Reports & Papers

Below is a list of the 20 most recent SEI reports in the library in descending order by publication date.

Spotlight On: Malicious Insiders and Organized Crime Activity
(January 2012) This report defines malicious insiders and organized crime and provides a snapshot of who malicious insiders are, what and how they strike, and why. (CMU/SEI-2012-TN-001)

Interoperability in the e-Government Context
(January 2012) This report describes a proposed model through which to understand interoperability in the e-government context. (CMU/SEI-2011-TN-014)

Best Practices for Artifact Versioning in Service-Oriented Systems
(January 2012) This report describes some of the challenges of software versioning in an SOA environment and provides guidance on how to meet these challenges by following industry guidelines and recommended practices. (CMU/SEI-2011-TN-009)

An Investigation of Techniques for Detecting Data Anomalies in Earned Value Management Data
(December 2011) This research demonstrated the effectiveness of various statistical techniques for discovering quantitative data anomalies. (CMU/SEI-2011-TR-027)

Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE)
(December 2011) The method of quantifying uncertainty described in this report synthesizes scenario building, Bayesian Belief Network (BBN) modeling and Monte Carlo simulation into an estimation method that quantifies uncertainties, allows subjective inputs, visually depicts influential relationships among program change drivers and outputs, and assists with the explicit description and documentation underlying an estimate. (CMU/SEI-2011-TR-026)

Using Defined Processes as a Context for Resilience Measures
(December 2011) This technical note, which builds on two previous reports, describes how implementation-level processes can provide the necessary context for identifying and defining measures of operational resilience. (CMU/SEI-2011-TN-029)

Standards-Based Automated Remediation: A Remediation Manager Reference Implementation, 2011 Update
(December 2011) This report describes the Software Engineering Institute’s (SEI’s) 2011 work for the National Security Agency (NSA) to develop standards for automated remediation of vulnerabilities and compliance issues on Department of Defense (DoD) networked systems. (CMU/SEI-2011-SR-016)

Agile Methods: Selected DoD Management and Acquisition Concerns
(October 2011) This technical note addresses some of the key issues that either must be understood to ease the adoption of Agile or are seen as potential barriers to adoption of Agile in the DoD acquisition context. (CMU/SEI-2011-TN-002)

Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination
(October 2011) This technical note presents an insider threat pattern on how organizations can combat insider theft of intellectual property. The technical note describes how to use the centralized log storage and indexing engine Splunk to detect malicious insider behavior on a network. (CMU/SEI-2011-TN-024)

An Acquisition Perspective on Product Evaluation
(October 2011) This technical note focuses on software acquisition and development practices related to the evaluation of products before, during, and after implementation. From engagements with numerous DoD acquisition programs, it has been observed that a number of recurring issues reduce the effectiveness of how software-reliant products are evaluated. An acquisition effort consists of identifying the customer’s needs, selecting or developing a product that is responsive to those needs, and then evaluating the product to determine if it properly addresses the identified needs. This technical note describes the Product Evaluation (verification, validation, and certification) process including test, reviews, and formal methods. It also makes the argument that Product Evaluation should not be deferred until after a product has been built, but should begin as soon as the customer’s needs have been identified and should continue throughout the acquisition effort. (CMU/SEI-2011-TN-007)

2010 CERT Research Report
(September 2011) The CERT Research Report highlights our accomplishments and activities in successfully executing our research strategy. (CMU/SEI-2020-10--ce)

Smart Grid Maturity Model, Version 1.2: Model Definition
(September 2011) The Smart Grid Maturity Model (SGMM) is a business tool stewarded by the Software Engineering Institute at Carnegie Mellon University. It was originally developed by electric power utilities for use by electric power utilities. The model provides a framework for understanding the current extent of smart grid deployment and capability within an electric utility, a context for establishing strategic objectives and implementation plans in support of grid modernization, and a means to evaluate progress over time toward those objectives. The SGMM is composed of eight domains and six maturity levels as detailed in this document, which contains the full definition and description of the model. Introductory material to aid in understanding the purpose and use of the SGMM is also provided. The primary audiences for the SGMM, and for this document, are electric power utilities that are seeking guidance related to the modernization of their operations and practices for delivering electricity. The audience also includes any related stakeholders for such utilities. Currently, the model is better suited for utilities with transmission and distribution operations than for pure generation utilities. (CMU/SEI-2011-TR-025)

