The Department of Defense (DoD) and other government agencies increasingly rely on software and networked software systems. As one of over 40 federally funded research and development centers sponsored by the United States government, Carnegie Mellon University's Software Engineering Institute (SEI) is working to help the government acquire, design, produce, and evolve software-reliant systems in an affordable and secure manner. The quality, safety, reliability, and security of software and the cyberspace it creates are major concerns for both embedded systems and enterprise systems employed for information processing tasks in health care, homeland security, intelligence, logistics, etc. Cybersecurity risks, a primary focus area of the SEI's CERT Division, regularly appear in news media and have resulted in policy action at the highest levels of the US government (See Report to the President: Immediate Opportunities for Strengthening the Nation's Cybersecurity).

This blog posting is the first in a series describing the SEI's five-year technical strategic plan, which aims to equip the government with the best combination of thinking, technology, and methods to address its software and cybersecurity challenges.

Software in Government and the SEI's Value Proposition

Software provides the DoD and other federal agencies significant flexibility in delivering advanced capabilities comparatively quickly by leveraging the enormous existing investments in the IT industry. The demand for these software-reliant advanced capabilities is growing rapidly. For example, in 2006 the F-35 Lighting II had 6,800 KLOC (thousands of line of code). According to a recent Crosstalk article that figure increased to 24,000 KLOC, much of it related to sensing, communications, and data processing.

Trends such as big data, the emergence of cloud computing, cyber-physical systems, the Internet of Things, information sharing in social networks, and autonomous robots have caused the role and importance of software and its security to expand significantly for the DoD and entire government. While incredible efficiencies can result from government adoption of commercial IT technologies, the associated risks and operational requirements are often sufficiently different to require the modification and enhancement of commercial off-the-shelf (COTS) technologies for government purposes.

The SEI works with members of government, academia, and industry to customize, develop, analyze and adapt software technologies and related methods for the measurable benefit of users. To act effectively in its role at the nexus of government, academia, and industry, the SEI maintains expertise in the following areas:

• software engineering
• systems engineering for software systems
• cybersecurity and software assurance
• computer science
• applied mathematics
• measurement of software systems
• lifecycle management of software systems

Starting in 2014 and building on earlier work, the SEI is pursuing two primary technical focus areas:

1. lifecycle assurance of software-reliant systems
2. high performance software components for the distributed collection, processing, analysis, and dissemination of data and information, even in challenging settings where computing and communications may be limited

The remainder of this post presents an overview of the technical focus areas of the SEI. Future posts in these series will take a deeper dive into each of these focus areas, highlighting research initiatives and accomplishments in each.

Lifecycle Assurance of Software-Reliant Systems

Software behaves differently than "physics-based" systems, such as engines, airframes, and ship hulls. Understanding its complexity and risks is hard, especially for large-scale systems-of-systems composed of many components of differing origins and pedigree. Our work in this area therefore focuses on enabling the government to obtain software-based "capabilities with confidence." Confidence is multi-faceted, encompassing cost and schedule, functionality, security, monitorability and other desirable properties including the -ilities (i.e., non-functional architectural features such as extensibility, flexibility, availability, and efficiency.) Confidence also encompasses the level of assurance that individuals with conventional levels of education and training are able to effectively and safely operate software-reliant systems.

To further the technical vision of capabilities with confidence, the SEI focuses on the assurance of two primary lifecycles:

• the acquisition lifecycle, which includes aspects of requirements engineering, acquisition strategy selection, project management, and success measures
• the software design, development, testing, and operational lifecycle, which is part of the acquisition lifecycle

Both lifecycles have evolved to favor incremental and iterative "agile" approaches. Less well developed are the procedures and tools to provide standardized evidence for assurance throughout these lifecycles, especially at the scale of mission-critical DoD systems. A primary technical strategy element for the SEI involves providing this type of assurance throughout system lifecycles by combining expertise in areas as diverse as cost estimation and malware analysis. To accomplish this, the SEI focuses on the following activities to support the DoD and other government sponsors:

• acquisition and management, including quantitative methods for cost and schedule estimation, requirements based on system and software architectural properties including security, earned value assessment of functionality and assurance in conjunction with iterative/incremental development, architectural recovery of legacy systems, sustainment and remediation, and acquisition workforce education
• software development, including software/system/network/protocol architecture, model-based engineering, code analysis (binary, source, and malicious), formal analysis and proofs, building assurance cases, performance analysis, software techniques for heterogeneous/novel hardware architectures, cross-domain security designs, and usable security
• operations, including operational risk assessment, performance monitoring, and anomaly detection, insider threats, forensic analysis, performance analysis/scalability, simulations and exercises, continuity of operations (COOP)/event response, best uses of human-computer analyses
• policy, including gap analysis, security and safety policies, technology transfer and assessment, compliance and validation, privacy considerations in data processing, leadership briefings and consultation

