SEI Reports
Isolating Patterns of Failure in Department of Defense Acquisition
(June 2013) This report documents an investigation into issues related to aligning acquisition strategies with business and mission goals. (CMU/SEI-2013-TN-014)
Socio-Adaptive Systems Challenge Problems Workshop Report
(June 2013) Presents a summary of the findings that emerged from the Socio-Adaptive Systems Challenge Problem Workshop in Pittsburgh, held in April 2012. The workshop’s goal was to identify the challenges associated with resource allocation for warfighters operating at the tactical edge, where networks are often unreliable, and bandwidth limited and inconsistent. (CMU/SEI-2013-SR-010)
Application Virtualizaton as a Strategy for Cyber Foraging in Resource-Constrained Environments
(May 2013) This technical note explores the applicability of application virtualization as a strategy for cyber foraging in resource-constrained environments. Cyber foraging is a technique to enable resource-poor, mobile devices to leverage external computing power. Application virtualization emulates operating system services for applications. While it involves some challenges, it provides a promising strategy for cyber foraging in resource-constrained environments because of it is a lightweight approach that offers high portability. (CMU/SEI-2013-TN-007)
Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations
(May 2013) This technical note defines intellectual property (IP) and insider theft of IP, gives a snapshot of the insiders involved in these cases, summarizes some of the cases, and provides recommendations for mitigating the risk of similar incidents of insider threat. (CMU/SEI-2013-TN-009)
Software Assurance Competency Model
(May 2013) This Software Assurance Competency Model helps create a foundation for assessing and advancing the capability of software assurance professionals. (CMU/SEI-2013-TN-004)
PSP-VDC: An Adaptation of the PSP that Incorporates Verified Design by Contract
(May 2013) This paper describes a proposal for integrating Verified Design by Contract into PSP in order to reduce the amount of defects present at the Unit Testing phase, while preserving or improving productivity. (CMU/SEI-2013-TR-005)
Quantifying Uncertainty in Expert Judgment: Initial Results
(March 2013) The work described in this report, part of a larger SEI research effort on Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE), aims to develop and validate methods for calibrating expert judgment. Reliable expert judgment is crucial across the program acquisition lifecycle for cost estimation, and perhaps most critically for tasks related to risk analysis and program management. This research is based on three field studies that compare and validate training techniques aimed at improving the participants’ skills to enable more realistic judgments commensurate with their knowledge. (CMU/SEI-2013-TR-001)
Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders
(March 2013) This analysis justifies applying the pattern “Increased Review for Intellectual Property (IP) Theft by Departing Insiders,” which helps organizations plan, prepare, and implement a strategy to mitigate the risk of insider theft of IP. (CMU/SEI-2013-TN-013)
Detecting and Preventing Data Exfiltration Through Encrypted Web Sessions via Traffic Inspection
(March 2013) This report presents methods that can be used to detect and prevent data exfiltration using a Linux-based proxy server in a Microsoft Windows environment. (CMU/SEI-2013-TN-012)
The MAL: A Malware Analysis Lexicon
(February 2013) This report presents the results of the Malware Analysis Lexicon (MAL) initiative, a small project to develop the first common vocabulary for malware analysis. (CMU/SEI-2013-TN-010)
Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders
(January 2013) This report presents methods to audit USB device use within a Microsoft Windows environment. (CMU/SEI-2013-TN-003)
Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources
(January 2013) This report focuses on the theft of intellectual property using removable media, in particular, USB devices. We present methods to control removable media devices in a Microsoft Windows environment using Group Policy within an Active Directory environment. We also explore OpenDLP, an open source tool for identifying where sensitive data resides on organizational systems. (CMU/SEI-2013-TN-002)
Common Sense Guide to Mitigating Insider Threats, 4th Edition
(December 2012) This fourth edition of the Common Sense Guide to Mitigating Insider Threats introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, outlines current patterns and trends, and describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so. (CMU/SEI-2012-TR-012)
Analyzing Cases of Resilience Success and Failure—A Research Study
(December 2012) This report describes the SEI research study aimed at helping organizations to know the business value of implementing resilience processes and practices, and determine which ones to implement. (CMU/SEI-2012-TN-025)
The Business Case for Systems Engineering Study: Assessing Project Performance from Sparse Data
(December 2012) This report describes the data collection and analysis process used to support the assessment of project performance for the systems engineering (SE) effectiveness study. (CMU/SEI-2012-SR-010)
The Business Case for Systems Engineering Study: Results of the Systems Engineering Effectiveness Survey
(November 2012) This report summarizes the results of a survey that had the goal of quantifying the connection between the application of systems engineering (SE) best practices to projects and programs and the performance of those projects and programs. (CMU/SEI-2012-SR-009)
Reliability Improvement and Validation Framework
(November 2012) This report discusses the reliability validation and improvement framework developed by the SEI. The purpose of this framework is to provide a foundation for addressing the challenges of qualifying increasingly software-reliant, safety-critical systems. It aims to overcome the limitations of current reliability engineering approaches, leverage the best emerging engineering technologies and practices to complement the process focus of current practice, find acceptance in industry, and lead to a new set of reliability improvement metrics. (CMU/SEI-2012-SR-013)
DoD Information Assurance and Agile: Challenges and Recommendations Gathered Through Interviews with Agile Program Managers and DoD Accreditation Reviewers
(November 2012) This paper discusses the natural tension between rapid fielding and response to change (characterized as agility) and DoD information assurance policy. Data for the paper was gathered through interviews with DoD project managers and IA representatives. (CMU/SEI-2012-TN-024)
TSP Symposium 2012 Proceedings
(November 2012) The 2012 TSP Symposium was organized by the Software Engineering Institute (SEI) and took place September 18–20 in St. Petersburg, FL. The goal of the TSP Symposium is to bring together practitioners and academics who share a common passion to change the world of software engineering for the better through disciplined practice. The conference theme was “Delivering Agility with Discipline.” This report contains the six papers selected by the TSP Symposium Technical Program Committee. (CMU/SEI-2012-SR-015)
Supporting the Use of CERT® Secure Coding Standards in DoD Acquisitions
(October 2012) This technical note provides guidance to help DoD acquisition programs address software security in acquisitions. It provides background on the development of secure coding standards, sample request for proposal (RFP) language, and a mapping of the Application Security and Development STIG to the CERT(R) C Secure Coding Standard. (CMU/SEI-2012-TN-016)
Resource Allocation in Dynamic Environments
(October 2012) When warfighting missions are conducted in a dynamic environment, the allocation of resources needed for mission operation can change from moment to moment. This report addresses two challenges of resource allocation in dynamic environments: overstatement of resource needs and unpredictable network availability. (CMU/SEI-2012-TR-011)
Well There’s Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File
(October 2012) This report describes an algorithm that efficiently reverts bits from the fuzzed file to those found in the original seed file, keeping only the minimal bits required to recreate the crash under investigation. (CMU/SEI-2012-TN-018)
The Role of Standards in Cloud-Computing Interoperability
(October 2012) This report explores the role of standards in cloud-computing interoperability. It covers cloud-computing basics and standard-related efforts, discusses several use cases, and provides recommendations for cloud-computing adoption. (CMU/SEI-2012-TN-012)
Cloud Computing at the Tactical Edge
(October 2012) This technical note presents a strategy to overcome the challenges of obtaining sufficient computation power to run applications needed for warfighting and disaster relief missions. It discusses the use of cloudlets-- localized, stateless servers running one or more virtual machines--on which soldiers can offload resource-intensive computations from their handheld mobile devices. (CMU/SEI-2012-TN-015)
Communication Among Incident Responders - A Study
(September 2012) This technical note describes three factors that can help or hinder the cooperation of incident responders. (CMU/SEI-2012-TN-028)
Toward a Theory of Assurance Case Confidence
(September 2012) Assurance cases provide an argument and evidence explaining why a claim about some system property holds. This report presents a framework for thinking about (and determining) confidence in assurance case arguments. The framework uses argumentation theory as developed in philosophy, jurisprudence, mathematics, and artificial intelligence to provide a justified basis for asserting some level of confidence in the truth of assurance case claims. (CMU/SEI-2012-TR-002)
SEPG Europe 2012 Conference Proceedings
(September 2012) This report compiles seven papers based on presentations given at SEPG Europe 2012. (CMU/SEI-2012-SR-005)
Competency Lifecycle Roadmap: Toward Performance Readiness
(September 2012) This technical note describes the Competency Lifecycle Roadmap (CLR), a preliminary roadmap for understanding and building workforce readiness. (CMU/SEI-2012-TN-020)
Probability-Based Parameter Selection for Black-Box Fuzz Testing
(August 2012) This report describes an algorithm to automate selection of seed files and other parameters used in black-box fuzz testing. (CMU/SEI-2012-TN-019)
Network Profiling Using Flow
(August 2012) This report provides a step-by-step guide for profiling—discovering public-facing assets on a network—using network flow (netflow) data. (CMU/SEI-2012-TR-006)
Results of SEI Line-Funded Exploratory New Starts Projects
(August 2012) This report describes the line-funded exploratory new starts (LENS) projects that were undertaken during fiscal year 2011. For each project, the report presents a brief description and a recounting of the research that was done, as well as a synopsis of the results of the project. (CMU/SEI-2012-TR-004)
Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector
(July 2012) This report describes a new insider threat study in which researchers extracted technical and behavioral patterns from fraud cases and developed insights and risk indicators of malicious insider activity within the banking and finance sector. (CMU/SEI-2012-SR-004)
The Evolution of a Science Project: A Preliminary System Dynamics Model of a Recurring Software-Reliant Acquisition Behavior
(July 2012) This report uses a preliminary system dynamics model to analyze a specific adverse acquisition dynamic concerning the poorly controlled evolution of small prototype efforts into full-scale systems. (CMU/SEI-2012-TR-001)
A Virtual Upgrade Validation Method for Software-Reliant Systems
(June 2012) Presents the Virtual Upgrade Validation (VUV) method, an approach that uses architecture-centric, model-based analysis to identify system-level problems early in the upgrade process to complement established test qualification techniques. (CMU/SEI-2012-TR-005)
Report from the First CERT-RMM Users Group Workshop Series
(May 2012) This report describes the first CERT RMM Users Group (RUG) Workshop Series and relays the experiences of participating members and CERT staff. (CMU/SEI-2012-TN-008)
A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders
(May 2012) This report presents an example of an enterprise architectural pattern, Increased Monitoring for Intellectual Property (IP) Theft by Departing Insiders, to help organizations plan, prepare, and implement a means to mitigate the risk of insider theft of IP. (CMU/SEI-2012-TR-008)
Source Code Analysis Laboratory (SCALe)
(May 2012) This report details the CERT Program's Source Code Analysis Laboratory (SCALe), a proof-of-concept demonstration that software systems can be conformance tested against secure coding standards, and provides an analysis of selected software systems. (CMU/SEI-2012-TN-013)
Insider Threat Security Reference Architecture
(May 2012) This technical report describes the Insider Threat Security Reference Architecture (ITSRA), an enterprise-wide solution to the threat to organizations from its own insiders. The ITSRA draws from existing best practices and standards as well as from analysis of real insider threat cases to provide actionable guidance for organizations to improve their posture against the insider threat. (CMU/SEI-2012-TR-007)
CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication Crosswalk Version 1
(March 2012) This technical note maps CERT® Resilience Management Model (CERT®-RMM) process areas to certain National Institute of Standards and Technology (NIST) special publications in the 800 series. (CMU/SEI-2011-TN-028)
What’s New in V2 of the Architecture Analysis & Design Language Standard?
(March 2012) This report provides an overview of changes and improvements to the Architecture Analysis & Design Language (AADL) standard for describing both the software architecture and the execution platform architectures of performance-critical, embedded, real-time systems. (CMU/SEI-2011-SR-011)
Principles of Trust for Embedded Systems
(March 2012) This paper gives substance and explicit meaning to the terms trust and trustworthy as they relate to automated systems and to embedded systems in particular. (CMU/SEI-2012-TN-007)
Mission Risk Diagnostic (MRD) Method Description
(February 2012) The SEI has developed the Mission Risk Diagnostic (MRD) to assess risk in interactively complex, socio-technical systems across the life cycle and supply chain. (CMU/SEI-2012-TN-005)
Risk-Based Measurement and Analysis: Application to Software Security
(February 2012) This report presents the foundational concepts of a risk-based approach for software security measurement and analysis and provides an overview of the IMAF and the MRD. (CMU/SEI-2012-TN-004)
Spotlight On: Malicious Insiders and Organized Crime Activity
(January 2012) This report defines malicious insiders and organized crime and provides a snapshot of who malicious insiders are, what and how they strike, and why. (CMU/SEI-2012-TN-001)
Interoperability in the e-Government Context
(January 2012) This report describes a proposed model through which to understand interoperability in the e-government context. (CMU/SEI-2011-TN-014)
Best Practices for Artifact Versioning in Service-Oriented Systems
(January 2012) This report describes some of the challenges of software versioning in an SOA environment and provides guidance on how to meet these challenges by following industry guidelines and recommended practices. (CMU/SEI-2011-TN-009)
An Investigation of Techniques for Detecting Data Anomalies in Earned Value Management Data
(December 2011) This research demonstrated the effectiveness of various statistical techniques for discovering quantitative data anomalies. (CMU/SEI-2011-TR-027)
Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE)
(December 2011) The method of quantifying uncertainty described in this report synthesizes scenario building, Bayesian Belief Network (BBN) modeling and Monte Carlo simulation into an estimation method that quantifies uncertainties, allows subjective inputs, visually depicts influential relationships among program change drivers and outputs, and assists with the explicit description and documentation underlying an estimate. (CMU/SEI-2011-TR-026)
A Closer Look at 804: A Summary of Considerations for DoD Program Managers
(December 2011) The information in this report is intended to help program managers reason about actions they may need to take to adapt and comply with the Section 804 NDAA for 2010 and associated guidance. (CMU/SEI-2011-SR-015)
Using Defined Processes as a Context for Resilience Measures
(December 2011) This technical note, which builds on two previous reports, describes how implementation-level processes can provide the necessary context for identifying and defining measures of operational resilience. (CMU/SEI-2011-TN-029)
Standards-Based Automated Remediation: A Remediation Manager Reference Implementation, 2011 Update
(December 2011) This report describes the Software Engineering Institute’s (SEI’s) 2011 work for the National Security Agency (NSA) to develop standards for automated remediation of vulnerabilities and compliance issues on Department of Defense (DoD) networked systems. (CMU/SEI-2011-SR-016)
Agile Methods: Selected DoD Management and Acquisition Concerns
(October 2011) This technical note addresses some of the key issues that either must be understood to ease the adoption of Agile or are seen as potential barriers to adoption of Agile in the DoD acquisition context. (CMU/SEI-2011-TN-002)
CERT® Resilience Management Model Capability Appraisal Method (CAM) Version 1.1
(October 2011) This report demonstrates that the SCAMPI Version 1.2 method can be adapted and applied to CERT-RMM V1.1 as the reference model for a process appraisal. (CMU/SEI-2011-TR-020)
CERT® Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk Commercial Version 1.1
(October 2011) CERT® Resilience Management Model (CERT-RMM) provides a reference model that allows organizations to make sense of their practice deployment in a process context. (CMU/SEI-2011-TN-012)
Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination
(October 2011) This technical note presents an insider threat pattern on how organizations can combat insider theft of intellectual property. The technical note describes how to use the centralized log storage and indexing engine Splunk to detect malicious insider behavior on a network. (CMU/SEI-2011-TN-024)
An Acquisition Perspective on Product Evaluation
(October 2011) This technical note focuses on software acquisition and development practices related to the evaluation of products before, during, and after implementation. From engagements with numerous DoD acquisition programs, it has been observed that a number of recurring issues reduce the effectiveness of how software-reliant products are evaluated. An acquisition effort consists of identifying the customer’s needs, selecting or developing a product that is responsive to those needs, and then evaluating the product to determine if it properly addresses the identified needs. This technical note describes the Product Evaluation (verification, validation, and certification) process including test, reviews, and formal methods. It also makes the argument that Product Evaluation should not be deferred until after a product has been built, but should begin as soon as the customer’s needs have been identified and should continue throughout the acquisition effort (CMU/SEI-2011-TN-007)
2010 CERT Research Report
(September 2011) The CERT Research Report highlights our accomplishments and activities in successfully executing our research strategy. (CMU/SEI-2020-10--ce)
Smart Grid Maturity Model, Version 1.2: Model Definition
(September 2011) The Smart Grid Maturity Model (SGMM) is a business tool stewarded by the Software Engineering Institute at Carnegie Mellon University. It was originally developed by electric power utilities for use by electric power utilities. The model provides a framework for understanding the current extent of smart grid deployment and capability within an electric utility, a context for establishing strategic objectives and implementation plans in support of grid modernization, and a means to evaluate progress over time toward those objectives.
