By Alan Weber: VP, New Product Innovations (PDF Solutions) and long-time SEMI Standards participant; currently co-leader of the Equipment Data Publication Task Force and Computer and Device Security Task Force.
Major Work Product Released!
SEMI’s Semiconductor Manufacturing Cybersecurity Consortium (SMCC) Work Group 3 (Supply Chain Cybersecurity) just released a major work product that will have a significant and lasting positive impact on the industry: the “Standardized Semiconductor Cyber Assessment (SSCA)” questionnaire. Creating a common security assessment process for device makers, equipment suppliers, software suppliers and other members of the global manufacturing value chain has been one of the principal focus areas for the SMCC from its outset, and its aim is to replace the plethora of company-specific questionnaires that are maintained, distributed, filled out, evaluated, discussed, and …
Given the breadth and importance of this objective, the workgroup involved expert stakeholders from across the globe, and the quality of their collective efforts reflects the robustness of this approach.
How is the SSCA structured?
The questionnaire takes its basic structure from the Capability Maturity Model Integration (CMMI) framework, which is designed to improve and integrate processes across multiple disciplines, such as software development, system engineering, system testing, and even people management. It defines five (5) distinct maturity levels for the relevant parts of an organization or aspects of a major topic (see figure below) with general explanations of what it means to be at a particular level.
Figure: the five CMMI maturity levels (Source: Wikipedia)
Workgroup 3 tailored this model to the unique cybersecurity challenges faced by the semiconductor manufacturing supply chain, identifying six (6) activity areas inspired by the NIST Cybersecurity Framework 2.0—Govern, Identify, Protect, Detect, Respond, and Recover. Within each area, there are specific descriptions of the attributes an organization must exhibit to be at a certain level.
What does the SSCA include?
The SSCA is delivered in multi-tab spreadsheet form with a tab of instructions and a tab of questions. Some of the questions are multiple choice (“Which CMMI maturity level are you, based on the attributes listed?”) and many are Yes/No (“Does the organization use secure technologies to share sensitive data with suppliers?”). In total, there are 165 questions across the six activity areas.
The questions tab is already offered in five languages: English, Korean, Traditional Chinese, Simplified Chinese, and Japanese.
How can I get the SSCA?
Easy. Click the link below and fill out the SEMI form that appears.
https://www.semi.org/en/industry-groups/semiconductor-cybersecurity/ssca
“Remembrance of Things Past” or Has this ever been done before?
No… and sort of.
Those of you who remember the state of the semiconductor manufacturing industry in the early 90s will recall that one of the biggest problem areas was the poor and inconsistent quality of the embedded equipment control and communication interface software. SEMATECH and its member companies saw this as an ideal pre-competitive domain for the consortium’s focus, so the Manufacturing Systems Division evaluated best practices in the software engineering community of that era and selected the Capability Maturity Model (CMM) of Carnegie Mellon’s Software Engineering Institute. Sound familiar?
While wholly adopting the CMM at that time was beyond the reach of most equipment suppliers, the nugget that emerged was the decision to standardize on a set of “4-Up” charts that conveyed the most basic of software quality metrics. This got everyone using the same vocabulary, definitions, and visualization techniques to compare progress across process areas and timeframes, which was instrumental in identifying and addressing the root causes of the software issues. An example of a typical software quality “4-Up” chart appears below.
Figure: example software quality “4-Up” chart (Source: Techno-pm)
And in related news!
Given the recent (mid-July) release by Work Groups 1 and 2 of the SEMI E187 Compliance Guidance document and the formation of the new South Korea Cybersecurity workgroup (WG9), the SMCC is poised to realize its vision of accelerating the adoption of SEMI’s Cybersecurity standards while creating vital complementary material.
To access this important document, click the link below and fill out the SEMI form.