icon-carat-right menu search cmu-wordmark
Carnegie Mellon University

SEI Releases Security Engineering Framework

SEI Releases Security Engineering Framework
Article

December 17, 2024—The role of software within business- and mission-critical systems is growing, and so is the need to control the system security and resilience risks created by software components. The Software Engineering Institute (SEI) has released the Security Engineering Framework (SEF), a detailed schema of software-focused engineering practices that acquisition programs can use to manage security and resilience risks across the lifecycle of software-reliant systems.

Failing to account for the unique aspects of software assurance within a system’s development can endanger the success of the system. “A lot of acquisition programs and their contractors do a good job of engineering security and resilience at the system level, but many software security and resilience practices are not as well integrated into that process,” said Christopher Alberts, an SEI principal cybersecurity analyst and the framework’s lead author. “The Security Engineering Framework looks to bring aspects of software security engineering to the systems security engineering perspective.”

The SEF organizes its guidance into a hierarchy of domains, goals, and practices. The framework is a deep dive into the Engineering Lifecycle domain of the SEI’s Acquisition Security Framework (ASF), released early this year. The SEF tailors the ASF’s domain goals, modifies and adds practices, and provides summaries, context, competencies, and other guidance. “SEF practices help ensure that engineering processes, software, and tools are secure and resilient, reducing the risk that attackers will disrupt program and system information and assets,” according to the SEF.

Though Alberts and his colleagues created the SEF for adoption by Department of Defense programs and other federal agencies, it is also applicable to commercial enterprises and their contractors. “Acquisition programs can use the SEF to assess their current security/resilience engineering practices and chart a course for improvement, ultimately reducing security/resilience risks in deployed software-reliant systems,” the SEF states.

Download Security Engineering Framework (SEF): Managing Security and Resilience Risks Across the Systems Lifecycle and its quick-start guide from the SEI Digital Library, where you can also learn more about the ASF.

SHARE
Previous AI Red-Teaming Workshop Will Explore Best Practices

AI Red-Teaming Workshop Will Explore Best Practices
Next Portend Toolset Creates Guardrails for Machine Learning Data Drift

Portend Toolset Creates Guardrails for Machine Learning Data Drift