Chapter 3. Model Components

This chapter introduces the CERT-RMM process areas and their categories and describes the process area components and their categories. You will need to fully understand this information to make use of the process areas contained in Part Three. It may be helpful to skim a few process areas before you read this section to become familiar with their general construction and layout.

3.1 The Process Areas and Their Categories

As in CMMI models, a process area in CERT-RMM is “a cluster of related practices in an area that, when implemented collectively, satisfy a set of goals considered important for making improvement in that area” [CMMI Product Team 2009, p. 10]. CERT-RMM has 26 process areas (PAs) that are organized into high-level operational resilience categories: Engineering, Enterprise Management, Operations, and Process Management. Table 3.1 shows the 26 CERT-RMM process areas by category.

Table 3.1. Process Areas by Category [image not reproduced]

Categories are further elaborated and described in Section 4.1.

3.1.1 Process Area Icons

The process area categories are reinforced visually in the model by process area icons. The process area icons show the process area tags (explained below and in Section 3.4) and the symbol of the process area’s operational resilience management area. Figure 3.1 shows an example of a process area icon from each operational resilience management area.

Figure 3.1. Examples of Process Area Icons [image not reproduced]

3.2 Process Area Component Categories

CERT-RMM process areas contain three categories of components: Required, Expected, and Informative. These categories aid in establishing process improvement objectives and in adapting the model to an organization’s unique circumstances.1

Table 3.2 lists the model components in each category.

Table 3.2. CERT-RMM Components by Category [image not reproduced]

3.2.1 Required Components

Required components describe what an organization must achieve to satisfy a process area. There are two required components in CERT-RMM: specific goal statements and generic goal statements. Goal satisfaction is used in CERT-RMM–based capability appraisals to determine capability levels (see Part Two, Section 6.4). Satisfaction of a goal means that it is visibly and verifiably implemented in the organization’s processes.

Note that it is the goal statements that are required components, not the goal titles. The goal title of specific goal 1 in Asset Definition and Management is “Establish Organizational Assets”; the goal title of generic goal 1 is “Achieve Specific Goals.”

3.2.2 Expected Components

Expected components describe the practices that an organization will typically implement to achieve required components. Specific practice statements and generic practice statements are both expected components in CERT-RMM. To satisfy goals, the specific and generic practices are expected to be present in the planned and implemented processes of the organization unless acceptable alternatives are present.

Again, note that it is the practice statements that are expected components, not the practice titles.

3.2.3 Informative Components

Informative components provide guidance and suggestions about how to achieve the required and expected components. The informative components in CERT-RMM are listed in Table 3.2.

For example, “Identify high-value services” is a subpractice in Asset Definition and Management specific goal 2, specific practice 1, and “List of high-value services and associated assets” is a typical work product.

3.3 Process Area Component Descriptions

3.3.1 Purpose Statements

Purpose statements summarize the content of the process area and collectively represent the goals of the process area. For example, for the Service Continuity process area, “The purpose of Service Continuity is to ensure the continuity of essential operations of services and related assets if a disruption occurs as a result of an incident, disaster, or other disruptive event.”

3.3.2 Introductory Notes

The introductory notes provide explanatory matter on the contents of the process area. They are designed to explain the scope of the process area and how developing competency in that area is important to achieving and sustaining resilience. Unique conditions and terminology are included in the introductory notes, as well as a summary of the goals of the process area.

3.3.3 Related Process Areas Section

The related process areas section lists references to other process areas and reflects the high-level relationships among capabilities. This information is useful in deciding which other capabilities are complementary and should be considered by the organization when improving capability.

The following are two examples of relationships from the Service Continuity process area:

The consideration of consequences as a foundational element for developing a service continuity plan is addressed in the Risk Management process area.

The identification of vital records and databases for service continuity is addressed in the Knowledge and Information Management process area.

3.3.4 Summary of Specific Goals and Practices

The summary of specific goals and practices is a table that lists the tag and title of all of the specific goals in the process area and the tag and title of the specific practices of each specific goal.

3.3.5 Specific Goals and Practices

The specific goals of each process area state at a high level the unique capabilities that characterize the process and are required for improving the process. They describe what to do to achieve the capabilities. Specific goals are decomposed into specific practices, which are considered to be the base practices that reflect the process area’s body of knowledge. Specific practices are expected components of the process area that, when achieved, should promote accomplishment of the associated goal. They begin to articulate how to achieve process capabilities. Specific practices provide suggested ways to meet their associated goals, but in implementation they may differ from organization to organization.

Figure 3.2 shows a specific goal from the Asset Definition and Management process area with its required component, the specific goal statement.

Figure 3.2. A Specific Goal and Specific Goal Statement [image not reproduced]

Figure 3.3 shows a specific practice from the Asset Definition and Management process area with its expected component, the specific practice statement.

Figure 3.3. A Specific Practice and Specific Practice Statement [image not reproduced]

3.3.6 Generic Goals and Practices

Generic goals are called “generic” because the same goal statement applies to multiple process areas. A generic goal describes the capabilities that must be present to institutionalize the processes that implement a process area. A generic goal is a required model component and is used in appraisals to determine whether a process area is satisfied.

Figure 3.4 shows a generic goal from the Asset Definition and Management process area with its required component, the generic goal statement.

Figure 3.4. A Generic Goal and Generic Goal Statement [image not reproduced]

Generic practices are called “generic” because the same practice applies to multiple process areas. A generic practice is the description of an activity that is considered important in achieving the associated generic goal. (See Part Two, Chapter 5, for a more detailed description of generic goals and practices.)

Figure 3.5 shows a generic practice from the Asset Definition and Management process area with its expected component, the generic practice statement.

Figure 3.5. A Generic Practice and Generic Practice Statement [image not reproduced]

3.3.7 Typical Work Products

Typical work products describe the artifacts typically produced by a specific practice. As informative elements, these artifacts are not set in stone; rather, they are suggested from experience, and an organization may have similar or additional artifacts. Typical process artifacts are useful as model elements because they provide a baseline from which measurement of the performance of the practice can be gauged.

3.3.8 Subpractices, Notes, Example Blocks, Generic Practice Elaborations, References, and Amplifications

Subpractices are informative elements associated with each specific practice and relevant to typical work products. Subpractices are a transition point for process-area–specific practices because the focus changes at this point from what must be done to how. While not prescriptive or detailed, subpractices can help organizations determine how they can satisfy the specific practices and achieve the goals of the process area. Each organization will have its own subpractices that it has either organically developed or has acquired from a code of practice.

Subpractices can include notes and example blocks. Notes provide expanded and explanatory detail for subpractices where necessary. Examples provide relevant and real-world illustrations and depictions that support understanding of the subpractices.

Generic practice and subpractice elaborations provide guidance about how the generic practice should be applied uniquely to the process area. For example, in every process area, subpractice 1 of generic goal 2, generic practice 3 (“Provide Resources”), is “Staff the process.” In the Incident Management and Control process area, the subpractice elaboration lists examples of staff required to perform the incident management and control process, such as staff responsible for triaging events.

References are pointers to related, additional, or more detailed information in other process areas or other components within the same process area. The CERT Resiliency Engineering Framework: Code of Practice Crosswalk, Preview Version, v0.95R [REF Team 2008b] contains subpractice references to common codes of practice that aid in effectively adopting CERT-RMM regardless of what practices an organization has already invested in and implemented.

Amplifications explain or describe a unique aspect of a practice. They are used in Asset Definition and Management to describe the differences between asset types. Otherwise, they are infrequently used in the current version of the model. Future versions of the model will use amplifications to describe how a particular process area is addressed for a specific asset type, such as software, systems, or facilities.

Figure 3.6 illustrates the structure of the major model components and indicates whether all or part of each component is required, expected, or informative.

Figure 3.6. Summary of Major Model Components [image not reproduced]

3.4 Numbering Scheme

Process areas in CERT-RMM are tagged with a two- to four-letter tag. The tags for all the process areas are shown in Table 3.3.

Table 3.3. Process Area Tags [image not reproduced]

Specific and generic goals are tagged and numbered as follows: SG refers to a specific goal; GG refers to a generic goal. These are appended to the CERT-RMM process area tags and numbered. For example, “ADM:SG1” is specific goal 1 in the Asset Definition and Management process area, and “ADM:GG3” is generic goal 3 in the Asset Definition and Management process area.

Specific and generic practices are tagged and numbered as follows: SP refers to a specific practice; GP refers to a generic practice. These are appended to the CERT-RMM process area tags and the specific goal and generic goal tags, respectively, and are numbered. For example, “ADM:SG1.SP1” is specific practice 1 in specific goal 1 in ADM, and “ADM:GG2.GP3” is generic practice 3 in generic goal 2 in ADM.

Typical work products are numbered sequentially beginning with “1” within each specific practice. Subpractices are numbered sequentially beginning with “1” in each specific or generic practice. Subpractices are referenced in text with their specific or generic practice tag. For example, “ADM:SG2.SP1 subpractice 1” is subpractice 1 in specific practice 1 in specific goal 2 in ADM, and “ADM:GG2.GP3 subpractice 2” is subpractice 2 in generic practice 3 in generic goal 2 in ADM.
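The numbering scheme above is regular enough to be parsed and checked mechanically, which is useful when an organization cross-references its own policies, audit findings, or control mappings against CERT-RMM components. The following parser is an added example, not code from the CERT-RMM book or the SEI: it implements the grammar exactly as Section 3.4 states it (process area tag, SG/GG goal, optional SP/GP practice, optional "subpractice n") and rejects references that the structure makes impossible, such as a specific practice under a generic goal or a subpractice attached directly to a goal. Because Table 3.3 is not reproduced here, the parser accepts any two- to four-letter process area tag rather than validating against the model's list; ADM is the only tag taken from the text. The `category` property applies the component categories of Section 3.2 (goal statements required, practice statements expected, subpractices informative).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar assumed from the numbering scheme in Section 3.4 (added example, not
# from the CERT-RMM book). Table 3.3's list of process area tags is not
# reproduced here, so any two- to four-letter tag is accepted.
TAG_RE = re.compile(
    r"^(?P<pa>[A-Z]{2,4})"
    r":(?P<goal_kind>SG|GG)(?P<goal>[1-9][0-9]*)"
    r"(?:\.(?P<prac_kind>SP|GP)(?P<prac>[1-9][0-9]*))?"
    r"(?:\s+subpractice\s+(?P<sub>[1-9][0-9]*))?$"
)

KIND_NAMES = {"SG": "specific goal", "GG": "generic goal",
              "SP": "specific practice", "GP": "generic practice"}


@dataclass(frozen=True)
class ComponentRef:
    process_area: str
    goal_kind: str                       # "SG" or "GG"
    goal: int
    practice_kind: Optional[str] = None  # "SP" or "GP"
    practice: Optional[int] = None
    subpractice: Optional[int] = None

    @property
    def component_type(self) -> str:
        """Name of the most specific component the reference points at."""
        if self.subpractice is not None:
            return "subpractice"
        if self.practice_kind is not None:
            return KIND_NAMES[self.practice_kind]
        return KIND_NAMES[self.goal_kind]

    @property
    def category(self) -> str:
        """Component category per Section 3.2: goal statements are required,
        practice statements expected, subpractices informative."""
        if self.subpractice is not None:
            return "informative"
        if self.practice_kind is not None:
            return "expected"
        return "required"


def parse_tag(text: str) -> ComponentRef:
    """Parse a CERT-RMM tag such as 'ADM:GG2.GP3 subpractice 2'.

    Raises ValueError for malformed tags and for structurally impossible
    combinations (SP under GG, GP under SG, a subpractice with no practice).
    """
    m = TAG_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CERT-RMM component tag: {text!r}")
    goal_kind, prac_kind = m.group("goal_kind"), m.group("prac_kind")
    # Specific practices belong to specific goals, generic to generic.
    if prac_kind and prac_kind[0] != goal_kind[0]:
        raise ValueError(f"{prac_kind} may only appear under {prac_kind[0]}G: {text!r}")
    if m.group("sub") and not prac_kind:
        raise ValueError(f"subpractices belong to practices, not goals: {text!r}")
    return ComponentRef(
        process_area=m.group("pa"),
        goal_kind=goal_kind,
        goal=int(m.group("goal")),
        practice_kind=prac_kind,
        practice=int(m.group("prac")) if prac_kind else None,
        subpractice=int(m.group("sub")) if m.group("sub") else None,
    )


def describe(ref: ComponentRef) -> str:
    """Render the reference the way the book spells it out in prose."""
    parts = [f"{KIND_NAMES[ref.goal_kind]} {ref.goal}"]
    if ref.practice_kind:
        parts.insert(0, f"{KIND_NAMES[ref.practice_kind]} {ref.practice}")
    if ref.subpractice is not None:
        parts.insert(0, f"subpractice {ref.subpractice}")
    return " in ".join(parts) + f" in {ref.process_area}"


if __name__ == "__main__":
    # The tags below are the ones quoted in Section 3.4.
    for tag in ["ADM:SG1", "ADM:GG3", "ADM:SG1.SP1", "ADM:GG2.GP3",
                "ADM:SG2.SP1 subpractice 1", "ADM:GG2.GP3 subpractice 2"]:
        ref = parse_tag(tag)
        print(f"{tag:28} -> {ref.component_type:18} ({ref.category}): {describe(ref)}")
```

Running the block prints each of the six tags from Section 3.4 with its component type, its category, and the prose expansion the book uses ("subpractice 1 in specific practice 1 in specific goal 2 in ADM"). The structural checks are the point: a reference such as "ADM:SG1.GP1" parses lexically but cannot exist in the model, and catching it at parse time is cheaper than discovering a broken mapping during an appraisal.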

3.5 Typographical and Structural Conventions

Typographical and structural conventions have been used in the model to distinguish model components and make them easier to recognize. Also, references to other process areas or process area components are always styled in italic in CERT-RMM.

These conventions can be seen in Figure 3.7, which shows extracts of process area pages with model components identified.

Figure 3.7. Format of Model Components [image not reproduced]