High Performance Software Components for the Distributed Collection, Processing, Analysis, and Dissemination of Data and Information

High performance software components refer to implemented collections of software functions that are known to perform efficiently, safely, and in a wide range of environments that are delivered with evidence indicating freedom from cybersecurity vulnerabilities. The DoD and other government agencies depend on many types of data that are amassed through a process known as TCPED--the tasking, collection, processing, exploitation and dissemination of (intelligence) data. Modern intelligence has grown far beyond the realm of closed government programs, however, and now includes commercial business intelligence, advertising, etc. Indeed, the current interest in big data, statistics and machine learning are modern instantiations of TCPED. It is well-established that software is the main driver for implementing modern analytics, advertising, scalable computing, and networks.

While commercial big data has received much attention, the DoD and other national security and emergency response organizations may need to use such capabilities in constrained environments that may lack power, communications, or other computing and communication resources. These challenges appear in the tactical setting (e.g., forward deployed operations or disaster scenarios). Many conventional commercial applications and computational frameworks perform poorly when applied in so-called disconnected, intermittent, and limited (DIL) communication environments. Bringing together assured, portable software components in support of modern TCPED in such environments is another major aspect of this SEI technical strategy element.

SEI researchers focus on the following activities to support the DoD and other government sponsors:

• frameworks including programming and computation frameworks for big data and analysis (e.g., map/reduce; Spark), application programming interface (API) security and ease of use, data storage architectures and security, performance monitoring tools
• networking protocols and architectures enabling the transport and access to data in tactical environments, protocol fuzzing, formal methods
• edge components, including applications and libraries focusing on analytic processing of mobile and tactical environments, disconnected operations, human factors (avoiding operator overload when in stressing circumstances)
• algorithms, including efficient portable graph algorithms, heterogenous high-performance computing, pattern matching, applied cryptography

Evaluation and Governance

SEI leadership works to ensure that its projects produce artifacts that are (or will ultimately be) useful to the government and do not require unknown leaps of faith. An emphasis on transitionability for research projects is accomplished by providing guidance and feedback to principal investigators (PIs) regarding stated government problems, industry trends, and potential collaborators. When PIs propose projects each year, SEI leaders ask them to indicate how their projects align to the SEI's technical focus areas and to show consistency with the expressed R&D needs of the government. For example, the DoD has initiated an effort to communicate its R&D needs and activities in a set of 'hard problems' which are being addressed by 17 technical "Communities of Interest" (COI), comprising the collective effort known as Reliance 21. In addition, PIs are asked to discuss the scientifically valid methods they intend to use in demonstrating results and the degree to which they will collaborate with others.

In addition to its internal research review processes, the SEI has external governance from both its DoD sponsors and CMU's leadership. Annually, the SEI presents its strategic technical direction and project plans to the SEI's DoD-managed Technical Advisory Group (TAG) and Joint Advisory Committee Executive Group (JAC-EG) that report to our DoD government sponsors at the Assistant Secretary of Defense for Research and Engineering (ASD(R&E)). Likewise, SEI leaders regularly present the SEI's status, including its R&D activities, to the SEI's Board of Visitors, which reports to the vice-president of research at CMU.

Wrapping Up and Looking Ahead

The SEI's technical efforts produce artifacts including component software technologies, methods, analyses, tools and prototype systems. In addition, the SEI helps to adapt and mature the technical work of others (e.g., government basic research organizations, such as the National Science Foundation and DARPA) for broader application. Our goal is to produce measurable improvements in the security and performance of software-reliant systems through improved practices in software engineering and cybersecurity.

The SEI brings the best combination of thinking, technology and methods to the most deserving government software-related problem sets, free from conflict-of-interest. As part of CMU, the SEI has access to facilities and research talent including professors, students, and staff members. Our FFRDC status and DoD affiliation grants our technologists access to government data and knowledge of national challenges unusual for most university R&D labs.

Future posts in this series will highlight current and forthcoming initiatives in each of our technical areas that are helping to support the DoD and other federal agencies. We welcome your feedback on the technical strategic plan and vision for the SEI. Please leave feedback in the comments section below.

Additional Resources

Download the latest technical notes, papers, publications, and presentations from SEI researchers at our digital library https://resources.sei.cmu.edu/library/.