The SGMM is composed of eight domains and six maturity levels as detailed in this document, which contains the full definition and description of the model. Introductory material to aid in understanding the purpose and use of the SGMM is also provided.
The primary audiences for the SGMM, and for this document, are electric power utilities that are seeking guidance related to the modernization of their operations and practices for delivering electricity. The audience also includes any related stakeholders for such utilities. Currently, the model is better suited for utilities with transmission and distribution operations than for pure generation utilities. (CMU/SEI-2011-TR-025)
Understanding and Leveraging a Supplier’s CMMI Efforts: A Guidebook for Acquirers (Revised for V1.3)
(September 2011) This guidebook helps acquisition organizations formulate questions for their suppliers related to CMMI. It also helps organizations interpret responses to identify and evaluate risks for a given supplier. (CMU/SEI-2011-TR-023)
Software Assurance Curriculum Project Volume IV: Community College Education
(September 2011) The fourth volume in the Software Assurance Curriculum Project led by a team at the Software Engineering Institute, this report focuses on community college courses for software assurance. (CMU/SEI-2011-TR-017)
Proceedings of the Fourth International Workshop on a Research Agenda for Maintenance and Evolution of Service-Oriented Systems (MESOA 2010)
(September 2011) This report summarizes the proceedings from the 2010 MESOA workshop and includes the accepted papers that were the basis for the presentations given during the workshop. (CMU/SEI-2011-SR-008)
Architecting Service-Oriented Systems
(August 2011) This report presents guidelines for architecting service-oriented systems and the effect of architectural principles on system quality attributes. (CMU/SEI-2011-TN-008)
Measures for Managing Operational Resilience
(July 2011) In this report, Resilient Enterprise Management (REM) team members suggest a set of top ten strategic measures for managing operational resilience. These measures derive from high-level objectives of the ORM system defined in the CERT® Resilience Management Model, Version 1.1 (CERT®-RMM). (CMU/SEI-2011-TR-019)
Standards-Based Automated Remediation: A Remediation Manager Reference Implementation
(July 2011) This report describes the Software Engineering Institute's 2010 work to develop standards for vulnerability and compliance remediation on Department of Defense networked systems. (CMU/SEI-2011-SR-007)
A Decision Framework for Selecting Licensing Rights for Noncommercial Computer Software in the DoD Environment
(July 2011) This report describes standard noncommercial software licensing alternatives as defined by U.S. government and Department of Defense (DoD) regulations. It also suggests an approach for objectively identifying agency needs for license rights and the appropriate license type for systems with noncommercial computer software or as standalone software in the DoD environment. (CMU/SEI-2011-TR-014)
A Preliminary Model of Insider Theft of Intellectual Property
(June 2011) This report presents research about insider theft of intellectual property. (CMU/SEI-2011-TN-013)
Trusted Computing in Embedded Systems Workshop
(April 2011) This report describes the November 2010 Trusted Computing in Embedded Systems Workshop held at Carnegie Mellon University. (CMU/SEI-2011-SR-002)
Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0
(April 2011) This document, first in the Best Practices for National Cyber Security series, provides information that interested organizations and governments can use to develop a national incident management capability. (CMU/SEI-2011-TR-015)
Appraisal Requirements for CMMI Version 1.3 (ARC, V1.3)
(April 2011) The Appraisal Requirements for CMMI, Version 1.3 (ARC, V1.3), defines the requirements for appraisal methods intended for use with Capability Maturity Model Integration (CMMI) and with the People CMM. (CMU/SEI-2011-TR-006)
Issues and Opportunities for Improving the Quality and Use of Data in the Department of Defense
(March 2011) The Office of the Secretary of Defense for Acquisition, Technology, and Logistics (OSD [AT&L]), Director, Defense Research & Engineering (DDR&E) sponsored a workshop to bring together leading researchers and practitioners to identify opportunities for research focused on data quality, data analysis, and data use. During workshop discussion participants were asked to identify challenging areas that would address technology gaps and to discuss research ideas that would support future DoD policies and practices. The Software Engineering Institute formed three primary recommendations for areas of further research from the information produced at the workshop. These areas were integrating data from disparate sources, employing provenance analytics, and developing models, methods, and tools that support data quality by design. (CMU/SEI-2011-SR-004)
Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi
(March 2011) This report, the third volume in the Software Assurance Curriculum Project sponsored by the U.S. Department of Homeland Security, provides sample syllabi for the nine core courses in the Master of Software Assurance Reference Curriculum. (CMU/SEI-2011-TR-013)
IEEE Computer Society/Software Engineering Institute Software Process Achievement (SPA) Award 2009
(March 2011) This March 2011 report provides an overview of Infosys Technologies Limited and its practices, which led to the company receiving the IEEE’s SPA Award in 2009. (CMU/SEI-2011-TR-008)
Standard CMMI Appraisal Method for Process Improvement (SCAMPI) A, Version 1.3: Method Definition Document
(March 2011) The SCAMPI Method Definition Document describes the requirements, activities, and practices associated with each of the processes that compose the SCAMPI method. It is intended to be one of the elements of the infrastructure within which SCAMPI Lead Appraisers conduct a SCAMPI appraisal. (CMU/SEI-2011-HB-001)
CMMI for Acquisition (CMMI-ACQ) Primer, Version 1.3
(March 2011) Acquisition practices for the project level that help you get started with CMMI for Acquisition practices without using the whole model. (CMU/SEI-2011-TR-010)
A Framework for Evaluating Common Operating Environments: Piloting, Lessons Learned, and Opportunities
(February 2011) This report explores the interdependencies among common language, business goals, and soft-ware architecture as the basis for a common framework for conducting evaluations of software technical solutions. (CMU/SEI-2010-SR-025)
Function Extraction (FX) Research for Computation of Software Behavior: 2010 Development and Application of Semantic Reduction Theorems for Behavior Analysis
(February 2011) This 2011 report presents the findings of an SEI study that have been implemented in a system for malware analysis and improved capabilities for behavior computation in other applications. (CMU/SEI-2011-TR-009)
Results of SEI Independent Research and Development Projects (FY 2010)
(February 2011) This report describes results of independent research and development (IRAD) projects undertaken in fiscal year 2010. (CMU/SEI-2011-TR-002)
An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases
(February 2011) This report provides an overview of techniques employed by malicious insiders to steal intellectual property, including the types of assets targeted and the methods used to remove the information from a victim organization’s control. The report closes with a brief discussion of mitigating factors and strategic items that an organization should consider when defending against insider attacks on intellectual property. (CMU/SEI-2011-TN-006)
Integrating the Master of Software Assurance Reference Curriculum into the Model Curriculum and Guidelines for Graduate Degree Programs in Information Systems
(February 2011) This report examines how the recommendations of the Master of Software Assurance Reference Curriculum might be integrated into the model curriculum recommendations for a Master of Science in Information Systems (MSIS). (CMU/SEI-2011-TN-004)
Network Monitoring for Web-Based Threats
(February 2011) This report provides detection and prevention methods to counter an approach that a focused attacker would need to take in order to breach an organization through web-based protocols. (CMU/SEI-2011-TR-005)
Trust and Trusted Computing Platforms
(January 2011) This technical note examines the Trusted Platform Module, which arose from work related to the Independent Research and Development project "Trusted Computing in Extreme Adversarial Environments: Using Trusted Hardware as a Foundation for Cyber Security." (CMU/SEI-2011-TN-005)
Performance Analysis of WS-Security Mechanisms in SOAP-Based Web Services
(January 2011) This paper presents the results of a series of experiments targeted at analyzing the performance impact of adding WS-Security, a common security standard used in IdM frameworks, to SOAP-based web services. (CMU/SEI-2010-TR-023)
Deriving Candidate Technical Controls and Indicators of Insider Attack from Socio-Technical Models and Data
(January 2011) This 2011 report seeks to demonstrate how a method for modeling previous insider crimes can create informed candidate technical controls and indicators. (CMU/SEI-2011-TN-003)
Software Supply Chain Risk Management: From Products to Systems of Systems
(January 2011) This 2010 report considers current practices in software supply chain analysis and suggests foundational practices that can reduce risk in the supply chain. (CMU/SEI-2010-TN-026)
Guide for SCAMPI Appraisals: Accelerated Improvement Method (AIM)
(December 2010) This report provides guidance for appraisers and appraisal teams unfamiliar with TSP+ when conducting SCAMPI appraisals within organizations that use TSP+ as a foundational practice. (CMU/SEI-2010-SR-021)
Implementation Guidance for the Accelerated Improvement Method (AIM)
(December 2010) This 2010 report describes the (AIM which helps an organization to implement high-performance, high-quality CMMI practices much more quickly than industry norms. (CMU/SEI-2010-SR-032)
Adaptive Flow Control for Enabling Quality of Service in Tactical Ad Hoc Wireless Networks
(December 2010) This report details the results from 18 experiments to investigate Adaptive Quality of Service, an approach to enable applications to fulfill their missions despite network infrastructure limitations. (CMU/SEI-2010-TR-030)
A Taxonomy of Operational Cyber Security Risks
(December 2010) This report presents a taxonomy of operational cyber security risks. This report discusses the harmonization of the taxonomy with other risk and security activities. (CMU/SEI-2010-TN-028)
Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems
(December 2010) The Source Code Analysis Laboratory (SCALe) tests software applications for conformance to one of the CERT® secure coding standards. Though SCALe can be used in various capacities, it is particularly significant for conformance testing of energy delivery systems because of their critical importance. (CMU/SEI-2010-TR-021)
Beyond Technology Readiness Levels for Software: U.S. Army Workshop Report
(December 2010) This report synthesizes presentations, discussions, and outcomes from the "Beyond Technology Readiness Levels for Software" workshop from August 2010. (CMU/SEI-2010-TR-044)
The CERT Approach to Cybersecurity Workforce Development
(December 2010) This report describes a traditional model commonly used for developing and maintaining a competent cybersecurity workforce, explains some operational limitations associated with that model, and presents a new, continuous approach to cybersecurity workforce development. (CMU/SEI-2010-TR-045)
Combining Architecture-Centric Engineering with the Team Software Process
(December 2010) ACE methods and the TSP provides an iterative approach for delivering high quality systems on time and within budget. The combined approach helps organizations that must set an architecture/developer team in motion using mature, disciplined engineering practices that produce quality software quickly. (CMU/SEI-2010-TR-031)
A Workshop on Analysis and Evaluation of Enterprise Architectures
(November 2010) This report summarizes a workshop on the analysis and evaluation of enterprise architectures that was held at the SEI in April of 2010. (CMU/SEI-2010-TN-023)
Strategic Planning with Critical Success Factors and Future Scenarios: An Integrated Strategic Planning Framework
(November 2010) This report explores the value of enhancing typical strategic planning techniques with the CSF method and scenario planning. (CMU/SEI-2010-TR-037)
CMMI for Development, Version 1.3
(October 2010) This 2010 report details CMMI for Development (CMMI-DEV) V.1.3, which provides a comprehensive integrated set of guidelines for developing products and services. (CMU/SEI-2010-TR-033)
CMMI for Acquisition, Version 1.3
(October 2010) This 2010 report details CMMI for Acquisition (CMMI-ACQ) V.1.3, which provides a comprehensive integrated set of guidelines for acquiring products and services. (CMU/SEI-2010-TR-032)
CMMI for Services, Version 1.3
(October 2010) CMMI for Services, Version 1.3 (CMU/SEI-2010-TR-034)
Success in Acquisition: Using Archetypes to Beat the Odds
(September 2010) This report describes key elements in systems thinking, provides an introduction to general systems archetypes, and applies these concepts to the software acquisition domain. (CMU/SEI-2010-TR-016)
Integrated Measurement and Analysis Framework for Software Security
(September 2010) This report is the first in a series that addresses how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF). (CMU/SEI-2010-TN-025)
Using TSP Data to Evaluate Your Project Performance
(September 2010) A set of measures was determined that allow analyses of TSP projects in terms of their fidelity to the TSP process and their project performance. These measures were applied to a data set of 41 TSP projects from an organization to identify their strengths and weaknesses. Software engineering teams already using TSP for soft-ware development can use the measures provided in this report to gain further insight into their projects. (CMU/SEI-2010-TR-038)
Program Executive Officer Aviation, Major Milestone Reviews: Lessons Learned Report
(September 2010) This report documents ideas and recommendations for improving the overall acquisition process and presents the actions taken by project managers in several programs to develop, staff, and obtain approval for their systems. (CMU/SEI-2010-TR-006)
Suggestions for Documenting SOA-Based Systems
(September 2010) This report provides suggestions for documenting service-oriented architecture-based systems based on the Views & Beyond (V&B) software documentation approach. (CMU/SEI-2010-TR-041)
Measuring Operational Resilience Using the CERT Resilience Management Model
(September 2010) This 2010 report begins a dialogue and establishes a foundation for measuring and analyzing operational resilience. (CMU/SEI-2010-TN-030)
Security Requirements Reusability and the SQUARE Methodology
(September 2010) This report discusses how security requirements engineering can incorporate reusable requirements. The CERT Program's SQUARE methodology has been adapted to accommodate reusability in a new version called R-SQUARE. (CMU/SEI-2010-TN-027)
Building Assured Systems Framework
(September 2010) This report presents the Building Assured Systems Framework (BASF) that addresses the customer and researcher challenges of selecting security methods and research approaches for building assured systems. (CMU/SEI-2010-TR-025)
Smart Grid Maturity Model: Model Definition
