
CSIAC

Cyber Security and Information Systems Information Analysis Center


An Overview of the Schedule Compliance Risk Assessment Methodology (SCRAM)

Published in Journal of Cyber Security and Information Systems
Volume: 1 Number: 4 - Understanding Cyber Risks and Security Management

Authors: Adrian Pitman, Elizabeth K. Clark, Brad Clark and Angela Tuffley
Posted: 02/10/2016

Schedule slippage is an unfortunate reality for many large development programs. The Australian Defence Materiel Organisation Schedule Compliance Risk Assessment Methodology (SCRAM) provides a framework for identifying the root causes of schedule slippage and communicating them, together with recommendations for going forward, to Program and Executive-level management. It is based on a repeatable process that uses a root cause analysis of schedule slippage model to locate factors that impact program schedule, along with a “health check” of the documented schedule that assesses its preparation and the probability distribution of completion dates. SCRAM can be used at the commencement of a program to validate a proposed schedule and identify potential risks, during program execution as a “health check”, or as a diagnostic tool to identify root causes when schedule slippage occurs. To date, SCRAM has been applied to a number of major development acquisition programs in Australia and the United States.

According to one documented report, seventy-eight percent of US Department of Defense Programs have experienced some form of schedule slippage [1]. Schedule slippage is a symptom of any number of problems or causes occurring on a project. Examples include:

  • Optimistic, unrealistic estimates
  • Evolving or unstable requirements
  • Use of immature technology
  • Poor monitoring of changing workloads
  • Incurring Technical Debt with no plans to repay
  • Lack of adequate planning and preparation for System Integration
  • Poorly constructed schedules
  • Poor management communication
  • Conflicting views among stakeholders
  • Poor subcontractor performance
  • Dependencies not realized and/or often not scheduled
  • Poor quality work leading to unanticipated or unplanned rework
  • Inadequate staffing
  • Artificially imposed deadlines
  • Lack of Technical Progression
  • Lower than estimated productivity

Trying to identify root causes of schedule slippage is not always easy but is necessary if schedule slippage is to be remedied and managed.

This paper introduces the Schedule Compliance Risk Assessment Methodology (SCRAM) used by the Australian Defence Materiel Organisation (DMO) to identify and quantify risk to schedule compliance. SCRAM is an assessment approach and product suite developed by the authors and funded by the Australian DMO to facilitate remediation of troubled acquisition projects.

This paper describes the Root Cause Analysis of Schedule Slippage (RCASS) model used in SCRAM. Next, the techniques used in SCRAM to estimate the most likely schedule completion date are discussed; these include Monte Carlo Schedule Risk Analysis and Parametric Software Modeling. Finally, the methodology for collecting, organizing and communicating information is briefly described.


References

[1] Edmund Conrow, “An Analysis of Acquisition Cost, Performance, and Schedule Characteristics for DOD Programs,” Acquisition Community Connection, Defense Acquisition University, 2003.

[2] John McGarry, David Card, Cheryl Jones, Beth Layman, Elizabeth Clark, Joseph Dean, and Fred Hall, “Practical Software Measurement: Objective Information for Decision Makers,” Addison-Wesley, 2001.

[3] Barry Boehm, “Section 2: Risk Management Practices: The Six Basic Steps,” from Software Risk Management, IEEE Computer Society Press, 1989.

[4] Ricardo Valerdi, “The Constructive Systems Engineering Cost Model (COSYSMO): Quantifying the Costs of Systems Engineering Effort in Complex Systems,” VDM Verlag, 2008.

[5] International Organization for Standardization, “ISO/IEC 15504.2:2003 – Information Technology Process Assessment – Part 2: Performing an Assessment,” 2003.

Endnotes


[1] COTS: Commercial Off The Shelf; MOTS: Modified Off The Shelf; NDI: Non-Developed Item (previously existing); GFE: Government Furnished Equipment

Authors

Adrian Pitman
Mr. Adrian Pitman is the Director Acquisition Engineering Improvement in the Standardisation Office of the Australian Defence Materiel Organisation (DMO). He has over 45 years military systems experience, including 20 years as a member of the Royal Australian Air Force and 25 years in capital equipment acquisition in various engineering, project management and quality assurance management roles. Throughout his career Adrian has focused his work on implementing organizational improvement including his role as a foundation member of the DMO Software Acquisition Reform Program and as Director Quality Systems in the Australian Department of Defence. Adrian obtained his engineering qualifications at the Royal Melbourne Institute of Technology and is a SCRAM Lead Assessor, a former DMO CMMI Lead Assessor, ISO 9001 Lead Auditor and a Certified International Software Configuration Manager.
Elizabeth K. Clark
Dr. Elizabeth (Betsy) Clark is President of Software Metrics, Inc., a Virginia-based consulting company she co-founded in 1983. Dr. Clark is a primary contributor to Practical Software Measurement (PSM). Dr. Clark was also a principal contributor to the Software Engineering Institute’s (SEI) core measures. Dr. Clark is a Research Associate at the Center for Systems and Software Engineering at USC. She collaborated with Dr. Barry Boehm and Dr. Chris Abts to develop and calibrate the COCOTS model. She is a consultant to the Institute for Defense Analyses and the Software Engineering Institute. She is also a primary contributor to SCRAM. Dr. Clark received her B.A. from Stanford University and her Ph.D. in Cognitive Psychology from UC, Berkeley.
Brad Clark
Dr. Brad Clark is Vice-President of Software Metrics Inc., a Virginia-based consulting company. His area of expertise is in software cost and schedule data collection, analysis and modeling. He also works with clients to set up their own estimation capability for use in planning and managing. He has also helped clients with software cost and schedule feasibility analysis and cost estimation training. Dr. Clark received his Master’s in Software Engineering in 1995 and Ph.D. in Computer Science in 1997 from the University of Southern California. He is a co-author of the most widely used Software Cost Estimation model in the world, COCOMO II. This model estimates the effort and duration required to complete a software development project. Brad is a former US Navy A-6 Intruder pilot.
Angela Tuffley
Ms Angela Tuffley is the Director of RedBay Consulting, an Adjunct Senior Lecturer with Griffith University and a Software Engineering Institute (SEI) Visiting Scientist. She has over 30 years of industry experience, both in Australia and overseas, providing expert professional services in training, assessment and advice for the acquisition, engineering and support of software intensive systems. She is a co-developer of the Schedule Compliance Risk Assessment Methodology (SCRAM) and provides consultation on SCRAM, the adoption of the Capability Maturity Model Integration (CMMI) and ISO/IEC 15504 Information Technology Process Assessment (SPICE). She is a CMMI Institute Certified CMMI Instructor and has a Bachelor of Science and a Graduate Diploma in Software Quality from Griffith University.
