As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recent publications from the SEI in the areas of coordinated vulnerability disclosure, zero trust, CSIRTS, artificial intelligence, deepfakes, and digital engineering. These publications highlight the latest work of SEI technologists in these areas.

In case you missed it in our earlier post, we are also including a link to our 2021 SEI Year in Review, which highlights our work in artificial intelligence, cybersecurity, and software engineering undertaken during the 2021 fiscal year.

This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.

SEI Year in Review

Always focused on the future, the Software Engineering Institute (SEI) advances software as a strategic advantage for national security. We lead research and direct transition of software engineering, cybersecurity, and artificial intelligence technologies at the intersection of academia, industry, and government. We serve the nation as a federally funded research and development center (FFRDC) sponsored by the U.S. Department of Defense (DoD) and are based at Carnegie Mellon University, a global research university annually rated among the best for its programs in computer science and engineering.

The 2021 SEI Year in Review highlights the work of the institute undertaken during the fiscal year spanning October 1, 2020, to September 30, 2021.
Read or download the SEI Year in Review.

Coordinated Vulnerability Disclosure User Stories
by Brad Runyon, Eric Hatleback, Allen D. Householder, Art Manion, Vijay Sarvapalli, Timur D. Snoke, Jonathan Spring, Laurie Tyzenhaus, Charles G. Yarbrough

This white paper documents the various user stories that the CERT Coordination Center team could imagine. The user stories are expected to be utilized by the reader to better understand, create, and implement a coordinated vulnerability disclosure protocol. In addition, the CERT/CC believes these use cases are suitable for any enterprise designing or implementing its own CVD policies, processes, and procedures.
Read the white paper.

The 4 Phases of the Zero Trust Journey
by Timothy Morrow and Matthew Nicolai

Over the past several years, zero trust architecture has emerged as an important topic within the field of cybersecurity. Heightened federal requirements and pandemic-related challenges have accelerated the timeline for zero trust adoption within the federal sector. Private sector organizations are also looking to adopt zero trust to bring their technical infrastructure and processes in line with cybersecurity best practices. Real-world preparation for zero trust, however, has not caught up with existing cybersecurity frameworks and literature. NIST standards have defined the desired outcomes for zero trust transformation, but the implementation process is still relatively undefined. As the nation’s first federally funded research and development center with a clear emphasis on cybersecurity, the SEI is uniquely positioned to bridge the gap between NIST standards and real-world implementation. In this SEI podcast, Tim Morrow and Matthew Nicolai, researchers with the SEI’s CERT Division outline four steps that organizations can take to implement and maintain a zero trust architecture.
Download/view the podcast.

Enabling the Sustainability and Success of a National Computer Security Incident Response Team
by Tracy Bills, Brittany Manley, and James Lord

A national computer security incident response team (CSIRT)[HAB1] serves a unique role in protecting and defending its country or economy from cybersecurity incidents that can have an impact on national or economic security and public safety. It serves as a center of technical capability for the prevention, detection, and response coordination of cybersecurity incidents.

Over the past thirty years, more than 130 national CSIRTs have been established. Also, during this time, organizations have produced various documents and resources that address best practices for creating and managing CSIRTs, including national CSIRTs. However, because of differences in culture, economics, and government structure, the organization and responsibilities of national CSIRTs vary among countries and economies. Such differences include how many national CSIRTs serve a country, where they are located, who their constituencies are, and the nature of their services and responsibilities. With so many variables, how is it possible to ensure the sustainability and success of a national CSIRT?

This document can be used in conjunction with existing resource materials to help prioritize efforts for developing or enhancing a national CSIRT.
Download the handbook.

What are Deepfakes, and How Can We Detect Them?
by Shannon Gallagher and Dominic Ross

In this webcast, Shannon Gallagher and Dominic Ross discuss what deepfakes are, and how they are building AI/ML tech to distinguish real from fake. They will start with some well-known examples of deepfakes and discuss what makes them distinguishable as fake for people and computers.

The webcast will cover

• the definition of deepfake
• fooling computers versus fooling people
• how digital fingerprints are used in detection algorithms
• challenges in the field

View the webcast.
Download/view a podcast on deepfakes.

Trust and AI Systems
by Carol Smith and Dustin Updyke

To ensure trust, artificial intelligence systems need to be built with fairness, accountability, and transparency at each step of the development cycle. In this podcast, Carol Smith, a senior research scientist in human machine interaction, and Dustin Updyke, a senior cybersecurity engineer in the SEI’s CERT Division, discuss the construction of trustworthy AI systems and factors influencing human trust of AI systems.
Download/view the podcast.

Challenges and Metrics in Digital Engineering
by William Nichols

Digital engineering uses digital tools and representations in the process of developing, sustaining, and maintaining systems, including requirements, design, analysis, implementation, and test. The digital modeling approach is intended to establish an authoritative source of truth for the system, in which discipline-specific views of the system are created using the same model elements. In this SEI Podcast, William “Bill” Nichols, a senior member of the technical staff with the SEI’s Software Solutions Division, discusses with principal researcher Suzanne Miller the challenges in making the transition from traditional development practices to digital engineering.
Download/view the podcast.