(September 2010) The SGMM provides a framework for understanding the current extent of smart grid deployment and capability within an electric utility, a context for establishing strategic objectives and implementation plans in support of grid modernization, and a means to evaluate progress over time toward those objectives. (CMU/SEI-2010-TR-009)
T-Check in System-of-Systems Technologies: Cloud Computing
(September 2010) The purpose of this report is to examine a set of claims about cloud computing adoption. (CMU/SEI-2010-TN-009)
Emerging Technologies for Software-Reliant Systems of Systems
(September 2010) The purpose of this report is to present an informal survey of technologies that are, or are likely to become, important for software-reliant systems of systems in response to current computing trends. (CMU/SEI-2010-TN-019)
Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum
(August 2010) This report contains a master of software assurance curriculum that educational institutions can use to create a degree program or track. (CMU/SEI-2010-TR-005)
Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines
(August 2010) This report focuses on an undergraduate curriculum specialization for software assurance. (CMU/SEI-2010-TR-019)
Measurement and Analysis Infrastructure Diagnostic, Version 1.0: Method Definition Document
(August 2010) This 2010 report is a guidebook for conducting a Measurement and Analysis Infrastructure Diagnostic (MAID) evaluation. (CMU/SEI-2010-TR-035)
A Framework for Modeling the Software Assurance Ecosystem: Insights from the Software Assurance Landscape Project
(August 2010) This report describes the SEI Assurance Modeling Framework and discusses an initial piloting of the framework to prove its value and insights gained from that piloting for the adoption of selected assurance solutions. (CMU/SEI-2010-TR-028)
COVERT: A Framework for Finding Buffer Overflows in C Programs via Software Verification
(August 2010) This report presents COVERT, an automated framework aimed at finding buffer overflows in C programs using state-of-the-art software verification tools and techniques. (CMU/SEI-2010-TR-029)
Relating Business Goals to Architecturally Significant Requirements for Software Systems
(August 2010) This report attempts to facilitate better elicitation of high-pedigree quality attribute requirements by understanding how business goals influence quality attribute requirements and architectures. (CMU/SEI-2010-TN-018)
Risk Management Framework
(August 2010) This report details a framework that documents best practices for risk management and an approach for evaluating a program’s risk management practice in relation to this framework. (CMU/SEI-2010-TR-017)
Adapting the SQUARE Process for Privacy Requirements Engineering
(July 2010) This 2010 report explores how the SQUARE process can be adapted for privacy requirements engineering in software development. (CMU/SEI-2010-TN-022)
Programmatic and Constructive Interdependence: Emerging Insights and Predictive Indicators of Development Resource Demand
(July 2010) This 2010 report describes a series of ongoing research efforts that investigate the role of interdependence in the acquisition of major defense acquisition programs. (CMU/SEI-2010-TR-024)
Team Software Process (TSP) Body of Knowledge (BOK)
(July 2010) The TSP BOK helps practitioners and employers assess and improve their skills, and shows academic institutions how to incorporate TSP into their engineering courses. (CMU/SEI-2010-TR-020)
Performance Effects of Measurement and Analysis: Perspectives from CMMI High Maturity Organizations and Appraisers
(June 2010) This 2010 report describes results from two recent studies conducted by the SEI to survey the measurement and analysis activities of software systems development organizations. (CMU/SEI-2010-TR-022)
Software Product Lines: Report of the 2010 U.S. Army Software Product Line Workshop
(June 2010) This report synthesizes presentations and discussions from a 2010 workshop to discuss product line practices and operational accomplishments. (CMU/SEI-2010-TR-014)
Considerations for Using Agile in DoD Acquisition
(June 2010) This 2010 report explores the questions: Can Agile be used in the DoD environment? If so, how? (CMU/SEI-2010-TN-002)
Team Software Process (TSP) Coach Mentoring Program Guidebook Version 1.1
(June 2010) This 2010 guidebook explains the steps for becoming an SEI-Certified TSP Coach or SEI-Certified TSP Mentor Coach, with emphasis on guiding individuals through the mentoring process. (CMU/SEI-2010-SR-016)
Data Rights for Proprietary Software Used in DoD Programs
(June 2010) This report examines how data rights issues were addressed in the TSAT program, reviews additional concerns posed by the use of commercial software in the TSAT program’s Space Segment, and reviews data rights concerns for software incorporated in the GPS program. (CMU/SEI-2010-TN-014)
Java Concurrency Guidelines
(June 2010) The CERT Oracle Secure Coding Standard for Java provides guidelines for secure coding in the Java programming language. This report documents the portion of those Java guidelines that are related to concurrency. (CMU/SEI-2010-TR-015)
Specifications for Managed Strings, Second Edition
(June 2010) This report describes a managed string library for the C programming language. (CMU/SEI-2010-TR-018)
Survivability Analysis Framework
(June 2010) Description of a framework (Survivability Analysis Framework) used to examine the elements of an operational process and evaluate the survivability and effectiveness of the linkage among roles, dependencies, constraints, and risks to achieve critical operational capabilities. (CMU/SEI-2010-TN-013)
CERT Resilience Management Model, Version 1.0
(May 2010) This report presents the CERT-RMM, an approach to managing operational resilience in complex, risk-evolving environments. (CMU/SEI-2010-TR-012)
Identifying Anomalous Port-Specific Network Behavior
(May 2010) A method for identifying network behavior that my be a sign of coming internet-wide attacks is presented. (CMU/SEI-2010-TR-010)
Managing Variation in Services in a Software Product Line Context
(May 2010) This report highlights the benefits of combining systematic reuse approaches from product line development with flexible approaches for implementing business processes in a SOA environment. (CMU/SEI-2010-TN-007)
Evaluating and Mitigating Software Supply Chain Security Risks
(May 2010) This 2010 report identifies software supply chain security risks and specifies the evidence that must be gathered to determine whether these risks have been mitigated. (CMU/SEI-2010-TN-016)
Case Study: Model-Based Analysis of the Mission Data System Reference Architecture
(May 2010) This report describes how AADL support an instantiation of a reference architecture, address architectural themes, and provide a foundation for the analysis of performance elements and system assurance concerns. (CMU/SEI-2010-TR-003)
Characterizing Technical Software Performance Within System of Systems Acquisitions: A Step-Wise Methodology
(April 2010) This report focuses on both qualitative and quantitative ways of determining the current state of SWP (software performance) in terms of both test coverage and confidence for SOA-based SoS environments. (CMU/SEI-2010-TR-007)
As-If Infinitely Ranged Integer Model, Second Edition
(April 2010) This report presents the as-if infinitely ranged (AIR) integer model that provides a largely automated mechanism for eliminating integer overflow and truncation and other integral exceptional conditions. (CMU/SEI-2010-TN-008)
Testing in Service-Oriented Environments
(April 2010) This 2010 report makes several recommendations for improving testing in service-oriented environments, including testing functionality, interoperability testing, security, performance, and more. (CMU/SEI-2010-TR-011)
Reports from the Field on System of Systems Interoperability Challenges and Promising Approaches
(March 2010) This report identifies challenges and successful approaches to achieving system of systems (SoS) interoperability. (CMU/SEI-2010-TR-013)
Extending Team Software Process (TSP) to Systems Engineering: A NAVAIR Experience Report
(March 2010) This 2010 report communicates status, progress, lessons learned, and results on a joint collaboration between the SEI and NAVAIR. (CMU/SEI-2010-TR-008)
A Research Agenda for Service-Oriented Architecture (SOA): Maintenance and Evolution of Service-Oriented Systems
(March 2010) This 2010 report describes the agenda of an SEI-led group that was formed to explore the business, engineering, and operations aspects of service-oriented architecture. (CMU/SEI-2010-TN-003)
Profiling Systems Using the Defining Characteristics of Systems of Systems (SoS)
(February 2010) This technical note identifies and describes the characteristics that have been used in various definitions of the term system of systems. (CMU/SEI-2010-TN-001)
Proceedings of the 3rd International Workshop on a Research Agenda for Maintenance and Evolution of Service-Oriented Systems (MESOA 2009)
(February 2010) This report contains selected papers from the 3rd International Workshop on a Research Agenda for Maintenance and Evolution of Service-Oriented Systems (MESOA 2009). (CMU/SEI-2010-SR-004)
Approaches to Process Performance Modeling: A Summary from the SEI Series of Workshops on CMMI High Maturity Measurement and Analysis
(January 2010) This report summarizes the results from the second and third high maturity measurement and analysis workshops. (CMU/SEI-2009-TR-021)
Evaluating the Software Design of a Complex System of Systems
(January 2010) The report examines the application of the life-cycle architecture milestone to the software and computing elements of the former Future Combat Systems program. (CMU/SEI-2009-TR-023)
Results of SEI Independent Research and Development Projects (FY 2009)
(December 2009) This report describes the independent research and development (IRAD) projects that were conducted during fiscal year 2009 (October 2008 through September 2009). (CMU/SEI-2009-TR-025)
Generalized Criteria and Evaluation Method for Center of Excellence: A Preliminary Report
(December 2009) Criteria and standards to certify an organization as a COE are presented in this Carnegie Mellon Software Engineering Institute preliminary report. (CMU/SEI-2009-TN-011)
Measurement and Analysis Infrastructure Diagnostic (MAID) Evaluation Criteria, Version 1.0
(December 2009) This 2009 report presents the criteria used during a MAID evaluation that act as a checklist to rate the quality of an organization's measurement and analysis practices. (CMU/SEI-2009-TR-022)
A Structured Approach for Reviewing Architecture Documentation
(December 2009) This 2009 technical note proposes a structured approach for reviewing architecture documentation that is centered on the documentation's stakeholders. (CMU/SEI-2009-TN-030)
System Architecture Virtual Integration: An Industrial Case Study
(December 2009) This report introduces key concepts of the SAVI paradigm, describe the POC scope, and discusses the series of development scenarios used in a POC demonstration to illustrate the feasibility of improving the quality of software-intensive aircraft systems. (CMU/SEI-2009-TR-017)
Proceedings of the Workshop on Software Engineering Foundations for End-User Programming (SEEUP 2009)
(November 2009) This report presents the papers that were given at SEEUP 2009, held at the 31st ICSE in Vancouver, British Columbia on May 23, 2009. (CMU/SEI-2009-SR-015)
CMMI and TSP/PSP: Using TSP Data to Create Process Performance Models
(November 2009) This report describes the fundamental concepts of process performance models (PPMs) and describes how they can be created using data generated by projects following the TSP. (CMU/SEI-2009-TN-033)
The Watts New Collection: Columns by the SEI’s Watts Humphrey
(November 2009) news@sei columns written by the SEI's Watts Humphrey between June 1998 and August 2008 (CMU/SEI-2009-SR-024)
Evaluating Artifact Quality from an Appraisal Perspective
(November 2009) This report explores the lack of agreement among SCAMPI Lead Appraisers about what “artifact quality” means in the SCAMPI process context. (CMU/SEI-2009-TN-021)
Evaluating Process Quality from an Appraisal Perspective
(November 2009) This report explores the lack of agreement among SCAMPI Lead Appraisers about what “process quality” means in the SCAMPI process context. (CMU/SEI-2009-TN-022)
A Method for Assessing Technical Progress and Quality Throughout the System Life Cycle
(November 2009) This 2009 paper provides a framework for evaluating a system from several perspectives for a comprehensive picture of progress and quality. (CMU/SEI-2009-TN-032)
Data Model as an Architectural View
(October 2009) This 2009 report describes the data model as an architectural style in an effort to help architects apply this style to create data model architectural views. (CMU/SEI-2009-TN-024)
A Bibliography of the Personal Software Process (PSP) and the Team Software Process (TSP)
(October 2009) This special report provides a bibliography of books, articles, and other literature concerning the PSP and TSP methodologies. (CMU/SEI-2009-SR-025)
Towards an Assurance Case Practice for Medical Devices
(October 2009) This report explores how the assurance case promises a technology answer for the challenge that manufacturers and federal regulators face in gaining confidence about the performance of software-dominated medical devices. (CMU/SEI-2009-TN-018)
Insights on Program Success
(October 2009) This 2009 report examines the reasons why some programs fail and studies the factors that lead to program success. (CMU/SEI-2009-SR-023)
Lessons Learned from a Large, Multi-Segment, Software-Intensive System
(September 2009) This 2009 report contains a series of observations and their associated lessons learned from a large, multi-segment, software-intensive system. (CMU/SEI-2009-TN-013)
The Personal Software Process (PSP) Body of Knowledge, Version 2.0
(August 2009) The Personal Software Process (PSP) body of knowledge (BOK) contained in this report provides guidance to software professionals who are interested in using proven-effective, disciplined methods to improve their personal software development process. (CMU/SEI-2009-SR-018)
A Proactive Means for Incorporating a Software Architecture Evaluation in a DoD System Acquisition
(August 2009) This technical note provides guidance on how to contractually incorporate architecture evaluations in an acquisition. (CMU/SEI-2009-TN-004)
Realizing and Refining Architectural Tactics: Availability
(August 2009) Tactics are fundamental elements of software architecture that an architect employs to meet a system's quality requirements. This report describes an updated set of tactics that enable the architect to build availability into a system. (CMU/SEI-2009-TR-006)
Formulation of a Production Strategy for a Software Product Line
(August 2009) This 2009 report describes a technique for formulating the production strategy of a production system. (CMU/SEI-2009-TN-025)
Privacy Risk Assessment Case Studies in Support of SQUARE
(July 2009) This report describes work being done toward enhancing the Security Quality Requirements Engineering (SQUARE) method to address privacy requirements. The report examines privacy definitions, privacy regulations, and risk assessment techniques for privacy. (CMU/SEI-2009-SR-017)
People CMM (Version 2)
(July 2009) People CMM (Version 2) (CMU/SEI-2009-TR-003)
Building Process Improvement Business Cases Using Bayesian Belief Networks and Monte Carlo Simulation
(July 2009) This SEI report describes the results of a joint effort to build a business case using high maturity measurement approaches that require limited measurement effort. (CMU/SEI-2009-TN-017)
Incremental Development in Large-Scale Systems: Finding the Programmatic IEDs
