http://www.sei.cmu.edu//library/reportspapers.cfmLibrary - Reports and PapersThu, 24 May 2012 22:51:37 +0000CommonSpot Content ServerSoftware Engineering InstituteThis report presents an example of an enterprise architectural pattern, Increased Monitoring for Intellectual Property (IP) Theft by Departing Insiders, to help organizations plan, prepare, and implement a means to mitigate the risk of insider theft of IP.http://www.sei.cmu.edu/library/abstracts/reports/12tr008.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/12tr008.cfmThu, 03 May 2012 14:35:45 +0000This report details the CERT Program's Source Code Analysis Laboratory (SCALe), a proof-of-concept demonstration that software systems can be conformance tested against secure coding standards, and provides an analysis of selected software systems.http://www.sei.cmu.edu/library/abstracts/reports/12tn013.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/12tn013.cfmTue, 01 May 2012 20:19:48 +0000This technical report describes the Insider Threat Security Reference Architecture (ITSRA), an enterprise-wide solution to the threat to organizations from its own insiders. The ITSRA draws from existing best practices and standards as well as from analysis of real insider threat cases to provide actionable guidance for organizations to improve their posture against the insider threat.http://www.sei.cmu.edu/library/abstracts/reports/12tr007.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/12tr007.cfmTue, 01 May 2012 14:21:10 +0000This technical note maps CERT® Resilience Management Model (CERT®-RMM) process areas to certain National Institute of Standards and Technology (NIST) special publications in the 800 series.http://www.sei.cmu.edu/library/abstracts/reports/11tn028.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tn028.cfmTue, 27 Mar 2012 12:25:58 +0000This report provides an overview of changes and improvements to the Architecture Analysis & Design Language (AADL) standard for describing both the software architecture and the execution platform architectures of performance-critical, embedded, real-time systems. http://www.sei.cmu.edu/library/abstracts/reports/11sr011.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11sr011.cfmThu, 22 Mar 2012 19:42:02 +0000This paper gives substance and explicit meaning to the terms trust and trustworthy as they relate to automated systems and to embedded systems in particular. http://www.sei.cmu.edu/library/abstracts/reports/12tn007.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/12tn007.cfmMon, 05 Mar 2012 18:55:22 +0000The SEI has developed the Mission Risk Diagnostic (MRD) to assess risk in interactively complex, socio-technical systems across the life cycle and supply chain. http://www.sei.cmu.edu/library/abstracts/reports/12tn005.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/12tn005.cfmMon, 27 Feb 2012 13:12:38 +0000This report presents the foundational concepts of a risk-based approach for software security measurement and analysis and provides an overview of the IMAF and the MRD.http://www.sei.cmu.edu/library/abstracts/reports/12tn004.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/12tn004.cfmMon, 13 Feb 2012 22:01:57 +0000This report defines malicious insiders and organized crime and provides a snapshot of who malicious insiders are, what and how they strike, and why.http://www.sei.cmu.edu/library/abstracts/reports/12tn001.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/12tn001.cfmFri, 20 Jan 2012 19:38:08 +0000This report describes a proposed model through which to understand interoperability in the e-government context.http://www.sei.cmu.edu/library/abstracts/reports/11tn014.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tn014.cfmThu, 19 Jan 2012 14:16:57 +0000This report describes some of the challenges of software versioning in an SOA environment and provides guidance on how to meet these challenges by following industry guidelines and recommended practices. http://www.sei.cmu.edu/library/abstracts/reports/11tn009.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tn009.cfmWed, 18 Jan 2012 19:38:10 +0000This research demonstrated the effectiveness of various statistical techniques for discovering quantitative data anomalies. http://www.sei.cmu.edu/library/abstracts/reports/11tr027.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr027.cfmWed, 08 Feb 2012 21:14:48 +0000The method of quantifying uncertainty described in this report synthesizes scenario building, Bayesian Belief Network (BBN) modeling and Monte Carlo simulation into an estimation method that quantifies uncertainties, allows subjective inputs, visually depicts influential relationships among program change drivers and outputs, and assists with the explicit description and documentation underlying an estimate.http://www.sei.cmu.edu/library/abstracts/reports/11tr026.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr026.cfmWed, 08 Feb 2012 20:36:11 +0000The information in this report is intended to help program managers reason about actions they may need to take to adapt and comply with the Section 804 NDAA for 2010 and associated guidance.http://www.sei.cmu.edu/library/abstracts/reports/11sr015.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11sr015.cfmThu, 16 Feb 2012 18:37:15 +0000This technical note, which builds on two previous reports, describes how implementation-level processes can provide the necessary context for identifying and defining measures of operational resilience.http://www.sei.cmu.edu/library/abstracts/reports/11tn029.