As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in resilience, metrics, sustainment, and software assurance. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.

A Proven Method for Meeting Export Control Objectives in Postal and Shipping Sectors
By Greg Crabb, Julia H. Allen, Pamela D. Curtis, Nader Mehravari

On a weekly basis, the U.S. Postal Service (USPS) processes over one million packages destined to overseas locations. All international shipments being sent from the United States are subject to federal export laws. The USPS has extensive export compliance policies and screening procedures to ensure that customers comply with federal export laws.

Compliance policies and screening procedures are expensive and time consuming and can negatively affect the efficiency of international mail delivery services. The U.S. Postal Inspection Service (USPIS) has defined, developed, and successfully implemented an innovative approach for export screening that has drastically improved its efficiency, effectiveness, and accuracy. Having benefited from using concepts of operational resilience management to improve the security and resilience of USPS products and services, the USPIS team conducted its new export screening project using a structured and repeatable approach based on the CERT Resilience Management Model (CERT-RMM) developed by the SEI.

This report describes how CERT-RMM enabled the USPIS to implement an innovative approach for achieving complex international mail export control objectives. The authors also discuss how this USPIS application of CERT-RMM might be equally applicable to other shipping and transportation sectors that are tasked with meeting export control objectives.
Download a PDF of the Report.

Measuring What Matters Workshop Report
By Katie C. Stewart, Julia H. Allen, Michelle A. Valdez, Lisa R. Young

This report describes the inaugural Measuring What Matters Workshop conducted in November 2014 and the team's experiences in planning and executing the workshop and identifying improvements for future offerings. The Measuring What Matters Workshop introduces the Goal-Question-Indicator-Metric (GQIM) approach that enables users to derive meaningful metrics for managing cybersecurity risks from strategic and business objectives. This approach helps ensure that organizational leaders have better information to make decisions, take action, and change behaviors.
Download a PDF of the Report.

A Dynamic Model of Sustainment Investment
By Sarah Sheard, Robert Ferguson, Andrew P. Moore, Mike Phillips
This paper describes a dynamic sustainment model that shows how budgeting, allocation of resources, mission performance, and strategic planning are interrelated and how they affect each other over time. Each of these processes is owned by a different stakeholder, so a decision made by one stakeholder might affect performance in a different organization. Worse, delaying a decision to fund some work might result in much longer delays and much greater costs to several of the organizations.
The SEI developed and calibrated a systems dynamic model that shows interactions of various stakeholders over time and the results of four realistic scenarios. The current model has been calibrated with data from the F/A-18 and EA-18G Advanced Weapons Lab (AWL) at China Lake, CA.
The model makes it possible for a decision maker to study different decision scenarios and interpret the likely effects on other stakeholders in acquisition. In a scenario where sustainment infrastructure investment is shortchanged over a period of time, the tipping point phenomenon is shown in the results of the calibrated model.
Download a PDF of the Report.

Predicting Software Assurance Using Quality and Reliability Measures
By Carol Woody, Robert J. Ellison, William Nichols
Security vulnerabilities are defects that enable an external party to compromise a system. Our research indicates that improving software quality by reducing the number of errors also reduces the number of vulnerabilities and hence improves software security. Some portion of security vulnerabilities (maybe over half of them) are also quality defects. This report includes security analysis based on data the Software Engineering Institute (SEI) has collected over many years for 100 software development projects. Can quality defect models that predict quality results be applied to security to predict security results? Simple defect models focus on an enumeration of development errors after they have occurred and do not relate directly to operational security vulnerabilities, except when the cause is quality related. This report discusses how a combination of software development and quality techniques can improve software security.
Download a PDF of the Report.

Additional Resources
For the latest SEI technical reports and notes, please visit https://resources.sei.cmu.edu/library/.