(June 2009) This paper explores how continued use of the acquisition roadmaps opens up the potential for running into program pitfalls (programmatic IEDs) that aren’t acknowledged on the map at hand. (CMU/SEI-2009-TN-015)
Incorporating Software Requirements into the System RFP: Survey of RFP Language for Software by Topic, v. 2.0
(June 2009) The 2009 report defines and communicates software engineering and management events necessary to support the successful acquisition of software-intensive systems. (CMU/SEI-2009-SR-008)
Measurement for Improvement: Successful Measurement Practices Used in Army Software Acquisition
(June 2009) This report summarizes the findings of a study conducted for the Army to find and describe software measurement practices that are being used successfully. (CMU/SEI-2009-TN-008)
A Scenario-Based Technique for Developing SOA Technical Governance
(June 2009) Organizations can make the available SOA governance frameworks more effective in their organizations using the scenario-based tailoring technique introduced in this technical note. (CMU/SEI-2009-TN-009)
Impact of Army Architecture Evaluations
(April 2009) This 2009 report describes the results of a study of the impact that the ATAM evaluations and QAWs had on Army programs. (CMU/SEI-2009-SR-007)
Software Product Lines: Report of the 2009 U.S. Army Software Product Line Workshop
(April 2009) This report is a synthesis of the presentations and discussions that took place during the 2009 U.S. Army Software Product Line Workshop. (CMU/SEI-2009-TR-012)
A Framework for Categorizing Key Drivers of Risk
(April 2009) This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments. (CMU/SEI-2009-TR-007)
Making the Business Case for Software Assurance
(April 2009) This report provides guidance for those who want to make the business case for building software assurance into software products during each software development life-cycle activity. (CMU/SEI-2009-SR-001)
A Workshop on Architecture Competence
(April 2009) This report summarizes a June 2008 architecture competence workshop where practitioners discussed key issues in assessing architecture competence in organizations. (CMU/SEI-2009-TN-005)
Deploying TSP on a National Scale: An Experience Report from Pilot Projects in Mexico
(March 2009) This report communicates status, progress, lessons learned, and next steps for the Mexican TSP Initiative. (CMU/SEI-2009-TR-011)
An Initial Comparative Analysis of the CMMI Version 1.2 Development Constellation and the ISO 9000 Family
(March 2009) A preliminary, high-level comparison of the CMMI Development constellation and the ISO 9001:2000 family of process improvement standards. (CMU/SEI-2009-SR-005)
U.S. Army Workshop on Exploring Enterprise, System of Systems, System, and Software Architectures
(March 2009) The workshop summarized in this report confirms that various architectural genres enjoy more commonalities than differences. Nevertheless, each one has its own important knowledge base, and openness among the various architectural tasks within an organization is growing in importance. (CMU/SEI-2009-TR-008)
Secure Design Patterns
(March 2009) This 2009 SEI report describes a set of secure design patterns, which are meant to eliminate the accidental insertion of vulnerabilities into code. (CMU/SEI-2009-TR-010)
CMMI for Services, Version 1.2
(February 2009) A model of best practices to improve the processes of service providers. (CMU/SEI-2009-TR-001)
Overview of the Lambda-* Performance Reasoning Frameworks
(February 2009) This report provides an overview of the Lambda-* performance reasoning frameworks, their current capabilities, and ongoing research. Lambda-* is a suite of performance reasoning frameworks for predicting the average and worst-case latency of tasks in real-time systems. (CMU/SEI-2008-TR-020)
Use and Organizational Effects of Measurement and Analysis in High Maturity Organizations: Results from the 2008 SEI State of Measurement and Analysis Practice Surveys
(February 2009) This 2009 report contains results from a survey of high maturity organizations conducted by the Software Engineering Institute (SEI) in 2008. (CMU/SEI-2008-TR-024)
Multi-View Decision Making (MVDM) Workshop
(February 2009) This report describes a workshop at which the value provided by multi-view decision making (MVDM) was presented and discussed. MVDM is a set of programmatic and engineering practices that reflect the realities of system-of-systems development, acquisition, fielding, and support for complex development efforts. (CMU/SEI-2008-SR-035)
High-Fidelity E-Learning: The SEI's Virtual Training Environment (VTE)
(January 2009) This 2009 document describes the tenets of high-fidelity e-learning, describes how VTE reflects these, and summarizes how organizations have used and are using VTE. (CMU/SEI-2009-TR-005)
Survey of Systems Engineering Effectiveness - Initial Results, A
(December 2008) This survey quantifies the relationship between the application of Systems Engineering (SE) best practices to projects and programs, and the performance of those projects and programs. (CMU/SEI-2008-SR-034)
Results of SEI Independent Research and Development Projects
(December 2008) This report describes the independent research and development (IRAD) projects that were conducted during fiscal year 2008 (October 2007 through September 2008). (CMU/SEI-2008-TR-025)
CMMI Roadmaps
(November 2008) The report guides organizations that are starting a CMMI for development implementation and deciding to use the continuous representation. The report offers guidance for how to decide what process areas to implement first. (CMU/SEI-2008-TN-010)
CMMI or Agile: Why Not Embrace Both!
(November 2008) This report describes how CMMI and Agile methods can be used together successfully. (CMU/SEI-2008-TN-003)
CMMI High Maturity Measurement and Analysis Workshop Report: March 2008
(November 2008) This report outlines a 2008 workshop, in which leaders discussed high maturity practices and how to sustain momentum for improvement. (CMU/SEI-2008-TN-027)
Can You Trust Your Data? Establishing the Need for a Measurement and Analysis Infrastructure Diagnostic
(November 2008) This report describes common errors in measurement and analysis, and discusses the need for a criterion-based assessment method that allows organizations to evaluate their measurement programs. (CMU/SEI-2008-TN-028)
Service Level Agreements in Service-Oriented Architecture Environments
(September 2008) This 2008 report surveys the state of practice in service level agreement specification and offers guidelines on how to assure that services are provided with high availability, security, performance, and other required qualities. (CMU/SEI-2008-TN-021)
Requirements and Their Impact Downstream: Improving Causal Analysis Processes Through Measurement and Analysis of Textual Information
(September 2008) This 2008 report attempts to provide an improved understanding of requirements and requirement-related issues in testing and maintenance, and more. (CMU/SEI-2008-TR-018)
T-Check in Technologies for Interoperability: Business Process Management in a Web Services Context
(September 2008) To gain advantage, an organization can use business process management (BPM) technologies to describe, analyze, execute, and monitor business processes. This technical note presents an investigation of the Business Process Execution Language, a popular BPM technology. (CMU/SEI-2008-TN-005)
Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis
(August 2008) This 2008 report compares various approaches and tools used to capture and analyze evidence from computer memory. (CMU/SEI-2008-TN-017)
Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments
(August 2008) The purpose of this 2008 document is to preview a core set of activities and outputs that define a MAAP assessment. (CMU/SEI-2008-TN-011)
A Data Specification for Software Project Performance Measures: Results of a Collaboration on Performance Measurement
(August 2008) This 2008 document contains a set of defined software project performance measures and influence factors that can be used by software development projects. (CMU/SEI-2008-TR-012)
Results of SEI Independent Research and Development Projects FY 2007
(August 2008) This report describes the independent research and development (IRAD) projects that were conducted during fiscal year 2007 (October 2006 through September 2007). (CMU/SEI-2008-TR-017)
SQUARE-Lite: Case Study on VADSoft Project
(August 2008) This 2008 report describes SQUARE and SQUARE-Lite, and presents the results of working with a client using SQUARE-Lite to develop security requirements for a financial application. (CMU/SEI-2008-SR-017)
SMART: Analyzing the Reuse Potential of Legacy Components in a Service-Oriented Architecture Environment
(June 2008) Is legacy system migration feasible for your organization as a means of SOA adoption? The Service Migration and Reuse Technique (SMART) assists an organization in determining what to migrate, the steps needed, and the costs involved. (CMU/SEI-2008-TN-008)
Proceedings of the International Workshop on the Foundations of Service-Oriented Architecture (FSOA 2007)
(June 2008) This report presents the results of the Foundations of Software-Oriented Architecture (FSOA) workshop held at the Third International Conference on Interoperability for Enterprise Software and Applications (I-ESA 2007). (CMU/SEI-2008-SR-011)
Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools
(June 2008) This report describes a study to evaluate the efficacy of the CERT Secure Coding Standards and source code analysis tools in improving the quality and security of commercial software projects. (CMU/SEI-2008-TR-014)
SoS Navigator 2.0: A Context-Based Approach to System-of-Systems Challenges
(June 2008) This 2008 report introduces the fundamental concepts, processes, and techniques of the evolving SoS Navigator approach. It also summarizes case studies that illustrate the use of SoS Navigator processes and tools in healthcare, military, and civilian government systems-of-systems contexts. (CMU/SEI-2008-TN-001)
Proceedings of the First Workshop on Service-Oriented Architectures and Product Lines
(June 2008) This 2008 report includes an overview of the First Workshop on Service-Oriented Architectures and Product Lines, four invited presentations, details of the workshops outcomes, and the workshop position papers. (CMU/SEI-2008-SR-006)
CMMI for Acquisition (CMMI-ACQ) Primer, Version 1.2
(May 2008) This primer can be used by projects that acquire products or services in government and non-government organizations to improve acquisition processes. (CMU/SEI-2008-TR-010)
The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures
(May 2008) (CMU/SEI-2008-TR-009)
Survivability Assurance for System of Systems
(May 2008) An SEI team built an analysis framework to
evaluate the quality of the linkage among roles, dependencies, constraints, and risks for critical
technology capabilities in the face of change. This report outlines the team's progress. (CMU/SEI-2008-TR-008)
Incorporating Security Quality Requirements Engineering (SQUARE) into Standard Life-Cycle Models
(May 2008) This 2008 report describes how SQUARE can be incorporated in standard life-cycle models for security-critical projects. (CMU/SEI-2008-TN-006)
Mission Diagnostic Protocol, Version 1.0: A Risk-Based Approach for Assessing the Potential for Success
(March 2008) This 2008 document describes the core set of activities and outputs that defines mission diagnostic protocol (MDP). (CMU/SEI-2008-TR-005)
Lessons Learned Applying the Mission Diagnostic
(March 2008) This technical note describes the adaptation of the Mission Diagnostic (MD) necessary for a customer and the lessons we learned from its use. (CMU/SEI-2008-TN-004)
Incident Management Mission Diagnostic Method, Version 1.0
(March 2008) This 2008 report provides a quick evaluation of the potential for success of an organization’s computer security or cyber-security incident
management capability (IMC). (CMU/SEI-2008-TR-007)
Models for Evaluating and Improving Architecture Competence
(March 2008) This report outlines the concepts of software architecture competence and describes four models for explaining, measuring, and improving the architecture competence of an individual or a software-producing organization. (CMU/SEI-2008-TR-006)
ASSIP Study of Real-Time Safety-Critical Embedded Software-Intensive System Engineering Practices
(February 2008) This report presents findings of a study of RTSCE software-intensive systems issues and develop recommendations for effectively dealing with those issues. (CMU/SEI-2008-SR-001)
Using the Vickrey-Clarke-Groves Auction Mechanism for Enhanced Bandwidth Allocation in Tactical Data Networks
(January 2008) This report describes an investigation of the potential for using computational mechanisms to improve the quality of a combat group's common operating picture, in a setting where network bandwidth is scarce. (CMU/SEI-2008-TR-004)
T-Check in Technologies for Interoperability: Web Services and Security--Single Sign-On
(January 2008) (CMU/SEI-2008-TN-026)
Moving Up the CMMI Capability and Maturity Levels Using Simulation
(January 2008) This report shows examples of how PSIM has been implemented within industry and government organizations to improve process consistency and results. (CMU/SEI-2008-TR-002)
Flow Latency Analysis with the Architecture Analysis and Design Language (AADL)
(January 2008) This 207 report describes the ability of AADL to determine a lower bound for the worst-case end-to-end latency in a system. (CMU/SEI-2007-TN-010)
Software-Intensive Systems Producibility: A Vision and Roadmap (v 0.1)
(December 2007) This 2007 document is a draft in progress of a technology vision and roadmap to improve the ability of the DoD and industry to deliver needed SiS capability in a timely, cost-effective, and predictable manner. (CMU/SEI-2007-TN-017)
Programmatic Interoperability
(December 2007) This report introduces the concept of programmatic interoperability, which is the application of principles of interoperability to the acquisition management of systems. The report also discusses the orchestration of decisions and activities that are applicable to acquisition in a system-of-systems environment. (CMU/SEI-2008-TN-012)
Basic Principles and Concepts for Achieving Quality
(December 2007) This report extends the quality concepts first articulated in "A Software Quality Framework (SQF)" developed in the early 1980s for the DoD by Baker and colleagues. (CMU/SEI-2007-TN-002)
A Survey of Systems Engineering Effectiveness: Initial Results
(November 2007) This survey quantifies the relationship between the application of systems engineering best practices to projects and the performance of those projects. (CMU/SEI-2007-SR-014)
CMMI for Acquisition, Version 1.2
(November 2007) The CMMI-ACQ model provides guidance for the application of CMMI best practices by the acquirer. (CMU/SEI-2007-TR-017)
SCAMPI Lead Appraiser Body of Knowledge (SLA BOK)
(October 2007) The SLA BOK identifies the competencies needed to carry out the method requirements and
guidelines detailed in the MDD (Method Definition Document). (CMU/SEI-2007-TR-019)
COTS and Reusable Software Management Planning: A Template for Life-Cycle Management
(October 2007) This 2007 report presents a COTS and Reusable Software Management Plan that can serve as a guide for how to manage multiple COTS and other reusable software components in complex systems. (CMU/SEI-2007-TR-011)
Process Improvement Should Link to Security: SEPG 2007 Security Track Recap
(September 2007) This document summarizes the content shared at the 2007 SEPG conference and identifies several subsequent steps underway toward strengthening those ties. (CMU/SEI-2007-TN-025)
Using ArchE in the Classroom: One Experience