Understanding and Leveraging a Supplier’s CMMI Efforts: A Guidebook for Acquirers (Revised for V1.3)
(September 2011) This guidebook helps acquisition organizations formulate questions for their suppliers related to CMMI. It also helps organizations interpret responses to identify and evaluate risks for a given supplier. (CMU/SEI-2011-TR-023)

Software Assurance Curriculum Project Volume IV: Community College Education
(September 2011) The fourth volume in the Software Assurance Curriculum Project led by a team at the Software Engineering Institute, this report focuses on community college courses for software assurance. (CMU/SEI-2011-TR-017)

Proceedings of the Fourth International Workshop on a Research Agenda for Maintenance and Evolution of Service-Oriented Systems (MESOA 2010)
(September 2011) This report summarizes the proceedings from the 2010 MESOA workshop and includes the accepted papers that were the basis for the presentations given during the workshop. (CMU/SEI-2011-SR-008)

Architecting Service-Oriented Systems
(August 2011) This report presents guidelines for architecting service-oriented systems and the effect of architectural principles on system quality attributes. (CMU/SEI-2011-TN-008)

Measures for Managing Operational Resilience
(July 2011) In this report, Resilient Enterprise Management (REM) team members suggest a set of top ten strategic measures for managing operational resilience. These measures derive from high-level objectives of the ORM system defined in the CERT® Resilience Management Model, Version 1.1 (CERT®-RMM). (CMU/SEI-2011-TR-019)

Standards-Based Automated Remediation: A Remediation Manager Reference Implementation
(July 2011) This report describes the Software Engineering Institute's 2010 work to develop standards for vulnerability and compliance remediation on Department of Defense networked systems. (CMU/SEI-2011-SR-007)

A Decision Framework for Selecting Licensing Rights for Noncommercial Computer Software in the DoD Environment
(July 2011) This report describes standard noncommercial software licensing alternatives as defined by U.S. government and Department of Defense (DoD) regulations. It also suggests an approach for objectively identifying agency needs for license rights and the appropriate license type for systems with noncommercial computer software or as standalone software in the DoD environment. (CMU/SEI-2011-TR-014)

A Preliminary Model of Insider Theft of Intellectual Property
(June 2011) This report presents research about insider theft of intellectual property. (CMU/SEI-2011-TN-013)

Trusted Computing in Embedded Systems Workshop
(April 2011) This report describes the November 2010 Trusted Computing in Embedded Systems Workshop held at Carnegie Mellon University. (CMU/SEI-2011-SR-002)

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0
(April 2011) This document, first in the Best Practices for National Cyber Security series, provides information that interested organizations and governments can use to develop a national incident management capability. (CMU/SEI-2011-TR-015)

Appraisal Requirements for CMMI Version 1.3 (ARC, V1.3)
(April 2011) The Appraisal Requirements for CMMI, Version 1.3 (ARC, V1.3), defines the requirements for appraisal methods intended for use with Capability Maturity Model Integration (CMMI) and with the People CMM. (CMU/SEI-2011-TR-006)

Issues and Opportunities for Improving the Quality and Use of Data in the Department of Defense
(March 2011) The Office of the Secretary of Defense for Acquisition, Technology, and Logistics (OSD [AT&L]), Director, Defense Research & Engineering (DDR&E) sponsored a workshop to bring together leading researchers and practitioners to identify opportunities for research focused on data quality, data analysis, and data use. During workshop discussion participants were asked to identify challenging areas that would address technology gaps and to discuss research ideas that would support future DoD policies and practices. The Software Engineering Institute formed three primary recommendations for areas of further research from the information produced at the workshop. These areas were integrating data from disparate sources, employing provenance analytics, and developing models, methods, and tools that support data quality by design. (CMU/SEI-2011-SR-004)

Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi
(March 2011) This report, the third volume in the Software Assurance Curriculum Project sponsored by the U.S. Department of Homeland Security, provides sample syllabi for the nine core courses in the Master of Software Assurance Reference Curriculum. (CMU/SEI-2011-TR-013)

IEEE Computer Society/Software Engineering Institute Software Process Achievement (SPA) Award 2009
(March 2011) Infosys Technologies Limited received the IEEE Computer Society/Software Engineering Institute Software Process Achievement (SPA) Award 2009 for establishing a cost-effective, sustained, and culturally integrated quality and productivity improvement program during a period of extraordinary corporate growth. (CMU/SEI-2011-TR-008)

Standard CMMI Appraisal Method for Process Improvement (SCAMPI) A, Version 1.3: Method Definition Document
(March 2011) The SCAMPI Method Definition Document describes the requirements, activities, and practices associated with each of the processes that compose the SCAMPI method. It is intended to be one of the elements of the infrastructure within which SCAMPI Lead Appraisers conduct a SCAMPI appraisal. (CMU/SEI-2011-HB-001)

