Posted on Semiconductor Engineering
By: Alan Weber
- Evaluate cyber readiness and reduce supply chain risk
- Streamline compliance with one standardized assessment
- Build trust and share results across multiple clients
- Align with NIST CSF 2.0 and industry best practices
How is the SSCA structured?
The questionnaire takes its basic structure from the Capability Maturity Model Integration (CMMI) framework, which is designed to improve and integrate processes across multiple disciplines, such as software development, system engineering, system testing, and even people management. It defines five distinct maturity levels for the relevant parts of an organization or aspects of a major topic (see figure below) with general explanations of what it means to be at a particular level.

[Figure: the five CMMI maturity levels. Source: Wikipedia]
Workgroup 3 tailored this model to the unique cybersecurity challenges faced by the semiconductor manufacturing supply chain, identifying six activity areas inspired by the NIST Cybersecurity Framework 2.0—Govern, Identify, Protect, Detect, Respond, and Recover. Within each area, there are specific descriptions of the attributes an organization must exhibit to be at a certain level.
What does the SSCA include?
The SSCA is delivered in multi-tab spreadsheet form with a tab of instructions and a tab of questions. Some of the questions are multiple choice (“Which CMMI maturity level are you, based on the attributes listed?”) and many are Yes/No (“Does the organization use secure technologies to share sensitive data with suppliers?”). In total, there are 165 questions across the six activity areas.
The latter is already offered in five languages: English, Korean, Traditional and Simplified Chinese, and Japanese.
How can I get the SSCA?
Click here and fill out the form to download the SSCA.
“Remembrance of Things Past,” or has this ever been done before?
No… and sort of.
Those of you who remember the state of the semiconductor manufacturing industry in the early 90s will recall that one of the biggest problem areas was the poor and inconsistent quality of the embedded equipment control and communication interface software. SEMATECH and its member companies saw this as an ideal pre-competitive domain for the consortium’s focus, so the Manufacturing Systems Division evaluated best practices in the software engineering community of that era and selected the Capability Maturity Model (CMM) of Carnegie Mellon’s Software Engineering Institute. Sound familiar?
While wholly adopting the CMM at that time was beyond the reach of most equipment suppliers, the nugget that emerged was the decision to standardize on a set of “4-Up” charts that conveyed the most basic of software quality metrics. This got everyone using the same vocabulary, definitions, and visualization techniques to compare progress across process areas and timeframes, which was instrumental in identifying and addressing the root causes of the software issues. An example of a typical software quality “4-Up” chart appears below.

[Figure: example of a typical software quality “4-Up” chart. Source: Techno-pm]