(September 2007) The ArchE (Architecture Expert) tool serves as a software architecture design assistant. This report describes the use of a pre-alpha release of ArchE in a graduate-level software architecture class at Clemson University. (CMU/SEI-2007-TN-001)
Modifiability Tactics
(September 2007) This report describes how architectural tactics are based on the parameters of quality attribute models. (CMU/SEI-2007-TR-002)
Certified Binaries for Software Components
(September 2007) This report presents an approach to certify binary code against expressive policies to achieve the benefits of PCC and CMC. (CMU/SEI-2007-TR-001)
Evaluating a Service-Oriented Architecture
(September 2007) This report contains technical information about SOA design considerations and tradeoffs that can help the architecture evaluator to identify and mitigate risks in a timely and effective manner. (CMU/SEI-2007-TR-015)
Using Aspect-Oriented Programming to Enforce Architecture
(September 2007) This report illustrates how to use AOP (aspect-oriented programming) to ensure conformance to architectural design, proper use of design patterns and programming best practices, conformance to coding policies and naming conventions. (CMU/SEI-2007-TN-019)
Ranged Integers for the C Programming Language
(September 2007) This 2007 report describes an extension to the C programming language to introduce the notion of ranged integers, that is, integer types with a defined range of values. (CMU/SEI-2007-TN-027)
Governing for Enterprise Security (GES) Implementation Guide
(September 2007) This 2007 implementation guide, geared toward senior leaders, provides prescriptive guidance for creating and sustaining an enterprise security governance program. (CMU/SEI-2007-TN-020)
How To Compare the Security Quality Requirements Engineering (SQUARE) Method with Other Methods
(September 2007) This 2007 report describes SQUARE, and outlines other methods used for identifying security requirements and compares them with SQUARE. (CMU/SEI-2007-TN-021)
Dependability Modeling with the Architecture Analysis & Design Language (AADL)
(July 2007) This 2007 report explains the capabilities of the Error Model Annex and provides guidance on the use of the AADL and the error model in modeling dependability aspects of embedded system architectures. (CMU/SEI-2007-TN-043)
Modeling of System Families
(July 2007) This report discusses how AADL can be used to model system families and configurations of system and component variants. (CMU/SEI-2007-TN-047)
Results of SEI Independent Research and Development Projects FY 2006
(July 2007) This report describes the IRAD projects that were conducted during fiscal year 2006 (October 2005 through September 2006). (CMU/SEI-2007-TR-006)
Introduction to the Architecture of the CMMI Framework
(July 2007) This 2007 document is an introduction to the CMMI Framework architecture, which guides how CMMI products are developed and integrated. (CMU/SEI-2007-TN-009)
Developing AADL Models for Control Systems: A Practitioner's Guide
(July 2007) This 2007 document helps practitioners use AADL and describes an approach for and the mechanics of constructing an architectural model that can be analyzed based on the AADL. (CMU/SEI-2007-TR-014)
Progress Toward an Organic Software Architecture Capability in the U.S. Army
(July 2007) This 2007 report describes the Software Architecture Initiative of the Army Strategic Software Improvement Program. (CMU/SEI-2007-TR-010)
Case Study: Accelerating Process Improvement by Integrating the TSP and CMMI
(June 2007) This report describes how two NAVAIR organizations integrated the use of the TSP methodology and the CMM framework to progress from maturity level 1 to maturity level 4 in 30 months. (CMU/SEI-2007-TR-013)
Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process
(May 2007) This 2007 report highlights the design considerations and requirements for OCTAVE Allegro based on field experience with existing OCTAVE methods. (CMU/SEI-2007-TR-012)
Introducing the CERT Resiliency Engineering Framework: Improving the Security and Sustainability Processes
(May 2007) This report explores the transformation of the disciplines of security and business continuity into processes designed to support and sustain operational resiliency. (CMU/SEI-2007-TR-009)
Quality-Attribute-Based Economic Valuation of Architectural Patterns
(May 2007) This 2007 report shows how an analysis of the options embodied within architectural patterns allows a software and system architect or manager to make reasoned choices about the future value of design decisions, considering this value along multiple quality attribute dimensions. (CMU/SEI-2007-TR-003)
Incident Management Capability Metrics Version 0.1
(May 2007) This document presents metrics to provide a baseline or benchmark of incident management practices. (CMU/SEI-2007-TR-008)
T-Check for Technologies for Interoperability: Open Grid Services Architecture (OGSA): Part 1
(May 2007) (CMU/SEI-2007-TN-016)
+SAFE, V1.2: A Safety Extension to CMMI-DEV, V1.2
(May 2007) This technical report describes how to use +SAFE to appraise an organization's capability in developing, sustaining, maintaining, and managing safety-critical products. (CMU/SEI-2007-TN-006)
Modeling and Analysis of Information Technology Change and Access Controls in the Business Context
(March 2007) This report presents an overview of CERT progress in developing a system dynamics
model of organizations’ typical use of change and access controls to support IT
operations. (CMU/SEI-2006-TN-040)
Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks
(March 2007) This 2006 report describes the MERIT insider threat model and simulation results. (CMU/SEI-2006-TN-041)
Understanding and Leveraging a Supplier's CMMI Efforts: A Guidebook for Acquirers
(March 2007) (CMU/SEI-2007-TR-004)
Global Information Grid Survivability: Four Studies
(March 2007) Four studies from 2006 that explore an issue relevant to the survivability of networks which are systems of systems. (CMU/SEI-2006-SR-008)
Executive Overview of SEI MOSAIC: Managing for Success Using a Risk-Based Approach
(March 2007) This 2007 report provides an overview of the concepts and foundations of MOSAIC, a suite of advanced, risk-based analysis methods for assessing complex, distributed programs, processes, and information-technology systems. (CMU/SEI-2007-TN-008)
A Practical Example of Applying Attribute-Driven Design (ADD), Version 2.0
(February 2007) This 2007 report describes an example application of the ADD method, an approach to defining a software architecture in which the design process is based on the quality attribute requirements the software must fulfill. (CMU/SEI-2007-TR-005)
A Proposed Taxonomy for Software Development Risks for High-Performance Computing (HPC) Scientific/Engineering Applications
(February 2007) This report classifies the sources of software development risk for scientific/engineering applications. (CMU/SEI-2006-TN-039)
Conditions for Achieving Network-Centric Operations in Systems of Systems
(January 2007) This 2007 report lists conditions that must prevail to achieve effective acquisition, development, and use of systems of systems. (CMU/SEI-2007-TN-003)
Case Study of the NENE Code Project
(January 2007) This report outlines the case studies of high-performance code development projects. This is the fifth case study in this series. (CMU/SEI-2006-TN-044)
Interpreting Capability Maturity Model Integration (CMMI) for Business Development Organizations in the Government and Industrial Business Sectors
(January 2007) This 2007 interpretation of CMMI best practices is for business development activities applicable to contractors doing business within the government (Department of Defense) and industrial business sectors. (CMU/SEI-2007-TN-004)
The State of Software Measurement Practice: Results of 2006 Survey
(December 2006) This paper reports the results of a February 2006 study to gauge the state of the practice in software measurement. (CMU/SEI-2006-TR-009)
Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis
(December 2006) This report examines the psychological, technical, organizational, and contextual factors thought to contribute to espionage and insider sabotage against critical IT systems. (CMU/SEI-2006-TR-026)
Technology Foundations for Computational Evaluation of Software Security Attributes
(December 2006) (CMU/SEI-2006-TR-021)
Army ASSIP System-of-Systems Test Metrics Task
(November 2006) This report contains presents the results of an effort to improve the acquisition of software-intensive systems by focusing on acquisition programs, people, and production/sustainment and by institutionalizing continuous improvement. (CMU/SEI-2006-SR-011)
Schedule Considerations for Interoperable Acquisition
(November 2006) This 2006 report examines the issue of schedule considerations for interoperable acquisition. (CMU/SEI-2006-TN-035)
Attribute-Driven Design (ADD), Version 2.0
(November 2006) This report revises the steps of the Attribute-Driven Design (ADD) method and offers practical guidelines for carrying out each step. (CMU/SEI-2006-TR-023)
System-of-Systems Governance: New Patterns of Thought
(October 2006) (CMU/SEI-2006-TN-036)
An Examination of a Structural Modeling Risk Probe Technique
(October 2006) This report examines a structural dynamic analysis modeling technique called Projective ANalysis that was used on an interoperability technical probe of a NATO modernization program. (CMU/SEI-2006-SR-017)
Topics in Interoperability: Structural Programmatics in a System of Systems
(October 2006) (CMU/SEI-2006-TN-037)
Assume-Guarantee Reasoning for Deadlock
(September 2006) This report shows how L^F can be used for compositional regular failure language containment and deadlock detection, using non-circular and circular assume-guarantee rules. (CMU/SEI-2006-TN-028)
Interoperable Acquisition for Systems of Systems: The Challenges
(September 2006) This 2006 report explores how systems-of-systems realities necessitate changes in the processes used to acquire, develop, field, and sustain operational capability. (CMU/SEI-2006-TN-034)
Defense-in-Depth: Foundations for Secure and Resilient Enterprises
(September 2006) Materials from the 2006 Defense-in-Depth Foundational Curriculum course are useful for system administrators and IT security personnel who would like to step up to the
management level. (CMU/SEI-2006-HB-003)
Evolutionary Systems Design: Recognizing Changes in Security and Survivability Risks
(September 2006) This 2006 report contains an example that illustrates the critical importance of recognizing the need for evolutionary design changes in secure and survivable systems. (CMU/SEI-2006-TN-027)
Risk Themes Discovered Through Architecture Evaluations
(September 2006) This 2006 report analyzes the output of 18 evaluations conducted using the Architecture Tradeoff Analysis (ATAM). The goal of the analysis was to find patterns in the risk themes identified during those evaluations. (CMU/SEI-2006-TR-012)
Certifying the Absence of Buffer Overflows
(September 2006) This report presents a technique for certifying the safety of buffer manipulations in C programs. (CMU/SEI-2006-TN-030)
Quantitative Methods for Software Selection and Evaluation
(September 2006) This 2006 report describes methods for selecting candidate commercial off-the-shelf packages for further evaluation, possible methods for evaluation, and other factors besides requirements to be considered. (CMU/SEI-2006-TN-026)
Workshop on Model-Driven Architecture and Program Generation
(September 2006) This report summarizes the results of a June 2006 workshop, held to explore business and technical aspects of program generation in the context of the Object Management Group's model-driven architecture development approach. (CMU/SEI-2006-TN-031)
Proceedings of the Second Software Architecture Technology User Network (SATURN) Workshop
(September 2006) This report describes the second SATURN workshop format, discussion, and results, as well as plans for future SATURN workshops. (CMU/SEI-2006-TR-010)
CMMI for Development, Version 1.2
(August 2006) This report is an upgrade of CMMI-SE/SW/IPPD/SS, Version 1.1 and represents the model portion of the CMMI Product Suite. (CMU/SEI-2006-TR-008)
Systems of Systems: Scaling Up the Development Process
(August 2006) (CMU/SEI-2006-TR-017)
A Comparison of Requirements Specification Methods from a Software Architecture Perspective
(August 2006) In this report, five methods for the elicitation and expression of requirements are evaluated with respect to their ability to capture architecturally significant requirements. (CMU/SEI-2006-TR-013)
Techniques for Developing an Acquisition Strategy by Profiling Software Risks
(August 2006) (CMU/SEI-2006-TR-002)
Performance Results of CMMI-Based Process Improvement
(August 2006) This report summarizes the performance results that can occur as a consequence of CMMI-based process improvement. Ten case studies are also presented in which organizations have achieved notable results using CMMI. (CMU/SEI-2006-TR-004)
Appraisal Requirements for CMMI, Version 1.2 (ARC, V1.2)
(August 2006) The report defines the Appraisal Requirements for CMMI (ARC) V1.2 requirements that are considered to be essential to appraisal methods intended for use with Capability Maturity Model Integration (CMMI) models. (CMU/SEI-2006-TR-011)
Risk Management Considerations for Interoperable Acquisition
(August 2006) This report addresses interoperable risk management: the interoperability of organizations that engage in risk management in the context of a system of systems. (CMU/SEI-2006-TN-032)
Standard CMMI Appraisal Method for Process Improvement (SCAMPI) A, Version 1.2: Method Definition Document
(August 2006) This 2006 report provides benchmark quality ratings relative to Capability Maturity Model Integration (CMMI) models. (CMU/SEI-2006-HB-002)
QUASAR: A Method for the Quality Assessment of Software-Intensive System Architectures
(July 2006) This 2006 handbook documents the QUASAR (QUality Assessment of System ARchitectures) method for assessing the quality of the architecture of a software-intensive system. (CMU/SEI-2006-HB-001)
Adapting CMMI for Acquisition Organizations: A Preliminary Report
(June 2006) This 2006 document presents the initial draft CMMI-ACQ, which adapts CMMI for acquisition organizations. (CMU/SEI-2006-SR-005)
Model Problems in Technologies for Interoperability: Web Services
(June 2006) This 2006 report presents the results of applying the model problem approach in an initial investigation of the potential of Web services to enable interoperability. (CMU/SEI-2006-TN-021)
Joint Capabilities and System-of-Systems Solutions: A Case for Crossing Solution Domains
(June 2006) This 2006 report presents a case for the investigation and adaptation of structural and dynamic modeling techniques to the engineering of systems of systems. (CMU/SEI-2006-TN-029)
Specifying Initial Design Review (IDR) and Final Design Review (FDR) Criteria
(June 2006) This 2006 report presents definitions of IDR and FDR, their context in the acquisition life cycle, a comparison of engineering emphasis during IDR and FDR, IDR and FDR pre- and post-conditions, and IDR and FDR criteria and how to apply it. (CMU/SEI-2006-TN-023)
Information Assurance: Building Educational Capacity
(June 2006) This 2006 report describes SEI and CERT Program efforts to increase the capacity of institutions of higher education to offer IA and IS courses. (CMU/SEI-2006-SR-007)
Security Quality Requirements Engineering (SQUARE): Case Study Phase III
(May 2006) In this report, we describe our experience using the SQUARE process with three clients during
the summer of 2005. (CMU/SEI-2006-SR-003)
Applying OCTAVE: Practitioners Report
(May 2006) This document describes how the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method has been used and tailored to fit a wide range of organizational risk assessment needs. (CMU/SEI-2006-TN-010)