CMMI for Acquisition (CMMI-ACQ) Primer, Version 1.3
(March 2011) Acquisition practices for the project level that help you get started with CMMI for Acquisition practices without using the whole model. (CMU/SEI-2011-TR-010)

A Framework for Evaluating Common Operating Environments: Piloting, Lessons Learned, and Opportunities
(February 2011) This report explores the interdependencies among common language, business goals, and software architecture as the basis for a common framework for conducting evaluations of software technical solutions. (CMU/SEI-2010-SR-025)

Function Extraction (FX) Research for Computation of Software Behavior: 2010 Development and Application of Semantic Reduction Theorems for Behavior Analysis
(February 2011) The Carnegie Mellon Software Engineering Institute (SEI) has been engaged in a project to compute the behavior of software with mathematical precision to the maximum extent possible. Air Force Office of Scientific Research (AFOSR) sponsorship has played a key role in this effort. The findings of this research have been implemented in a system for malware analysis and have improved capabilities for behavior computation in other applications. (CMU/SEI-2011-TR-009)

Results of SEI Independent Research and Development Projects (FY 2010)
(February 2011) This report describes results of independent research and development (IRAD) projects undertaken in fiscal year 2010. (CMU/SEI-2011-TR-002)

An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases
(February 2011) This report provides an overview of techniques employed by malicious insiders to steal intellectual property, including the types of assets targeted and the methods used to remove the information from a victim organization’s control. The report closes with a brief discussion of mitigating factors and strategic items that an organization should consider when defending against insider attacks on intellectual property. (CMU/SEI-2011-TN-006)

Integrating the Master of Software Assurance Reference Curriculum into the Model Curriculum and Guidelines for Graduate Degree Programs in Information Systems
(February 2011) This report examines how the recommendations of the Master of Software Assurance Reference Curriculum might be integrated into the model curriculum recommendations for a Master of Science in Information Systems (MSIS). (CMU/SEI-2011-TN-004)

Network Monitoring for Web-Based Threats
(February 2011) This report models the approach a focused attacker would take in order to breach an organization through web-based protocols and provides detection or prevention methods to counter that approach. (CMU/SEI-2011-TR-005)

Performance Analysis of WS-Security Mechanisms in SOAP-Based Web Services
(January 2011) Hardware-based trusted computing platforms are intended to overcome many of the problems of trust that are prominent in computing systems. In this paper, a result of the Software Engineering Institute's Independent Research and Development Project "Trusted Computing in Extreme Adversarial Environments: Using Trusted Hardware as a Foundation for Cyber Security," we discuss the capabilities and limitations of the Trusted Platform Module (TPM). (CMU/SEI-2010-TR-023)

Trust and Trusted Computing Platforms
(January 2011) This technical note examines the Trusted Platform Module, which arose from work related to the Independent Research and Development project "Trusted Computing in Extreme Adversarial Environments: Using Trusted Hardware as a Foundation for Cyber Security." (CMU/SEI-2011-TN-005)

Deriving Candidate Technical Controls and Indicators of Insider Attack from Socio-Technical Models and Data
(January 2011) This paper seeks to demonstrate how a useful method for extracting technical information from previous insider crimes and mapping it to previous modeling work can create informed candidate technical controls and indicators. (CMU/SEI-2011-TN-003)

Software Supply Chain Risk Management: From Products to Systems of Systems
(January 2011) Taking a systems perspective on software supply chain risks, this report considers current practices in software supply chain analysis and suggests some foundational practices. This report suggests contractor and acquirer activities that support the management of supply chain risks. (CMU/SEI-2010-TN-026)

Guide for SCAMPI Appraisals: Accelerated Improvement Method (AIM)
(December 2010) This document provides guidance to lead appraisers and appraisal teams unfamiliar with TSP+ when conducting Standard CMMI Appraisal Method for Process Improvement (SCAMPI) appraisals within organizations that use the TSP+ as a foundational operational practice. (CMU/SEI-2010-SR-021)

Implementation Guidance for the Accelerated Improvement Method (AIM)
(December 2010) This 2010 report describes the Accelerated Improvement Method (AIM), which helps an organization to implement high-performance, high-quality CMMI practices much more quickly than industry norms. (CMU/SEI-2010-SR-032)

For more information

Email: info@sei.cmu.edu

Call: 412-268-2358