The Latest Work from the SEI: The SEI Year in Review, Explainable AI, and Digital Engineering Effectiveness
PUBLISHED IN
Software Engineering Research and Development
As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recent publications from the SEI in the areas of explainable artificial intelligence, cyber risk and resilience management, digital engineering effectiveness, and tailoring DoD RFPs to include modeling. These publications highlight the latest work of SEI technologists in these areas.
We have also included links to our 2021 SEI Year in Review, which highlights our work in artificial intelligence, cybersecurity, and software engineering undertaken during the 2021 fiscal year.
This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.
Always focused on the future, the Software Engineering Institute (SEI) advances software as a strategic advantage for national security. We lead research and direct transition of software engineering, cybersecurity, and artificial intelligence technologies at the intersection of academia, industry, and government. We serve the nation as a federally funded research and development center (FFRDC) sponsored by the U.S. Department of Defense (DoD) and are based at Carnegie Mellon University, a global research university annually rated among the best for its programs in computer science and engineering.
The 2021 SEI Year in Review highlights the work of the institute undertaken during the fiscal year spanning October 1, 2020, to September 30, 2021.
Read or download the SEI Year in Review.
Explainable AI Explained
by Violet Turri
As the field of artificial intelligence (AI) has matured, increasingly complex opaque models have been developed and deployed to solve hard problems. Unlike many predecessor models, these models, by the nature of their architecture, are harder to understand and oversee. When such models fail or do not behave as expected or hoped, it can be hard for developers and end-users to pinpoint why or determine methods for addressing the problem. Explainable AI (XAI) meets the emerging demands of AI engineering by providing insight into the inner workings of these opaque models. In this SEI Podcast, Violet Turri and Rachel Dzombak discuss explainable AI, which encompasses all the techniques that make the decision-making processes of AI systems understandable to humans.
Listen to the podcast.
Read Violet Turri’s SEI Blog post, which provides an introduction to the current state of XAI, including the strengths and weaknesses of this practice.
Experiences with Deploying Mothra in Amazon Web Services (AWS)
by Brad Powell, Daniel Ruef, and John Stogoski
The Mothra large-scale data processing platform can be deployed in the AWS GovCloud environment. The SEI evaluation of this deployment shows that it meets (and even exceeds) the operating requirements of the on-premises Mothra deployment. This report describes (1) how an SEI team developed an at-scale prototype of the on-premises system to test the performance of Mothra in the cloud and (2) the approaches the team recommends for similar deployments.
Download the SEI technical report.
An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems
by Jonathan Spring
Vulnerability management strategy, from both organizational and public policy perspectives, hinges on an understanding of the supply of undiscovered vulnerabilities. If the number of undiscovered vulnerabilities is small enough, then a reasonable investment strategy would be to focus on finding and removing the remaining undiscovered vulnerabilities. If the number of undiscovered vulnerabilities is and will continue to be large, then a better investment strategy would be to focus on quick patch dissemination and engineering resilient systems. This paper examines a paradigm, namely that the number of undiscovered vulnerabilities is manageably small, through the lens of mathematical concepts from the theory of computing. From this perspective, we find little support for the paradigm of limited undiscovered vulnerabilities. We then briefly support the notion that these theory-based conclusions are relevant to practical computers in use today. We find no reason to believe undiscovered vulnerabilities are not essentially unlimited in practice, and we examine the possible economic impacts should this indeed be the case. Based on our analysis, we recommend that vulnerability management strategy adopt an approach favoring quick patch dissemination and engineering resilient systems, while continuing good software engineering practices to reduce (but never eliminate) vulnerabilities in information systems.
Read the white paper.
Listen to an SEI podcast where Jonathan Spring discusses the findings outlined in his paper.
Digital Engineering Effectiveness
by Alfred Schenker, Tyler Smith (Adventium Labs, Inc.), William Richard Nichols
The 2018 release of the DoD’s Digital Engineering (DE) strategy and the success of applying DE methods in the mechanical and electrical engineering domains motivate application of DE methods in other product development workflows, such as systems and/or software engineering. The expected benefits of this are improved communication and traceability with reduced rework and risk. Organizations have demonstrated advantages of DE methods many times over by using model-based design and analysis methods, such as Finite Element Analysis (FEA) or SPICE (Simulation Program with Integrated Circuit Emphasis), to conduct detailed evaluations earlier in the process (i.e., shifting left). However, other domains such as embedded computing resources for cyber physical systems (CPS) have not yet effectively demonstrated how to incorporate relevant DE methods into their development workflows. Although there is broad support for SysML and there has been significant advancement in specific tools (e.g., MathWorks, ANSYS, and Dassault tool offerings) and standards like Modelica and AADL, the DE benefits to CPS engineering have not been broadly realized. In this paper, we will explore why CPS developers have been slow to embrace DE, how DE methods should be tailored to achieve their stakeholders’ goals, and how to measure the effectiveness of DE-enabled workflows.
Read the white paper.
Guidance for Tailoring DoD Request for Proposals (RFPs) to Include Modeling
by Julie B. Cohen, Tom Merendino, and Robert Wojcik
With the advent of digital engineering and the Department of Defense (DoD) Digital Engineering strategy, programs are attempting to include digital engineering as part of their acquisition strategy. Realizing the desired benefits of digital engineering requires program offices to consider how to best acquire the models and artifacts necessary to gain the advantages of a robust digital engineering program. This report provides guidance for government program offices that are including digital engineering/modeling requirements into a request for proposal (RFP). Since RFPs can be released at many different program phases and because every program is different, the information in this report is meant to stimulate thought on the part of the program office into different areas to consider. The report provides overall guidance and more specific guidance regarding statements of work, deliverables, and Sections L and M of a request for proposal. Sample language included in this report is provided as exemplars and is not intended to be copied verbatim. We encourage program managers to use this report as a resource when partnering with contracting officers.
Download the SEI special report.
Predictable Use of Multicore in the Army and Beyond
by Bjorn Andersson, Dionisio de Niz, and William Vance of the U.S. Army Combat Capabilities Development Command Aviation & Missile Center
Complex, cyber-physical DoD systems, such as aircraft, depend on correct timing to properly and reliably execute crucial sensing, computing, and actuation functions. In this webcast, SEI staff members Bjorn Andersson and Dionisio de Niz and William Vance of the U.S. Army Combat Capabilities Development Command Aviation & Missile Center discuss using real-time software on multicore processors. Specifically, they review the challenges that DoD and civilian systems face and the proven solutions that are available.
Additional Resources
View the latest SEI research in the SEI Digital Library.
View the latest installments in the SEI Podcast Series.
View the latest installments in the SEI Webinar Series.