PROxy Based Estimation (PROBE) for Structured Query Language (SQL)
(May 2006) This 2006 report outlines a method for applying the PROxy Based Estimation (PROBE) technique to Structured Query Language (SQL). (CMU/SEI-2006-TN-017)
Sustaining Software-Intensive Systems
(May 2006) This report, published in 2006, discusses questions about sustaining new and legacy systems; the report presents definitions, related issues, future considerations, and recommendations for sustaining software-intensive systems. (CMU/SEI-2006-TN-007)
Model Problems in Technologies for Interoperability: OWL Web Ontology Language for Services (OWL-S)
(April 2006) This 2006 report presents the results of applying the model problem approach to examine the feasibility of using OWL-S to allow applications to automatically discover, compose, and invoke services in a dynamic services-oriented environment. (CMU/SEI-2006-TN-018)
System-of-Systems Navigator: An Approach for Managing System-of-Systems Interoperability
(April 2006) (CMU/SEI-2006-TN-019)
Autonomic Computing
(April 2006) This report examines selected aspects of autonomic computing and explores some of the strengths and weaknesses of that technology. (CMU/SEI-2006-TN-006)
Common Elements of Risk
(April 2006) This 2006 report explores the questions, "What constitutes risk?" and "What factors put operational missions at risk?" (CMU/SEI-2006-TN-014)
Detecting Scans at the ISP Level
(April 2006) This 2006 report presents an approach to detecting scans against, or passing through, very large networks. (CMU/SEI-2006-TR-005)
Sustaining Operational Resiliency: A Process Improvement Approach to Security Management
(April 2006) This report, published in 2006, describes the fundamental elements and benefits of a process approach to security and operational resiliency and provides a notional view of a framework for process improvement. (CMU/SEI-2006-TN-009)
On System Scalability
(March 2006) This 2006 report presents an analysis of what is meant by scalability and a description of factors to be considered when assessing the potential for system scalability. (CMU/SEI-2006-TN-012)
Product Line Acquisition in a DoD Organization—Guidance for Decision Makers
(March 2006) This 2006 report chronicles the decisions a program manager might face in considering the adoption of a product line approach. (CMU/SEI-2006-TN-020)
Mapping TSP to CMMI
(March 2006) This 2004 report provides an essential element to facilitate the adoption of the TSP in organizations using CMMI, namely, a mapping of ideal TSP practices into the specific and generic practices of CMMI. (CMU/SEI-2004-TR-014)
R2PL 2005 Proceedings of the First International Workshop on Reengineering Towards Product Lines
(March 2006) This 2006 report contains the proceedings from the First International Workshop on Reengineering Towards Product Lines (R2PL) 2005, which was held in November 2005. (CMU/SEI-2006-SR-002)
Toward Measures for Software Architectures
(March 2006) This report describes the results of a preliminary investigation into measures for software architecture. (CMU/SEI-2006-TN-013)
An Emergent Perspective on Interoperation in Systems of Systems
(March 2006) This 2006 report facilitates discussion and reasoning about interoperation within systems of systems by showing some of the interdependencies among systems, emergence, and interoperation. (CMU/SEI-2006-TR-003)
Requirements Management in a System-of-Systems Context: A Workshop
(March 2006) This 2006 report summarizes the results of a workshop focused on requirements management in a system of systems. (CMU/SEI-2006-TN-015)
Acquiring Evolving Technologies: Web Services Standards
(March 2006) This technical note discusses some of the challenges of using Web services standards and presents the results generated by an assessment tool used to track the appropriateness of using this technology. (CMU/SEI-2006-TN-001)
SAT-Based Software Certification
(February 2006) This 2006 report presents a technique that uses proofs to certify software. (CMU/SEI-2006-TN-004)
The Architecture Analysis & Design Language (AADL): An Introduction
(February 2006) (CMU/SEI-2006-TN-011)
Proceedings of the First International Research Workshop for Process Improvement in Small Settings, 2005
(January 2006) This 2006 report includes papers from the Proceedings of the First International Research Workshop for Process Improvement in Small Settings workshop, and presents conclusions and next steps for process improvement in small settings. (CMU/SEI-2006-SR-001)
Handbook for Conducting Standard CMMI Appraisal Method for Process Improvement (SCAMPI) B and C Appraisals, Version 1.1
(January 2006) This 2005 document defines the boundaries of tailoring and provides guidance for the application of the SCAMPI B and SCAMPI C methods. (CMU/SEI-2005-HB-005)
Software Acquisition Planning Guidelines
(December 2005) This 2005 handbook presents guidance for acquisition planning and strategy topics in a condensed form, and references the primary resources available for each topic. (CMU/SEI-2005-HB-006)
Relationships Between CMMI and Six Sigma
(December 2005) (CMU/SEI-2005-TN-005)
Secure Software Development Life Cycle Processes: A Technology Scouting Report
(December 2005) (CMU/SEI-2005-TN-024)
Categorizing Business Goals for Software Architectures
(December 2005) This report provides a categorization of possible business goals for software-intensive systems, so that individuals have some guidance in the elicitation, expression, and documentation of business goals. (CMU/SEI-2005-TR-021)
Results of SEI Independent Research and Development Projects and Report on Emerging Technologies and Technology Trends
(December 2005) This report describes the IR&D projects that were conducted during fiscal year 2005 (October 2004 through September 2005). In addition, this report provides information on what the SEI has learned in its role as a technology scout for developments over the past year in the field of software engineering. (CMU/SEI-2005-TR-020)
CERT Function Extraction Experiment: Quantifying FX Impact on Software Comprehension and Verification, The
(December 2005) This report describes the results of a controlled experiment that was performed to compare traditional manual methods of comprehension with automated behavior computation using an FX prototype. (CMU/SEI-2005-TN-047)
Verification of Evolving Software via Component Substitutability Analysis
(December 2005) This 2005 report describes the application of the SEI Architecture Tradeoff Analysis Method (ATAM) to the U.S. Army's Warfighter Information Network-Tactical (WIN-T) system. (CMU/SEI-2005-TR-008)
Case Study: Accelerating Process Improvement by Integrating the TSP and CMMI (2005)
(December 2005) This report describes how two NAVAIR organizations integrated the use of the Team Software Process methodology and the CMM framework to progress from Maturity Level 1 to Maturity Level 4 in 30 months. (CMU/SEI-2005-SR-012)
Security Quality Requirements Engineering
(November 2005) This 2005 report presents the Security Quality Requirements (SQUARE) Methodology for eliciting and prioritizing security requirements in software development projects (CMU/SEI-2005-TR-009)
Software Product Lines: Experience from the Eighth DoD Software Product Line Workshop
(November 2005) This 2008 report includes an overview of the First Workshop on Service-Oriented Architectures and Product Lines, workshop position papers, and more. (CMU/SEI-2005-TR-023)
Topics in Interoperability: Concepts of Ownership and Their Significance in Systems of Systems
(November 2005) (CMU/SEI-2005-TN-046)
Topics in Interoperability: Infrastructure Replacement in a System of Systems
(November 2005) (CMU/SEI-2005-TN-031)
Safety-Critical Systems and the TSP
(November 2005) This 2005 report provides a brief overview of recent work in software safety, discusses the problems and implications of using the TSP for developing safety-critical systems, and presents some conclusions. (CMU/SEI-2005-TN-011)
U.S. Army Acquisition: The Program Office Perspective
(November 2005) (CMU/SEI-2005-SR-014)
Software Vulnerabilities in Java
(October 2005) This report briefly describes these potential software vulnerabilities in Java version 5. (CMU/SEI-2005-TN-044)
Building Information Assurance Educational Capacity: Pilot Efforts to Date
(September 2005) This report describes efforts by the SEI to increase the capacity of institutions of higher education to offer IA and IS courses, to expand existing IA and IS offerings, and to include IA and IS topics and perspectives in other courses. (CMU/SEI-2005-SR-009)
Designing an Effective Survey
(September 2005) This 2005 document presents a seven-stage, end-to-end process for conducting a survey. (CMU/SEI-2005-HB-004)
Proceedings of the First Software Architecture Technology User Network (SATURN) Workshop
(September 2005) This report describes the format, discussion, and results of the first SATURN workshop, and outlines the plans for future SATURN workshops. (CMU/SEI-2005-TN-037)
Integrated Diagnostics: Operational Missions, Diagnostic Types, Characteristics, and Capability Gaps
(September 2005) This 2005 report attempts to fill in these gaps in knowledge and experience by presenting an overview of the operational diagnostic life cycle of a system. (CMU/SEI-2005-TN-035)
Lessons Learned Model Checking an Industrial Communications Library
(September 2005) This 2005 report describes the application of a reasoning framework to the design of an industrial communications library and the problems that were found. (CMU/SEI-2005-TN-039)
Mission Assurance Analysis Protocol (MAAP): Assessing Risk in Complex Environments
(September 2005) This 2005 report presents the concepts and underlying theories behind the Mission Assurance Analysis Protocol (MAAP), highlights results from early piloting of the technique, and outlines future research directions. (CMU/SEI-2005-TN-032)
First Responders Guide to Computer Forensics: Advanced Topics
(September 2005) This 2005 handbook covers technical operations and is designed for experienced security/network professionals who already have a fundamental understanding of forensic methodology. (CMU/SEI-2005-HB-003)
Elements of a Usability Reasoning Framework
(September 2005) This note describes an ARL implementation of two usability scenarios: displaying progress feedback and allowing cancel. (CMU/SEI-2005-TN-030)
Experience Using the Web-Based Tool Wiki for Architecture Documentation
(September 2005) This 2005 report discusses the benefits and challenges of using a wiki-based collaborative environment to create software architecture documentation. (CMU/SEI-2005-TN-041)
Exploring Programmatic Interoperability: Army Future Force Workshop
(September 2005) This report documents the proceedings of the Future Force Workshop held at the SEI in 2004. (CMU/SEI-2005-TN-042)
SMART: The Service-Oriented Migration and Reuse Technique
(September 2005) (CMU/SEI-2005-TN-029)
A Taxonomy of Operational Risks
(September 2005) This report presents a taxonomy-based method for identifying and classifying risks to operational aspects of an enterprise. (CMU/SEI-2005-TN-036)
SAT-Based Predicate Abstraction of Programs
(September 2005) This note presents technical details of a SAT-based predicate abstraction technique used in ComFoRT (component formal reasoning technology). (CMU/SEI-2005-TR-006)
Preparing for Automated Derivation of Products in a Software Product Line
(September 2005) This 2005 report provides an end-to-end view of the activities that are needed to support the automatic derivation of products within a software product line. (CMU/SEI-2005-TR-017)
The U.S. Army's Common Avionics Architecture System (CAAS) Product Line: A Case Study
(September 2005) This report offers a case study of organizations that have adopted a software product line approach for developing a family of software-intensive systems. (CMU/SEI-2005-TR-019)
QuARS: A Tool for Analyzing Requirement
(September 2005) This 2005 report describes a disciplined method and a related automated tool that can be used for the analysis of natural language requirements documents. (CMU/SEI-2005-TR-014)
Using the SEI Architecture Tradeoff Analysis Method to Evaluate WIN-T: A Case Study
(September 2005) This report describes the application of the SEI ATAM (Architecture Tradeoff Analysis Method) to the U.S. Army's Warfighter Information Network-Tactical (WIN-T) system. (CMU/SEI-2005-TN-027)
Variability in Software Product Lines
(September 2005) This 2005 report by Felix Bachmann and Paul C. Clements describes the concepts needed when creating core assets with included variability. (CMU/SEI-2005-TR-012)
Quality Attributes and Service-Oriented Architectures
(September 2005) This report examines the relationship between service-oriented architectures (SOAs) and quality attributes. (CMU/SEI-2005-TN-014)
Using Containers to Enforce Smart Constraints for Performance in Industrial Systems
(August 2005) (CMU/SEI-2005-TN-040)
Some Current Approaches to Interoperability
(August 2005) This 2005 report examines some of the complexities of interoperability and some recent research approaches to achieving it. (CMU/SEI-2005-TN-033)
Self-Assessment and the CMMI-AM--A Guide for Government Program Managers
(August 2005) This 2005 report provides program managers with general information about the CMMI-AM, details about the self-assessment technique, and the questions used in a self-assessment. (CMU/SEI-2005-TN-004)
Personal Software Process (PSP) Body of Knowledge, Version 1.0, The
(August 2005) (CMU/SEI-2005-SR-003)
Comparing the SEI's Views and Beyond Approach for Documenting Software Architectures with ANSI-IEEE 1471-2000
(July 2005) This report summarizes the V&B and 1471 approaches to architecture description, and shows how a software architecture document prepared using V&B can be made compliant with 1471. (CMU/SEI-2005-TN-017)
Product Line Adoption in a CMMI Environment
(July 2005) This 2005 technical note addresses product line adoption in the context of an organization that is using the CMMI models to guide its process improvement effort. (CMU/SEI-2005-TN-028)
Designing for Reuse of Configurable Logic
(July 2005) This 2005 report provides an overview of a generic FPGA firmware design process and identifies the resulting work products that may be suitable for reuse in future development efforts. (CMU/SEI-2005-TR-016)
Impact of Function Extraction Technology on Next-Generation Software Engineering, The
(July 2005) This 2005 report summarizes FX research and development and investigates the impact of FX on software engineering. (CMU/SEI-2005-TR-015)
Reasoning Frameworks
(July 2005) This report describes a vehicle for encapsulating the quality attribute knowledge needed to understand a system's quality behavior as a reasoning framework that can be used by nonexperts. (CMU/SEI-2005-TR-007)
Using Earned Value Management (EVM) in Spiral Development
(June 2005) (CMU/SEI-2005-TN-016)
Governing for Enterprise Security
(June 2005) This 2005 report examines governance thinking, principles, and approaches and applies them to the subject of enterprise security. (CMU/SEI-2005-TN-023)
Information Asset Profiling
(June 2005) This 2005 report describes IAP, a documented and repeatable process for developing consistent asset profiles. (CMU/SEI-2005-TN-021)
A Process for Context-Based Technology Evaluation
(June 2005) This report describes a process called context-based evaluation that determines the fitness of a technology within a specific context. (CMU/SEI-2005-TN-025)
Report on Annual Regional Information Assurance Symposia
(June 2005) (CMU/SEI-2005-SR-007)
Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector
(June 2005) This 2004 report outlines the ITS, a study of insider incidents to examine actual cases identified through public reporting or as a computer fraud case investigated by the Secret Service. (CMU/SEI-2004-TR-021)