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tn029.cfmWed, 21 Dec 2011 19:19:30 +0000This report describes the Software Engineering Institute’s (SEI’s) 2011 work for the National Security Agency (NSA) to develop standards for automated remediation of vulnerabilities and compliance issues on Department of Defense (DoD) networked systems. http://www.sei.cmu.edu/library/abstracts/reports/11sr016.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11sr016.cfmFri, 16 Dec 2011 20:23:25 +0000This technical note addresses some of the key issues that either must be understood to ease the adoption of Agile or are seen as potential barriers to adoption of Agile in the DoD acquisition context. http://www.sei.cmu.edu/library/abstracts/reports/11tn002.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tn002.cfmMon, 31 Oct 2011 18:49:00 +0000This report demonstrates that the SCAMPI Version 1.2 method can be adapted and applied to CERT-RMM V1.1 as the reference model for a process appraisal. http://www.sei.cmu.edu/library/abstracts/reports/11tr020.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr020.cfmTue, 21 Feb 2012 19:22:46 +0000CERT® Resilience Management Model (CERT-RMM) provides a reference model that allows organizations to make sense of their practice deployment in a process context. http://www.sei.cmu.edu/library/abstracts/reports/11tn012.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tn012.cfmTue, 21 Feb 2012 17:29:06 +0000This technical note presents an insider threat pattern on how organizations can combat insider theft of intellectual property. The technical note describes how to use the centralized log storage and indexing engine Splunk to detect malicious insider behavior on a network.http://www.sei.cmu.edu/library/abstracts/reports/11tn024.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tn024.cfmTue, 11 Oct 2011 17:18:12 +0000This technical note focuses on software acquisition and development practices related to the evaluation of products before, during, and after implementation. From engagements with numerous DoD acquisition programs, it has been observed that a number of recurring issues reduce the effectiveness of how software-reliant products are evaluated. An acquisition effort consists of identifying the customer’s needs, selecting or developing a product that is responsive to those needs, and then evaluating the product to determine if it properly addresses the identified needs. This technical note describes the Product Evaluation (verification, validation, and certification) process including test, reviews, and formal methods. It also makes the argument that Product Evaluation should not be deferred until after a product has been built, but should begin as soon as the customer’s needs have been identified and should continue throughout the acquisition efforthttp://www.sei.cmu.edu/library/abstracts/reports/11tn007.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tn007.cfmThu, 06 Oct 2011 12:37:36 +0000The CERT Research Report highlights our accomplishments and activities in successfully executing our research strategy.http://www.sei.cmu.edu/library/abstracts/reports/2010-cert-research-report.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/2010-cert-research-report.cfmMon, 03 Oct 2011 12:16:11 +0000The Smart Grid Maturity Model (SGMM) is a business tool stewarded by the Software Engineering Institute at Carnegie Mellon University. It was originally developed by electric power utilities for use by electric power utilities. The model provides a framework for understanding the current extent of smart grid deployment and capability within an electric utility, a context for establishing strategic objectives and implementation plans in support of grid modernization, and a means to evaluate progress over time toward those objectives. The SGMM is composed of eight domains and six maturity levels as detailed in this document, which contains the full definition and description of the model. Introductory material to aid in understanding the purpose and use of the SGMM is also provided. The primary audiences for the SGMM, and for this document, are electric power utilities that are seeking guidance related to the modernization of their operations and practices for delivering electricity. The audience also includes any related stakeholders for such utilities. Currently, the model is better suited for utilities with transmission and distribution operations than for pure generation utilities.http://www.sei.cmu.edu/library/abstracts/reports/11tr025.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr025.cfmFri, 07 Oct 2011 11:59:03 +0000This guidebook helps acquisition organizations formulate questions for their suppliers related to CMMI. It also helps organizations interpret responses to identify and evaluate risks for a given supplier.http://www.sei.cmu.edu/library/abstracts/reports/11tr023.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr023.cfmMon, 17 Oct 2011 11:48:56 +0000 The fourth volume in the Software Assurance Curriculum Project led by a team at the Software Engineering Institute, this report focuses on community college courses for software assurance.http://www.sei.cmu.edu/library/abstracts/reports/11tr017.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr017.cfmTue, 27 Sep 2011 16:34:04 +0000This report summarizes the proceedings from the 2010 MESOA workshop and includes the accepted papers that were the basis for the presentations given during the workshop.http://www.sei.cmu.edu/library/abstracts/reports/11sr008.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11sr008.cfmMon, 19 Sep 2011 13:58:36 +0000This report presents guidelines for architecting service-oriented systems and the effect of architectural principles on system quality attributes.http://www.sei.cmu.edu/library/abstracts/reports/11tn008.