Trilateral Research EUROPEAN COMMISSION Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs Innovation and Advanced Manufacturing KETs, Digital Manufacturing and Interoperability European Catalogue ADOPTION METHODOLOGY Fondazione FORMIT: Pietro Costanzo, Massimiliano Argiolu DG CONNECT June, 2016
Adoption Methodology: structure of this session
- Presentation of the proposed Adoption Process and the key activities, including roles and responsibilities;
- Presentation of an Adoption Process Use Case;
- Workshop participants to evaluate whether the process is “fit-for-use”.

Following Directive 98/34, this document defines a 'Standard' as “a technical specification approved by a recognised standardisation body for repeated or continuous application, with which compliance is not compulsory and which is one of the following:
- International standard: a standard adopted by an international standardisation organisation and made available to the public, such as ISO;
- European standard: a standard adopted by a European standardisation body and made available to the public;
- National standard: a standard adopted by a national standardisation body and made available to the public.”

In addition, the European Commission will provide means by which fora and consortia specifications can be used with the same validity, once these have been approved by a multi-stakeholder platform. For the remainder of this document we will refer to formal standards developed by standard setting bodies, and technical specifications from fora and consortia that have the necessary properties to be approved by the multi-stakeholder platform, as "standards".
Proposed definition of adoption methodology for the Catalogue
The adoption methodology is the process of adopting ICT standards and related solutions based on the gathering of needs and proposals, the assessment, the adoption and the implementation. Each Catalogue Entry can include a Use Case and related standards profiles or sets of standards, recommendations and procurement guidelines.
USE CASE = a possible case of use of the standard
The BPM Notation: Events, Activities, Gateways, Connections
ICT standards adoption process: domain-neutral, including steps that may or may not be in place across MS
Process actors

Solution Requester
Actors that need to define requirements for a specific purpose, e.g. a procurer that needs to define requirements for a tender, or a private company that has to answer an EU-level tender. A Standard Organization can also submit its own Standard for insertion into the Catalogue (providing a possible Use Case and Standard Profile, guidelines, etc.).

Catalogue Management Team (CMT)
The CMT is responsible for the implementation, maintenance and improvement of the Catalogue. It sets priorities for each domain in the short and long term and evaluates new requests; it also has to consider the impact of changes to adopted standards.

Teams of Technical Experts of Matter (TEM)
The TEM supports the CMT in the deeper evaluation of technical aspects within the different domains. The team will be defined according to the governance model. Its duty is to analyse all the technical aspects of requirements and to identify interoperability issues; furthermore, it supports the CMT in building the profiles.

Board of Reviewers (BOR)
The BOR is the final decision-making body on the adoption of a standard. Its composition depends on the chosen governance model. The BOR should be supported by the TEM and MS delegates, appointed depending on the specific subject to adopt.
Taking charge of a new standard: activities

External Input Collection (Responsibility: Catalogue Management Team)
The CMT receives requests coming from the external Process Stakeholders (such as MS procurers or industries, Large Pilot Programmes or Standard Organizations) and checks whether these requests are complete (i.e. standard and its classification, domain, use case, etc.).

Impact Analysis (Responsibility: Technical Experts of Matter)
This analysis activity has to identify the impacts of introducing Standards, Profiles and Use Cases into the Catalogue, verifying possible issues.
Questions? Some inputs…
- If a standard is already present in the Catalogue, or the proposed Use Case is very similar to another, is it useful to execute the impact analysis in order to find possible integrations or improvements?
- When a new standard is proposed, is it useful to reassess all the use cases and related standard profiles with similar topics?
First approval and Use Case definition and review

Requirement approval review (Responsibility: Board of Reviewers)
This activity reviews the results of the Impact Analysis, verifying whether the proposed standard adheres to the Catalogue scope and does not introduce risks that could alter the Catalogue. If the proposed standard is declared not yet mature and/or not stable enough, it could be refused.

Proposed Catalogue Entry Discarding (Responsibility: Catalogue Management Team)
After refusing a standard/requirement or other kind of input, the CMT has to store this information in a specific part of the Catalogue for future purposes, issuing a formal motivation to the applicant.

Use Case Definition (Responsibility: Catalogue Management Team)
The aim of this activity is to define the use cases in which the proposed standard can be applied, e.g. in terms of domains, scope and applicability.

Use Case Review (Responsibility: Board of Reviewers)
Validation of the Use Case proposed by the stakeholder or developed by the CMT. The BOR has to be supported by all interested stakeholders (internal or external to the governance).
Questions? Some inputs…
- Which kind of information do you need to build a use case representative of your real needs?
- Which elements are necessary in the Use Case definition?
Catalogue Entry definition and adoption

Selection of necessary Standards; Definition of Standard Profile; Definition of Procurement Guidelines (Responsibility: Catalogue Management Team)
The Use Case should be integrated with other standards (other than the proposed ones) that could fit the Use Case scope. These standards should be aggregated in specific “profiles” based on the individual needs depicted in the Use Cases. If necessary, procurement guidelines should be defined or collected.

Compliancy and interoperability Review (Responsibility: Technical Experts of Matter)
This review tests the deliverables released in the last three activities. The CAMSS methodology and external databases (e.g. CEF) could be useful for avoiding interoperability issues.

Consultation Process; Catalogue Entry Adoption Review (Responsibility: Board of Reviewers)
This sub-process is useful to create consensus about all the deliverables produced; it is structured according to complexity and impact. At its end, a formal review assesses the feedback received and decides to adopt the Catalogue Entry as highly recommended/mandatory or recommended only, according to the agreement and the endorsement reached.
Questions? Some inputs…
Other than the CAMSS, which other instruments could be useful to consider?
- NIST?
- ISO generic (i.e. ISO 20k family)?
- Cabinet Office Standards?
Catalogue Review Process
A simple use case example …
A Procurer has to create its own Cloud Computing Service Catalogue through a tender or a framework agreement with the providers. The Procurer has not yet developed specific service levels (SLA) and/or certification requirements.
Which standards (other than the CAMSS-assessed ones) could be used for the Procurement?
- ITIL
- ISO 27001
- ISO 20000
- TOGAF
- NIST SP 800-146: Cloud Computing Synopsis and Recommendations
- NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
- Procurement Innovation for Cloud Services in Europe (
- Other Standards?
A simple use case example …
The need is to support a User in the customization and/or tailoring of a Cloud Computing Service. The Service/Operational Level Agreement has to be adapted to the user’s needs. The User also requires that the Service has specific interoperability requirements (e.g.) and/or certification evidence against the requirement (e.g. Security).
Which standards (other than the CAMSS-assessed ones) could be used?
- ITIL
- ISO 27002
- SOC
- CSA CCM
- ODCA SUoM (Standard Units of Measure for IaaS)
A simple use case example …
Other similar use case already in?
Other use case or standard impacted
A simple use case example …
Verify existing guidelines

A simple use case example …
Standard CAMSS only?
Adaptable depending on impact and complexity
European Catalogue ADOPTION METHODOLOGY – Draft issued by Fondazione FORMIT, June 2016