
SEI Blog

The Latest Research in Software Engineering, Cybersecurity, and AI Engineering

Latest Posts

Verifying Timing in Undocumented Multicore Processors

Bjorn Andersson

Many Department of Defense (DoD) systems rely on multicore processors, computers with many processor cores running programs simultaneously. These processors share resources and perform complex operations that depend on accurate timing and sequencing. Timing is crucial to ensure proper and safe operation of the overall system. Verifying multicore-processor timing can be hard, however, due to a lack of documentation for key details, such as processor resource sharing. The inability to verify timing is an obstacle for using...


3 Metrics to Incentivize the Right Behavior in Agile Development

Pat Place

Will Hayes co-authored this blog post. The use of incentives to elicit certain behaviors in agile software development can often result in unintended consequences. One trap that we have seen project managers fall into is introducing metrics simply because they are familiar. As we stated in our first post in this series, there are many examples where an incentive to solve a problem creates an unintended, undesirable behavior. Software project managers must instead consider the...


Don't Incentivize the Wrong Behaviors in Agile Development

Pat Place

Will Hayes coauthored this blog post. All too often, organizations collect certain metrics just because those are the metrics that they've always collected. Ordinarily, if an organization finds the metrics useful, there is no issue. Indeed, the SEI has long advocated the use of metrics to support the business goals of the organization. However, consider an organization that has changed from waterfall to Agile development; all metrics related to development must be reconsidered to determine...


Situational Awareness for Cybersecurity Architecture: 5 Recommendations

Phil Groce

In this post on situational awareness for cybersecurity, we present five recommendations for the practice of architecture in the service of cybersecurity situational awareness (SA). Cybersecurity architecture is fundamentally an economic exercise. Economics is the practice of allocating finite resources to meet requirements. The goal of a cybersecurity SA architecture is to deploy your finite resources, such as equipment, staffing, and time, to enforce your organization's cybersecurity policies and controls. The endpoints on your network...


Addressing Open Architecture in Software Cost Estimation

Michael Gagliardi

Michael Konrad and Douglas C. Schmidt contributed to this blog post. Identifying, estimating, and containing the cost of software is critical to the effective deployment of government systems. Cost estimation has been cited by the Government Accountability Office (GAO) as one of the primary reasons for DoD programs' cost overruns. Planners typically estimate costs via modeling and simulation tools, such as the Constructive Cost Model (COCOMO II). While COCOMO II is primarily used to estimate...


Detecting Mismatches in Machine-Learning Systems

Grace Lewis

The use of machine learning (ML) could improve many business functions and meet many needs for organizations. For example, ML capabilities can be used to suggest products to users based on purchase history; provide image recognition for video surveillance; identify spam email messages; and predict courses of action, routes, or diseases, among others. However, in most organizations today (with the exception of large high-tech companies, such as Google and Microsoft), development of ML capabilities is...


Beyond NIST SP 800-171: 20 Additional Practices in CMMC

Andrew Hoover

Katie Stewart co-authored this blog post. In November, defense contractors will be required to meet new security practices outlined in the Cybersecurity Maturity Model Certification (CMMC). As this post details, while the primary source of security practices in the CMMC is NIST Special Publication 800-171, the CMMC also includes 20 additional practices beyond 800-171 at levels 1-3. These 20 practices are intended to make DoD contractors more security conscious. Supply chain attacks are increasing at...


KalKi: Solution for High Assurance Software-Defined IoT Security

Sebastian Echeverria

Commercial Internet of Things (IoT) devices are evolving rapidly, providing new and potentially useful capabilities. These devices can be a valuable source of data for improved decision making, so organizations that want to remain competitive have powerful motivations to embrace them. However, given the increasing number of IoT vulnerability reports, there is a pressing need for organizations to integrate IoT devices with high assurance, especially for systems with high security and safety requirements. In this...