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tn008.cfmFri, 05 Aug 2011 13:23:45 +0000In this report, Resilient Enterprise Management (REM) team members suggest a set of top ten strategic measures for managing operational resilience. These measures derive from high-level objectives of the ORM system defined in the CERT® Resilience Management Model, Version 1.1 (CERT®-RMM). http://www.sei.cmu.edu/library/abstracts/reports/11tr019.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr019.cfmTue, 26 Jul 2011 17:19:37 +0000This report describes the Software Engineering Institute's 2010 work to develop standards for vulnerability and compliance remediation on Department of Defense networked systems.http://www.sei.cmu.edu/library/abstracts/reports/11sr007.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11sr007.cfmWed, 20 Jul 2011 14:46:32 +0000This report describes standard noncommercial software licensing alternatives as defined by U.S. government and Department of Defense (DoD) regulations. It also suggests an approach for objectively identifying agency needs for license rights and the appropriate license type for systems with noncommercial computer software or as standalone software in the DoD environment.http://www.sei.cmu.edu/library/abstracts/reports/11tr014.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr014.cfmWed, 20 Jul 2011 14:26:27 +0000This report presents research about insider theft of intellectual property.http://www.sei.cmu.edu/library/abstracts/reports/11tn013.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tn013.cfmThu, 02 Jun 2011 14:44:21 +0000This report describes the November 2010 Trusted Computing in Embedded Systems Workshop held at Carnegie Mellon University. http://www.sei.cmu.edu/library/abstracts/reports/11sr002.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11sr002.cfmFri, 29 Apr 2011 11:58:00 +0000This document, first in the Best Practices for National Cyber Security series, provides information that interested organizations and governments can use to develop a national incident management capability.http://www.sei.cmu.edu/library/abstracts/reports/11tr015.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr015.cfmThu, 21 Apr 2011 11:55:00 +0000The Appraisal Requirements for CMMI, Version 1.3 (ARC, V1.3), defines the requirements for appraisal methods intended for use with Capability Maturity Model Integration (CMMI) and with the People CMM. http://www.sei.cmu.edu/library/abstracts/reports/11tr006.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr006.cfmTue, 12 Apr 2011 11:33:59 +0000The Office of the Secretary of Defense for Acquisition, Technology, and Logistics (OSD [AT&L]), Director, Defense Research & Engineering (DDR&E) sponsored a workshop to bring together leading researchers and practitioners to identify opportunities for research focused on data quality, data analysis, and data use. During workshop discussion participants were asked to identify challenging areas that would address technology gaps and to discuss research ideas that would support future DoD policies and practices. The Software Engineering Institute formed three primary recommendations for areas of further research from the information produced at the workshop. These areas were integrating data from disparate sources, employing provenance analytics, and developing models, methods, and tools that support data quality by design. http://www.sei.cmu.edu/library/abstracts/reports/11sr004.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11sr004.cfmMon, 02 May 2011 18:39:00 +0000This report, the third volume in the Software Assurance Curriculum Project sponsored by the U.S. Department of Homeland Security, provides sample syllabi for the nine core courses in the Master of Software Assurance Reference Curriculum. http://www.sei.cmu.edu/library/abstracts/reports/11tr013.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr013.cfmFri, 01 Apr 2011 15:17:00 +0000Infosys Technologies Limited received the IEEE Computer Society/Software Engineering Institute Software Process Achievement (SPA) Award 2009 for establishing a cost-effective, sustained, and culturally integrated quality and productivity improvement program during a period of extraordinary corporate growth. http://www.sei.cmu.edu/library/abstracts/reports/11tr008.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr008.cfmTue, 22 Mar 2011 09:15:00 +0000The SCAMPI Method Definition Document describes the requirements, activities, and practices associated with each of the processes that compose the SCAMPI method. It is intended to be one of the elements of the infrastructure within which SCAMPI Lead Appraisers conduct a SCAMPI appraisal.http://www.sei.cmu.edu/library/abstracts/reports/11hb001.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11hb001.cfmFri, 18 Mar 2011 18:37:00 +0000Acquisition practices for the project level that help you get started with CMMI for Acquisition practices without using the whole model.http://www.sei.cmu.edu/library/abstracts/reports/11tr010.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/11tr010.cfmFri, 04 Mar 2011 13:19:00 +0000This report explores the interdependencies among common language, business goals, and soft-ware architecture as the basis for a common framework for conducting evaluations of software technical solutions. http://www.sei.cmu.edu/library/abstracts/reports/10sr025.cfmhttp://www.sei.cmu.edu/library/abstracts/reports/10sr025.cfmTue, 01 Mar 2011 16:57:07 +0000