1. 11/08/06Copyright 2006, RCI1 CONIPMO Workshop Out-brief 21 st International Forum on COCOMO and Software Cost Modeling Donald J. Reifer Reifer Consultants, Inc. P.O. Box 4046 Torrance, CA 90510-4046 Phone: 310-530-4493 Email: dreifer@earthlink.netdreifer@earthlink.net CONIPMO

2. 11/08/06Copyright 2006, RCI2 Goal Summary Large interest as measured by workshop attendance Easily accommodated in the small training room Lots of interesting discussion (and some really good jokes) Total consensus that such a model is needed especially as we become more net-centric Goals of the Workshop included the following: –Discuss the CONIPMO model Model formulated by expert group Model refined via two Delphi rounds Model matured to the point where we believe data collection can commence –Summarize and discuss the open issues raised in Delphi One versus separate team Dynamic configurations Drivers versus scale factors Separate anti-tamper model 8 ; 98 ; 9

3. 11/08/06Copyright 2006, RCI3 Network Security –At What Cost? DMZ Firewall Router SQL Server Intrusion Prevention System Proxy Server Gateway Sniffer Servers Defense-in-depth is a necessary, but expensive proposition requiring additional equipment and software to provide layers of protection against intruders, both insiders and outsiders. Costs need to be justified by the protection provided.

4. 11/08/06Copyright 2006, RCI4 Goals Established for CONIPMO Three primary goals for the effort were established using the GQM approach –Be able to generate an accurate estimate of the time and effort needed to secure the network infrastructure defenses –Be able to validate the estimate using actuals –Be able to predict the effort involved should anti-tamper be a requirement Expert Collaborators Group Inputs

5. 11/08/06Copyright 2006, RCI5 Network Defense Early Phase Cost Model 12 Effort = A (B) ∏ D i (Size) C i = 1 Size -No of requirements -No. of interfaces -No. of operational scenarios -No. of critical algorithms -No. of false alarms -+ Volatility Factor Effort (PM) Duration (CM) Calibration Where Effort = All hours to perform engineering tasks (requirements, architecture, development, test and integration; includes task management, in PM (152 hours/month)) A = Calibration constant B = Architecture constant (see Page 13) C = Power law D i = Cost Drivers Where: ∏ D i = product of their ratings Size = No. of weighted predictors scaled for a given false alarm rate Note: The model takes the form of a regression model. We are currently working with our collaborators to reduce the number of cost drivers to the set that captures the variations in effort as noted by our experts. The size drivers are taken from the COSYSMO model as representative of systems comprised of both hardware and software components. Acquisitions are excluded and their costs must be added to the estimates generated. See descriptions for cost drivers on following pages Duration = Function (Effort)

6. 11/08/06Copyright 2006, RCI6 COSYSMO/CONIPMO Differences COSYSMO Systems engineering Entire life cycle 4 years old 20+ data points 18 drivers Fixed granularity No anchor points Size is driven by no. of system requirements CONIPMO Security engineering Entire life cycle 1 year old ~ 2 data points 16 drivers Fixed granularity No anchor points Size is driven by no. of security requirements

7. 11/08/06Copyright 2006, RCI7 EMR Results (Delphi Rounds) Level of Service Requirements--------------------------------------------------------- 2.67 Technology Maturity------------------------------------------------- 2.20 Personnel/Team Experience-------------------------------------------------------------------------- 3.25 Stakeholder Team Cohesion-------------------------------------------------- 2.33 Tools Support--------------------------------------- 1.77 Requirements Complexity------------------------------------------ 1.89 Process Capability----------------------------------------- 1.79 Architecture Understanding-------------------------------------------- 2.13 No. and Diversity of Platforms--------------------------------------- 1.70 Depth & Breadth of Requirements------------------------------------------------------------------------- 3.25 Degree of Ceremony--------------------------------------------- 2.13 0.0 1.0 2.0 3.0 EMR EMR values differ slightly for AT Early Estimation Model

8. 11/08/06Copyright 2006, RCI8 Workshop Conclusions COSYSMO estimates the cost of systems engineering Everything today is a system of systems COSOSIMO estimates the cost of system of systems Every system of systems is network-centric CONIPMO estimates the cost of systems engineering for network-centric systems Conclusion – therefore the only model we need to work on is CONIPMO

9. 11/08/06Copyright 2006, RCI9 More Workshop Conclusions Most of the issues raised can be worked in real-time as a function of data collection –Definitions of parameters will be refined and clarified –Counting conventions will be developed –Data will indicate where sources of data are and how they vary –Data will help identify relationships Anti-tamper model will probably fall by the wayside due to classification issues Letters of support from: –Army Future Warfare Center –Galorath –Lockheed Martin –MDA/GMD –Motorola –Navy Underwater Warfare Center –Net-Centric Certification Office (DISA) Collaborative effort with USC/CSSE Hopefully, will be funded under MDA Phase II SBIR

10. 11/08/06Copyright 2006, RCI10 Questions or Comments Donald J. Reifer dreifer@earthlink.net Phone: 310-530-4493 When eating an elephant take one bite at a time. ………Creighton Adams An elephant is a mouse built to Mil-Spec. ……….Sayings Galore