System Quality Requirements Engineering (SQUARE): Case Study on Asset Management System, Phase II
(May 2005) (CMU/SEI-2005-SR-005)
Model Problems in Technologies for Interoperability: Model-Driven Architecture
(May 2005) This 2005 report looks at Model-Driven Architecture (MDA) as one of many technologies for
accomplishing interoperability. (CMU/SEI-2005-TN-022)
CMMI Acquisition Module (CMMI-AM), Version 1.1
(May 2005) This report documents acquisition practices that should be performed by government acquisition projects acquiring systems or services. (CMU/SEI-2005-TR-011)
Pin Component Technology (V1.0) and Its C Interface
(April 2005) This 2005 report describes the main concepts of Pin and documents the C-language interface to Pin V1.0. (CMU/SEI-2005-TN-001)
Robustness Testing of Software-Intensive Systems: Explanation and Guide
(April 2005) This 2005 technical note provides guidance and procedures for performing robustness testing as part of DoD or federal acquisition programs that have a software component. (CMU/SEI-2005-TN-015)
Eliciting and Analyzing Quality Requirements: Management Influences on Software Quality Requirements
(March 2005) This 2005 report documents the ways in which the organizational and project management environment for system development can support or reject improved quality requirements elicitation mechanisms. (CMU/SEI-2005-TN-010)
U.S. Army Acquisition: The Program Executive Officer Perspective
(March 2005) (CMU/SEI-2005-SR-002)
First Responders Guide to Computer Forensics
(March 2005) This 2005 handbook targets performing basic forensic data collection. a critical training gap in the fields of information security, computer forensics, and incident response. (CMU/SEI-2005-HB-001)
Software Product Lines: Experiences from the Seventh DoD Software Product Line Workshop
(March 2005) This 2005 report summarizes discussions and presentations from the Seventh Department of Defense (DoD) Product Line Practice Workshop. (CMU/SEI-2005-TR-001)
Software Process Improvement Journey: IBM Australia Application Management Services
(March 2005) This 2004 report describes the history and experiences of the process improvement initiatives that transformed the AMS Australia organization. (CMU/SEI-2005-TR-002)
Including Interoperability in the Acquisition Process
(March 2005) This 2005 report explores achieving interoperability in the acquisition process. (CMU/SEI-2005-TR-004)
Topics in Interoperability: System-of-Systems Evolution
(March 2005) (CMU/SEI-2005-TN-002)
Software Architecture in DoD Acquisition: An Approach and Language for a Software Development Plan
(February 2005) This report discusses the Software Development Plan (SDP), providing an example approach and corresponding SDP language that enable software architecture to play a central role in the technical and organizational management of a software development effort. (CMU/SEI-2005-TN-019)
Software Architecture in DoD Acquisition: A Reference Standard for a Software Architecture Document
(February 2005) This 2005 report provides an example reference standard for a Software Architecture Document (SAD). (CMU/SEI-2005-TN-020)
The Structured Intuitive Model for Product Line Economics (SIMPLE)
(February 2005) This 2005 report presents SIMPLE, a general-purpose business model that supports the estimation of the costs and benefits in a product line development organization. (CMU/SEI-2005-TR-003)
Interpreting SCAMPI for a People CMM Appraisal at Tata Consultancy Services
(February 2005) This 2005 report includes the draft interpretation guide used for four mini-appraisal pilots and the final enterprise-wide Class A appraisal at Tata Consultancy Services (TCS). (CMU/SEI-2005-SR-001)
Structured Approach to Classifying Security Vulnerabilities, A
(January 2005) This 2005 report proposes a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities. (CMU/SEI-2005-TN-003)
OCTAVE-S Implementation Guide, Version 1
(January 2005) This 2004 report provides the detailed guidelines for
conducting an OCTAVE-S evaluation. (CMU/SEI-2004-HB-003)
Systems Quality Requirements Engineering (SQUARE) Methodology: Case Study on Asset Management System
(December 2004) (CMU/SEI-2004-SR-015)
Managing for Enterprise Security
(December 2004) This 2004 report itemizes characteristics of common approaches to security that limit effectiveness and success. (CMU/SEI-2004-TN-046)
CMMI-Based Professional Certifications: The Competency Lifecycle Framework
(December 2004) This report describes how a competency life-cycle framework can be used as the basis for the CMMI-based professional certifications. (CMU/SEI-2004-SR-013)
Rapid Integration Tools for Rapid Application Development A Case Study on Legacy Integration
(December 2004) (CMU/SEI-2004-TR-023)
Discovering Architectures from Running Systems: Lessons Learned
(December 2004) This report describes a technique that uses automatically generated runtime observations of an executing system to construct an architectural view of the system. (CMU/SEI-2004-TR-016)
Promising Technologies for Future Systems
(December 2004) This 2004 report presents of a few of the many programs, technologies, and research efforts that are addressing the challenges faced by future systems. (CMU/SEI-2004-TN-043)
Approaches to Constructive Interoperability
(December 2004) This report outlines several approaches to constructing systems of systems that have interoperability requirements, with respect to syntactic and semantic interoperability. (CMU/SEI-2004-TR-020)
SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies
(November 2004) This 2004 report describes a general framework for hierarchical cost/benefit analysis aimed at providing acceptable estimations for small companies in their information security improvement projects. (CMU/SEI-2004-TN-045)
CMMI Interpretive Guidance Project: What We Learned
(October 2004) This report summarizes the results of the Capability Maturity Model Integration (CMMI) Interpretive Guidance Project, and summarizes and analyzes 7500 comments received regarding CMMI adoption that were reported by CMMI users and potential users. (CMU/SEI-2004-SR-008)
Defining Incident Management Processes for CSIRTs: A Work in Progress
(October 2004) This report presents a prototype best practice model for performing incident management processes and functions. (CMU/SEI-2004-TR-015)
Illuminating Patterns of Perception: An Overview of Q Methodology
(October 2004) This 2004 technical note describes ways for applying Q methodology, a research method with a proven history for illuminating agreement and differences among individual and group perceptions, to assist software engineering processes. (CMU/SEI-2004-TN-026)
Results of SEI Independent Research and Development Projects and Report on Emerging Technologies and Technology Trends (FY 2004)
(October 2004) This report describes the IR&D projects that were conducted during fiscal year 2004 (October 2003 through September 2004). In addition, this report provides information on what the SEI has learned in its role as a technology scout for developments over the past year in the field of software engineering. (CMU/SEI-2004-TR-018)
Software Product Line Adoption Roadmap
(September 2004) This 2004 report introduces the Adoption Factory pattern, which provides a generic roadmap to guide a manageable, phased product line adoption strategy. (CMU/SEI-2004-TR-022)
Risk Based Diagnostics
(September 2004) The SEI has constructed a tentative "roadmap" for personnel involved in the systems and software acquisition community. This report describes the characteristics that determine whether a risk diagnostic method qualifies for the roadmap. (CMU/SEI-2004-TN-013)
Roadmap of Risk Diagnostic Methods: Developing an Integrated View of Risk Identification and Analysis Techniques, A
(September 2004) (CMU/SEI-2004-TN-002)
Security and Survivability Reasoning Frameworks and Architectural Design Tactics
(September 2004) The SEI approach to disciplined software architecture design includes a collection of quality attribute reasoning frameworks. This 2004 report is an initial attempt to use the same method for the related quality attributes of security and survivability. (CMU/SEI-2004-TN-022)
Software Component Certification: 10 Useful Distinctions
(September 2004) This 2004 report discusses 10 useful distinctions that can help in understanding different aspects of certification in the context of software components. (CMU/SEI-2004-TN-031)
Software Process Improvement and Product Line Practice: Building on Your Process Improvement Infrastructure
(September 2004) This 2004 report describes how a process improvement infrastructure can provide a foundation for product line adoption. (CMU/SEI-2004-TN-044)
Integrating Software-Architecture-Centric Methods into Extreme Programming (XP)
(September 2004) The report presents a summary of XP (Extreme Programming) and examines the potential uses of the SEI's architecture-centric methods. (CMU/SEI-2004-TN-036)
Applications of the Indicator Template for Measurement and Analysis
(September 2004) This report presents guidance for utilizing an indicator template – a SEI-developed tool to describe an indicator's construction, interpretation, and how it can be best utilized. (CMU/SEI-2004-TN-024)
Creating and Using Software Architecture Documentation Using Web-Based Tool Support
(September 2004) This report describes a design prototype that demonstrates a web-based approach to creating, communicating, and using software architecture throughout the life of the system. (CMU/SEI-2004-TN-037)
Performance Property Theories for Predictable Assembly from Certifiable Components (PACC)
(September 2004) (CMU/SEI-2004-TR-017)
Code of Professional Conduct for SEI Services, Version 1.0
(September 2004) This report provides a set of expectations and practices for those operating under license or other applicable agreement with Carnegie Mellon University, acting through its Software Engineering Institute. (CMU/SEI-2004-SR-009)
Benefits of Improvement Efforts
(September 2004) This special report surveys the process improvement efforts undertaken by programs and projects that incorporate software-intensive systems. (CMU/SEI-2004-SR-010)
Assumptions Management in Software Development
(August 2004) This technical note explores assumptions management as a method for improving software quality. (CMU/SEI-2004-TN-021)
A Model Problem for an Open Robotics Controller
(July 2004) This report describes the model problem created to support the continued enhancement and development of the PECT reasoning frameworks for an industrial trial in the domain of industrial robotics. (CMU/SEI-2004-TN-030)
Integrating Software-Architecture-Centric Methods into the Rational Unified Process
(July 2004) This report presents a summary of the RUP (Rational Unified Process) and examines the potential uses of the SEI's architecture-centric methods. (CMU/SEI-2004-TR-011)
Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management, The
(July 2004) This report describes the critical success factor method and presents various theories and experience in applying it to enterprise security management. (CMU/SEI-2004-TR-010)
Integrating the Quality Attribute Workshop (QAW) and the Attribute-Driven Design (ADD) Method
(July 2004) This technical note reports on a proposal to integrate the SEI Quality Attribute Workshop (QAW) and the SEI Attribute-Driven Design (ADD) method. (CMU/SEI-2004-TN-017)
A Process for COTS Software Product Evaluation
(July 2004) This 2003 report focuses on COTS product evaluations conducted for the purpose of selecting products to meet a known need in a system. (CMU/SEI-2003-TR-017)
Embedded Systems Architecture Analysis Using SAE AADL
(June 2004) This 2004 report discusses the role and benefits of using the AADL in the process of analyzing an existing avionics system. (CMU/SEI-2004-TN-005)
Dependability Cases
(May 2004) This 2004 report explains how to create a dependability case for a system that helps identify and keep track of details of large systems. (CMU/SEI-2004-TN-016)
Case Study: A Measurement Program for Product Lines
(May 2004) This report documents NUWC's approach for measurement by describing the Goal-Driven Software Measurement approach and providing early results of the measurement program. (CMU/SEI-2004-TN-023)
Survivable Functional Units: Balancing an Enterprise's Mission and Technology
(May 2004) This 2004 report describes a way to think about enterprise networks and is intended to
aid system administrators so that they can more easily see how technology supports the enterprise’s mission. (CMU/SEI-2004-TN-004)
Advanced Engineering Environments for Small Manufacturing Enterprises: Volume II
(May 2004) This report documents the Self-Assessment Tool for Engineering Environments (SAT-EE) and the Self-Assessment Tool for Engineering Tool Capabilities (SAT-ETC). (CMU/SEI-2004-TR-007)
Selecting Advanced Software Technology in Two Small Manufacturing Enterprises
(May 2004) This 2003 report documents two small manufacturing enterprises’ (SMEs’) efforts to select
advanced software technologies for their business operations. (CMU/SEI-2003-TN-020)
Overview of ComFoRT: A Model Checking Reasoning Framework
(April 2004) This 2004 report describes ComFoRT, a reasoning framework that packages the effectiveness of state-of-the-art model checking in a form that enables users to apply the analysis technique without being experts in its use, and its incorporation in a PECT. (CMU/SEI-2004-TN-018)
Measuring Systems Interoperability: Challenges and Opportunities
(April 2004) This 2004 report presents best practices for measuring systems interoperability and assisting military planners in the acquisition, development, and implementation of interoperable C4I systems. (CMU/SEI-2004-TN-003)
Documenting Component and Connector Views with UML 2.0
(April 2004) This 2004 report explores how changes in UML 2.0 affect UML's suitability for documenting component and connector views. (CMU/SEI-2004-TR-008)
System of Systems Interoperability (SOSI): Final Report
(April 2004) This technical report documents the findings of an internal research and development effort on system of systems interoperability (SOSI). (CMU/SEI-2004-TR-004)
An Alternative to Technology Readiness Levels for Non-Developmental Item (NDI) Software
(April 2004) This report explores the difficulties in using TRLs as they apply to NDI software technology and products, and explores an alternative set of readiness criteria. (CMU/SEI-2004-TR-013)
Standard Systems Group (SSG) Technology Adoption Planning Workshop
(April 2004) This 2004 report presents the results of the SSG Technology Adoption Planning Workshop, which was held in October 2003 in Alabama. (CMU/SEI-2004-SR-003)
Integrated Approach to Software Process Improvement at Wipro Technologies: veloci-Q, An
(March 2004) This report details Wipro's process improvement activities and evolution of processes and systems over a period of time. (CMU/SEI-2004-TR-006)
Current Perspectives on Interoperability
(March 2004) This 2004 report describes current research within the software engineering community on the topic of interoperability between software systems. (CMU/SEI-2004-TR-009)
Software Product Lines: Experiences from the Sixth DoD Software Product Line Workshop
(March 2004) This 2004 report summarizes the presentations and discussions from the Sixth Department of Defense (DoD) Product Line Practice Workshop in September 2003. (CMU/SEI-2004-TN-011)
Advanced Information Assurance Handbook
(March 2004) This handbook helps technical staff members who are charged with administering and securing information systems and networks. (CMU/SEI-2004-HB-001)
A Study of Product Production in Software Product Lines
(March 2004) This 2004 report presents the results of a study that focused on how product line organizations create products. (CMU/SEI-2004-TN-012)
