DEFINITION OF PROCESS ASSESSMENT AND IMPROVEMENT APPROACH FOR CYBERSECURITY – EXPRO PLUS
28, April 2021

ESA Open Invitation to Tender: 1-10802
Open Date: 01/04/2021 16:05 GMT +3
Closing Date: 14/05/2021 13:00 GMT +3

Security is becoming increasingly important in all of ESA’s missions, rather than just in specific missions (Galileo, Copernicus) as was the case in the past. Therefore, the European space industry need to have a welldefined and standardized approach to assess the security processes of its suppliers, especially in terms of software development, where many security vulnerabilities can be introduced. Extending the existing software process assessment and improvement model (ECSS S4S) to also cover cyber security will ensurethat suppliers meet the ever-increasing security requirements in a cost-effective and proven way. It is important to harmonise theapproach for the assessment and improvement of software development processes in a context where it is vital to ensure the adequatesecurity of the output work products. There are many possible approaches, standards and certification schemes. Therefore, having a clear, unambiguous way forward is essential, especially with the aim of standardizing the approach in ECSS. The current software process assessment and improvement ISO standard (ISO/IEC 33000 family) enables to asses process quality characteristic in the more generic sense, rather than only process capability specifically as was the case in the preceding standard (ISO/IEC 15504). This could allow to use this well-established model to assess process security (which is a process quality characteristic). This proposed research and development activity will investigate how this can best be approached and will develop the Process Assessment Model, the Measurement model, etc. to enable such assessments, which can then be proposed for an ECSS handbook or standard. The activity encompasses the following tasks: – Define a Process Assessment Model for cyber security.- Define a Measurement Model for cyber security.- Define a Process Reference Model for cyber security.- Demonstrate the compliance of these 3 models to ISO/IEC 33000.- Elaborate a preliminary proposal for a new or updated ECSS handbook ( or standard).- Conduct at least one trial cyber security assessments using the new Process Assessment Model in order to evaluate how the theoretical model works in practice. Feed the lessons learned back intoan updated version of the model.

Directorate: Directorate of Tech, Eng. Quality
Estabilishment: ESTEC
ECOS Required: No
Classified: No
Price Range: 100-200 KEURO
Contracts Officer: Vasileios Angelopoulos
Initiating Service: TEC-QQS
IP Measure: N/A
Prog. Reference: E/0901-01 – Technology Developme
Tender Type: Open Competition
Open To Tenderers From: AT+BE+CH+CZ+DE+DK+EE+EL+ES+FI+FR+GB+HU+IE+IT+LU+NL+NO+PL+PT+RO+SE
Technology Keywords: 25-B-I-SW Process Quality Techniques
Products Keywords: 2-E-4-Other

If you wish to access the documents related to the Invitation to Tender, you have to log in to the ESA Portal.