details of SP800-37.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">However,
to add another NIST SP document to this discussion, SP 800-64 (R2 of October
2008) is definitely also worth looking at in the secure development lifecycle
context. Imho, from a bird’s eye view, the main differences between SP 800-64
and SAMM/BSIMM are:<o:p></o:p></SPAN></P>
<P class=MsoListParagraph style="TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1"><![if !supportLists]><SPAN
lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><SPAN
style="mso-list: Ignore">-<SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></SPAN></SPAN><![endif]><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">The
NIST model is a process model, while SAMM and BSIMM are maturity models. This is
a fundamentally different. In that sense, it is more related to the
SDL/CLASP/TouchPoint type of models.<o:p></o:p></SPAN></P>
<P class=MsoListParagraph style="TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1"><![if !supportLists]><SPAN
lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><SPAN
style="mso-list: Ignore">-<SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></SPAN></SPAN><![endif]><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">In
the same line of reasoning, the NIST model is waterfall-based, while SAMM and
BSIMM are actually process agnostic (they can be applied to waterfall, agile and
other types of processes)<o:p></o:p></SPAN></P>
<P class=MsoListParagraph style="TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1"><![if !supportLists]><SPAN
lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><SPAN
style="mso-list: Ignore">-<SPAN
style="FONT: 7pt 'Times New Roman'">
</SPAN></SPAN></SPAN><![endif]><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">NIST
SP 800-64 focuses much more on deployment, operations and disposal than any of
the other models that I’ve seen so far.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">I’d
be also interested in hearing any other opinions about this
one.<o:p></o:p></SPAN></P>
<P class=MsoListParagraph><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Best
regards,<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'">Bart.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<DIV>
<P class=MsoNormal><B><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Arial','sans-serif'">------------</SPAN></B><SPAN
lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Arial','sans-serif'"><BR></SPAN><B><SPAN
lang=EN-US
style="FONT-SIZE: 10pt; COLOR: #1f497d; FONT-FAMILY: 'Arial','sans-serif'">Bart
De Win </SPAN></B><SPAN lang=EN-US
style="FONT-SIZE: 7.5pt; COLOR: #1f497d; FONT-FAMILY: 'Arial','sans-serif'">CSSLP<BR>Principal
Consultant, CC Leader Application Assurance</SPAN><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Arial','sans-serif'"><BR></SPAN><SPAN
lang=EN-US
style="FONT-SIZE: 9pt; COLOR: #1f497d; FONT-FAMILY: 'Arial','sans-serif'">Tel.: +32
(0)9 243.10.20, Mob: +32 (0)479 46.79.57<BR></SPAN><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Arial','sans-serif'"><BR></SPAN><B><I><SPAN
lang=EN-US
style="FONT-SIZE: 9pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'">“Ascure,
demonstrating excellence in operational risk
management”<o:p></o:p></SPAN></I></B></P>
<P class=MsoNormal><B><I><SPAN lang=EN-US
style="FONT-SIZE: 9pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'">Looking
for world class education? Check-out </SPAN></I></B><B><SPAN lang=FR
style="FONT-SIZE: 9pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><A
title=http://www.ascureacademy.eu/ href="http://www.ascureacademy.eu/"><I><SPAN
lang=EN-US
style="COLOR: blue">www.ascureacademy.eu</SPAN></I></A></SPAN></B><B><I><SPAN
lang=EN-US
style="FONT-SIZE: 9pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"> and
</SPAN></I></B><B><SPAN lang=FR
style="FONT-SIZE: 9pt; COLOR: navy; FONT-FAMILY: 'Arial','sans-serif'"><A
title=http://www.ascureacademy.eu/ href="http://www.ascureacademy.eu/"><I><SPAN
lang=EN-US
style="COLOR: blue">www.bcmacademy.be</SPAN></I></A></SPAN></B><B><SPAN
lang=EN-US
style="FONT-SIZE: 9pt; COLOR: #1f497d; FONT-FAMILY: 'Arial','sans-serif'">.</SPAN></B><SPAN
lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Arial','sans-serif'"><o:p></o:p></SPAN></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><SPAN
style="COLOR: #1f497d">
<HR align=center width="100%" SIZE=2>
</SPAN></DIV>
<P class=MsoNormal><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: #1f497d">This
message may be confidential. It is also solely for the use of the individual or
group to whom it is addressed. If you have received it by mistake, please let us
know by e-mail reply. Ascure is not liable for any direct or indirect damage
arising from errors, inaccuracies or any loss in the message, from unauthorized
use, disclosure, copying or alteration of it. </SPAN><SPAN lang=EN-US
style="FONT-SIZE: 10pt; COLOR: #1f497d"><o:p></o:p></SPAN></P>
<P class=MsoNormal
style="mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"><SPAN lang=EN-US
style="FONT-SIZE: 10pt; COLOR: #1f497d">For the complete version or other
languages of this disclaimer see </SPAN><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d"><A
href="http://www.ascure.com/disclaimer.htm"><SPAN lang=EN-US
style="COLOR: blue">http://www.ascure.com/disclaimer.htm</SPAN></A></SPAN><SPAN
style="FONT-SIZE: 10pt; COLOR: #1f497d"> <SPAN
lang=EN-US><o:p></o:p></SPAN></SPAN></P></DIV>
<P class=MsoNormal><SPAN lang=EN-US
style="FONT-SIZE: 11pt; COLOR: #1f497d; FONT-FAMILY: 'Calibri','sans-serif'"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0cm; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0cm; PADDING-BOTTOM: 0cm; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN lang=EN-US
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">
samm-bounces@lists.owasp.org [mailto:samm-bounces@lists.owasp.org] <B>On Behalf
Of </B>McGovern, James F. (eBusiness)<BR><B>Sent:</B> woensdag 3 februari 2010
19:13<BR><B>To:</B> Secure Code Mailing List; Software Assurance Maturity Model
(SAMM)<BR><B>Subject:</B> [SAMM] NIST SP
800-37<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">NIST has
created a draft document entitled: Guide for applying risk management framework
to federal information systems: a security lifecycle approach. Curious to know
if anyone has identified gaps, differences in opinion, etc between NIST and how
either SAMM or BSIMM would define the same?</SPAN><o:p></o:p></P><PRE>************************************************************<o:p></o:p></PRE><PRE>This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.<o:p></o:p></PRE><PRE>************************************************************<o:p></o:p></PRE></DIV><pre>************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************
</pre></BODY></HTML>