The Latest Work from the SEI: Zero Trust, DevSecOps, and Software Resilience
As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recent publications from the SEI in the areas of zero trust, DevSecOps, safety-critical systems, software resilience, and cloud adoption. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.
Zero Trust Industry Day 2022: Areas of Future Research
by Matthew Nicolai, Trista Polaski, and Timothy Morrow
In August 2022, the SEI hosted Zero Trust Industry Day 2022 to enable industry stakeholders to share information about implementing zero trust (ZT). At the event, attendees focused on how federal agencies with limited resources can implement a zero-trust architecture (ZTA) that adheres to executive orders M-22-009 and M-21-31, both of which address federal cybersecurity measures.
During these discussions, participants identified ZT-related issues that could benefit from additional research. By focusing on these areas, organizations in government, academia, and industry can collaborate to develop solutions that streamline and accelerate ongoing ZTA transformation efforts. In this paper, we discuss some of these potential research areas.
Read the white paper.
Does Your DevSecOps Pipeline Only Function as Intended?
by Timothy Chick
Understanding and articulating cybersecurity risk is hard. With the adoption of DevSecOps tools and techniques and the increased coupling between the product being built and the tools used to build it, the attack surface of the product continues to grow by incorporating segments of the development environment. Thus, many enterprises are concerned that DevSecOps pipeline weaknesses can be abused to inject exploitable vulnerabilities into their products and services.
Using model-based systems engineering (MBSE), a DevSecOps model can be built that considers system assurance and enables organizations to design and execute a fully integrated DevSecOps strategy in which stakeholder needs are addressed with cybersecurity in all aspects of the DevSecOps pipeline. An assurance case can be used to show the adequacy of the model for both the pipeline and the embedded or distributed system. While builders of embedded and distributed systems want to achieve the flexibility and speed expected when applying DevSecOps, reference material and a repeatable, defensible process are needed to confirm that a given DevSecOps pipeline is implemented in a secure, safe, and sustainable way. In this webcast, Tim Chick discusses how a DevSecOps model can be built using MBSE.
View the webcast.
Program Managers—The DevSecOps Pipeline Can Provide Actionable Data
by Julie Cohen and Bill Nichols
This paper by Julie Cohen and Bill Nichols describes how the Software Engineering Institute’s Automated Continuous Estimation for a Pipeline of Pipelines (ACE/PoPs) research project can help program managers (PMs) leverage existing DevSecOps software development environments to automate data collection and integrate cost, schedule, and engineering performance. Using this information, PMs can track, forecast, and display program progress.
Read the white paper.
In this SEI Podcast, Sam Procter and Lutz Wrage discuss with Suzanne Miller the Guided Architecture Trade Space Explorer (GATSE), a new SEI-developed model-based tool to help with the design of safety-critical systems. The GATSE tool allows engineers to evaluate more design options in less time than they can now. This prototype language extension and software tool partially automates the process of model-based systems engineering so that systems engineers can rapidly explore combinations of different design options.
Listen to/view the SEI podcast.
Read Sam Procter’s blog post, which provides a technical explanation of the GATSE tool.
Industry Best Practices for Zero-Trust Architecture
by Matthew Nicolai, Nathaniel Richmond, Timothy Morrow
This paper describes best practices identified during the SEI’s Zero Trust Industry Day 2022 and provides ways to help organizations shift to zero trust (ZT). In this paper, the authors describe some of the ZT best practices identified during the two-day workshop and provide SEI commentary and analysis on ways for organizations to empower their ZT transformations.
The 2022 event provided a scenario for industry stakeholders to react to and demonstrate how they would address practical problems when a federal agency is adopting ZT. As a result, the SEI identified several themes and corresponding best practices presented by these stakeholders that help government organizations plan their ZT journey. Presenters at the event showcased various solutions that could address the many common challenges faced by federal agencies with limited resources and complex network architectures, as described in the scenario.
Their insights should also help all government organizations better understand the perspectives of various vendors and the ZT industry as a whole and how those perspectives fit into overall federal government efforts. We at the SEI are confident that the insights gained from SEI Zero Trust Industry Day 2022 will support organizations as they assess the current vendor landscape and prepare for their ZT transformation.
Read the SEI white paper.
The Acquisition Security Framework (ASF) is a collection of leading practices for building and operating secure and resilient software-reliant systems across the systems lifecycle. It enables programs to evaluate risks and gaps in their processes for acquiring, engineering, and deploying secure software-reliant systems and provides programs more insight and control over their supply chains. The ASF provides a roadmap for building security and resilience into a system rather than “bolting them on” after deployment. The framework is designed to help programs coordinate the management of engineering and supply-chain risks across the many components of a system, including hardware, network interfaces, software interfaces, and mission capabilities. ASF practices promote proactive dialogue across all program and supplier teams, helping to integrate communications channels and facilitate information sharing. The framework is consistent with cybersecurity engineering, supply-chain management, and risk-management guidance from the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and Department of Homeland Security (DHS). This report presents an overview of the ASF and its development status. It also includes a description of the practices that have been developed so far and outlines a plan for completing the ASF body of work.
Read the SEI technical note.
A Prototype Set of Cloud-Adoption Risk Factors
by Christopher J. Alberts
This report presents the results of a study that the SEI conducted to identify a prototype set of risk factors for the adoption of cloud technologies. These risk factors cover a broad range of potential problems that can affect a cloud initiative, including business strategy and processes, technology management and implementation, and organizational culture.
The publication of this report is an initial step in the development of cloud-adoption risk factors rather than the culmination of SEI work in this area. This report identifies a range of potential future development and transition tasks related to the Mission-Risk Diagnostic (MRD) for cloud adoption.
The SEI MRD method defines a time-efficient, mission-oriented approach for assessing risk in mission threads, business processes, and organizational initiatives.
Read the SEI white paper.
A Strategy for Component Product Lines: Report 1: Scoping, Objectives, and Rationale
by Sholom G. Cohen, John J. Hudak, John McGregor, Gabriel Moreno, Alfred Schenker
This is the first in a series of three reports describing the complete Component Product Line Strategy. It includes an adoption approach that contributes to achieving the enterprise vision and reusability. This report is supplemented by reports that cover modeling and governance for systematic reuse.
Today, components are designed and developed for integration into a specific weapon system. To achieve the objectives of the Modular Open Systems Approach, components need to be designed and developed to be integrated into multiple weapon systems. This first report defines a strategy for achieving multiple component product lines in support of military weapon systems. The report provides an overview of product lines from the acquirer’s side—how to specify product line capabilities, provide those component product line specification models (CPLSMs) to a community of suppliers, and create a marketplace of components.
Read the SEI special report.
Challenge-Development Guidelines for Cybersecurity Competitions
by Jarrett Booz, Leena Arora, Joseph Vessella, Matt Kaar, Dennis M. Allen, and Josh Hammerstein
Cybersecurity competitions provide a way for participants to learn and develop hands-on technical skills, and they serve to identify and reward talented cybersecurity practitioners. They also form part of a larger, multifaceted effort for ensuring that the nation has a highly skilled cybersecurity workforce to secure its critical infrastructure systems and to defend against cyberattacks. To help support these efforts of cultivating the skills of cybersecurity practitioners and of building a workforce to safeguard the nation, this paper draws on the Software Engineering Institute’s experience developing cybersecurity challenges for the President’s Cup Cybersecurity Competition and provides general-purpose guidelines and best practices for developing effective cybersecurity challenges.
Read the SEI technical report.