Army Strategic Software Improvement Program (ASSIP) Survey of Army Acquisition Managers
(March 2004) This report analyzes a survey that covered four areas of the acquisition system: the acquirer's environment, the developer's environment, communication between the acquirer and developer, and external factors that could affect the acquisition system. (CMU/SEI-2004-TR-003)
Case Study: IRS Business System Modernization Process Improvement
(March 2004) This report provides an overview of applying the SA-CMM to the IRS modernization effort to establish and implement more effective acquisition management processes and practices. (CMU/SEI-2004-TR-002)
CMMI Acquisition Module (CMMI-AM) Version 1.0
(March 2004) This report contains the acquisition practices that should be performed by government acquisition organizations acquiring systems and/or services. (CMU/SEI-2004-TR-001)
Working with Small Manufacturing Enterprises: An Analysis of TIDE
(February 2004) This 2004 paper documents some of the challenges and risks facing programs or organizations trying to help small manufacturing enterprises (SMEs). (CMU/SEI-2004-TR-005)
Architecture Reconstruction Guidelines, Third Edition
(February 2004) This report describes the process of architecture reconstruction using the Dali architecture reconstruction workbench. (CMU/SEI-2002-TR-034)
COTS Acquisition Evaluation Process: Preacher's Practice
(January 2004) This paper outlines a successful effort to apply COTS-based engineering principles to a software acquisition by various groups at the SEI. (CMU/SEI-2004-TN-001)
Advanced Engineering Environments for Small Manufacturing Enterprises: Volume I
(December 2003) This report provides an overview of AEE technologies, their benefits for subject matter experts, and the technical considerations for AEE adoption. (CMU/SEI-2003-TR-013)
SACAM: The Software Architecture Comparison Analysis Method
(December 2003) The report outlines the first version of the Software Architecture Comparison
Analysis Method (SACAM). This method was created to provide rationale for an architecture selection
process by comparing the fitness of architecture candidates for required systems. (CMU/SEI-2003-TR-006)
Common Concepts Underlying Safety, Security, and Survivability Engineering
(December 2003) This report presents information models that identify and define the foundational concepts underlying safety, security, and survivability engineering. (CMU/SEI-2003-TN-033)
Integrating the Architecture Tradeoff Analysis Method (ATAM) with the Cost Benefit Analysis Method (CBAM)
(December 2003) This technical note reports on a proposal to integrate the SEI ATAM (Architecture Tradeoff Analysis Method) and the CBAM (Cost Benefit Analysis Method). (CMU/SEI-2003-TN-038)
Organizational Models for Computer Security Incident Response Teams (CSIRTs)
(December 2003) This 2003 report describes different organizational models for implementing incident handling capabilities, including each model's advantages and disadvantages and the kinds of incident management services that best fit with it. (CMU/SEI-2003-HB-001)
Interpreting Capability Maturity Model Integration (CMMI) for Service Organizations: A Systems Engineering and Integration Services Example
(November 2003) This 2003 technical note presents one organization's interpretation of CMMI best practices for organizations that primarily provide services. (CMU/SEI-2003-TN-005)
Real-Time Application Development with OSEK: A Review of the OSEK Standards
(November 2003) This 2003 report examines the OSEK OS, OSEK COM, and OSEK OIL specifications from the perspective of a real-time application developer. (CMU/SEI-2003-TN-004)
Architecture Reconstruction of J2EE Applications: Generating Views from the Module Viewtype
(November 2003) This report outlines the application of architecture reconstruction techniques to the Sun Microsystems' Duke's Bank system- Java2 Platform, Enterprise Edition/Enterprise JavaBeans (J2EE/EJB) application implemented mainly in Java. (CMU/SEI-2003-TN-028)
Deriving Enterprise-Based Measures Using the Balanced Scorecard and Goal-Driven Measurement Techniques
(October 2003) This 2003 report describes the application of the balanced scorecard and goal-driven measurement methodologies to ways to measure an organization's health and performance. (CMU/SEI-2003-TN-024)
Measures for Software Product Lines
(October 2003) This 2003 report by David Zubrow and Gary Chastek characterizes the status of measurement associated with the operation of a software product line. (CMU/SEI-2003-TN-031)
A Template for Documenting Prediction-Enabled Component Technologies
(October 2003) This report suggests a template for documenting a PECT, and provides guidelines and a few
examples to help PECT developers consolidate the broad range of information produced into the PECT development process in a single, organized volume. (CMU/SEI-2003-TN-030)
Demonstrating the Impact and Benefits of CMMI: An Update and Preliminary Results
(October 2003) This 2003 report demonstrates credible quantitative evidence that CMMI-based process improvement can result in better project performance and higher quality products. (CMU/SEI-2003-SR-009)
CMMI Interpretive Guidance Project: Preliminary Report
(October 2003) The SEI collected data to learn more about how CMMI is being accepted by various organizations. This report describes those activities and includes summaries of the data collected. (CMU/SEI-2003-SR-007)
State of the Practice of Computer Security Incident Response Teams (CSIRTs)
(October 2003) This 2003 report provides an objective study of the state of the practice of incident response, based on information about how CSIRTs around the world are operating. (CMU/SEI-2003-TR-001)
Quality Attribute Workshops (QAWs), Third Edition
(October 2003) This report describes the newly revised QAW (Quality Attribute Workshop) and describes potential uses of the refined scenarios generated during it. (CMU/SEI-2003-TR-016)
SEI Independent Research and Development Projects (FY 2003)
(September 2003) This report describes the IR&D projects that were conducted during fiscal year 2003 (October 2002 through September 2003). (CMU/SEI-2003-TR-019)
Product Line Analysis for Practitioners
(September 2003) This 2003 technical report describes the addition of development requirements to product line analysis. (CMU/SEI-2003-TR-008)
The Team Software Process (TSP) in Practice: A Summary of Recent Results
(September 2003) This 2003 report provides results and implementation data from projects and individuals that have adopted the TSP. (CMU/SEI-2003-TR-014)
Preliminary Design of ArchE: A Software Architecture Design Assistant
(September 2003) This 2003 report presents a procedure for moving from a set of quality attribute scenarios to an architecture design that satisfies those scenarios. (CMU/SEI-2003-TR-021)
Interpreting Capability Maturity Mode Integration (CMMI) for COTS-Based Systems
(September 2003) This 2003 report shows that developing and maintaining COTS-based systems is more than selecting products and managing vendor relationships. (CMU/SEI-2003-TR-022)
A Model Problem Approach to Measurement-to-Track Association
(September 2003) This report illustrates the use of model problems in the design of a system. (CMU/SEI-2003-TR-020)
Identifying Commercial Off-the-Shelf (COTS) Product Risks: The COTS Usage Risk Evaluation
(September 2003) This 2003 report describes the development of an approach to reduce the number of program failures attributable to COTS software: the COTS Usage Risk Evaluation (CURE). (CMU/SEI-2003-TR-023)
Requirements Engineering for Survivable Systems
(September 2003) This 2003 report describes the current state of requirements engineering for survivable systems--systems that are able to complete their mission in a timely manner, even if significant portions are compromised by attack or accident. (CMU/SEI-2003-TN-013)
A Life-Cycle View of Architecture Analysis and Design Methods
(September 2003) This report examines the architecture-centric analysis and design methods that were created at the SEI between 1993 and 2003. (CMU/SEI-2003-TN-026)
DoD Experience with the C4ISR Architecture Framework
(September 2003) This report discusses the context for using the C4ISRAF, the observations made during the interviews about its use, and the strengths and challenges of using it. (CMU/SEI-2003-TN-027)
Building Relationships between Small Manufacturing Enterprises and Vendors: Findings from the TIDE Program
(August 2003) This report presents findings to help vendors, VARs, and SMEs develop mutually beneficial and successful relationships. (CMU/SEI-2003-TN-011)
CMM-Based Process Improvement and Schedule Deviation in Software Maintenance
(July 2003) This study evaluates the predictive validity of the Capability Maturity Model (CMM) for Software (SW-CMM) as applied to software maintenance. (CMU/SEI-2003-TN-015)
Documenting Software Architectures in an Agile World
(July 2003) (CMU/SEI-2003-TN-023)
Predicting When Product Line Investment Pays
(July 2003) This 2003 report defines key factors to consider in taking an incremental approach to fielding a product line. (CMU/SEI-2003-TN-017)
Using the Architecture Tradeoff Analysis Method (ATAM) to Evaluate the Software Architecture for a Product Line of Avionics Systems: A Case Study
(July 2003) This 2003 technical note describes an ATAM evaluation of the software architecture for an avionics system developed for the Technology Applications Program Office (TAPO) of the U.S. Army Special Operations Command Office. (CMU/SEI-2003-TN-012)
What About Ada? The State of the Technology in 2003
(July 2003) This 2003 report documents a recent investigation which characterized the technical and programmatic risks in reusing significant quantities of legacy Ada code in a new system. (CMU/SEI-2003-TN-021)
International Liability Issues for Software Quality
(July 2003) This 2003 report focuses on international law related to cybercrime, international information security standards, and software liability issues as they relate to information security for critical infrastructure applications. (CMU/SEI-2003-SR-001)
3rd International Workshop on Adoption-Centric Software Engineering
(June 2003) This report contains a set of papers that focus on overcoming barriers to adopting research tools. The papers were presented at the Third International Workshop on Adoption-centric Software Engineering (ACSE). (CMU/SEI-2003-SR-004)
Snapshot of CCL: A Language for Predictable Assembly
(June 2003) This 2003 report presents a snapshot of the construction and composition language (CCL) by examining a small example CCL specification. (CMU/SEI-2003-TN-025)
The Software Engineering Institute's Second Workshop on Predictable Assembly: Landscape of Compositional Predictability
(June 2003) To further its work in predictable assembly focusing on compositional reasoning techniques, the Software Engineering Institute (SEI) held its second Predictable Assembly from Certifiable Components (PACC) Workshop on January 10-11, 2003. (CMU/SEI-2003-TN-029)
Proceedings of the System of Systems Interoperability Workshop (February 2003)
(June 2003) This report documents the model of interoperability presented and the findings from the System of Systems Interoperability Workshop, held in February 2003. (CMU/SEI-2003-TN-016)
Integration of Computer-Aided Design and Finite Element Analysis Tools in a Small Manufacturing Enterprise
(June 2003) This 2003 report summarizes two case studies of tool integration activities at one small manufacturer. (CMU/SEI-2003-TR-015)
Interactions Among Techniques Addressing Quality Attributes
(June 2003) This report provides software architects a chart for determining the relationships among techniques that promote different architectural qualities. (CMU/SEI-2003-TR-003)
The Evolution of Product Line Assets
(June 2003) The focus of this 2003 technical report is how evolutionary changes affect the various types of assets in a software product line. (CMU/SEI-2003-TR-005)
Fifth DoD Product Line Practice Workshop Report
(June 2003) This 2003 document summarizes the presentations and discussions from the Fifth Department of Defense (DoD) Product Line Practice Workshop, held in August 2002. (CMU/SEI-2003-TR-007)
Overcoming Barriers to Technology Adoption in Small Manufacturing Enterprises (SMEs)
(June 2003) This 2003 report summarizes technology demonstrations, workforce development activities, and technology development efforts of the SEI's TIDE Program. (CMU/SEI-2003-TR-012)
A Basis for an Assembly Process for COTS-Based Systems (APCS)
(May 2003) This paper describes a generic process framework for developing software systems based on commercial off-the-shelf (COTS) products. (CMU/SEI-2003-TR-010)
Case Study: Computer Supplier Evaluation Practices of the Parenteral Drug Association
(May 2003) This case study describes the development of a method for evaluating computer and software suppliers for the pharmaceutical industry. (CMU/SEI-2003-TR-011)
Volume III: A Technology for Predictable Assembly from Certifiable Components
(April 2003) This 2003 report, the final in a three-volume series on CBSE, identifies the key technical concepts of PACC, with an emphasis on the theory of prediction-enabled component technology (PECT). (CMU/SEI-2003-TR-009)
Architecture Reconstruction Case Study
(April 2003) This report outlines an architecture reconstruction carried out at the SEI on a software system called VANISH, which was developed for prototyping visualizations. (CMU/SEI-2003-TN-008)
Handbook for Computer Security Incident Response Teams (CSIRTs)
(April 2003) This 2003 document provides guidance on forming and operating a CSIRT, and helps an organization to define and document the nature and scope of a computer security incident handling service, which is the core service of a CSIRT. (CMU/SEI-2003-HB-002)
Relating the Team Software Process (TSP) to the Capability Maturity Model for Software (SW-CMM)
(March 2003) This 2002 report helps process professionals, process managers, project leaders, and organizational managers establish process improvement strategies and plans. (CMU/SEI-2002-TR-008)
Application of Options Analysis for Reengineering in a Lead System Integrator Environment
(March 2003) This note describes the use of OAR to guide decision making on mining assets within an LSI (lead system integrator) context. (CMU/SEI-2003-TN-009)
DoD Architecture Framework and Software Architecture Workshop Report
(March 2003) This report summarizes the activities of the Workshop on the Department of the 2003 Defense Architecture Framework and Software Architecture workshop. (CMU/SEI-2003-TN-006)
A Federation Object Model (FOM) Flexible Federate Framework
(March 2003) This 2003 report describes an approach to designing a domain framework that encapsulates expertise in developing an HLA federate by hiding RTI internal operations from the developer. (CMU/SEI-2003-TN-007)
Deriving Architectural Tactics: A Step Toward Methodical Architectural Design
(March 2003) This 2003 technical report provides the status on the work being done by the SEI to understand the relationship between quality requirements and architectural design. (CMU/SEI-2003-TR-004)
Applying FSQ Engineering Foundations to Automated Calculation of Program Behavior
(February 2003) This report summarizes research on Flow Structures and describes the application of their function-theoretic mathematical foundations to the problem of program behavior calculation. (CMU/SEI-2003-TN-003)
Rendering Tcl/Tk Windows as HTML
(February 2003) Tcl is a programming language having a Toolkit library that provides a standard set of GUI widgets. Since these are aimed at direct presentation via a window manager, Tcl/Tk applications are not compatible with web-based service delivery environments. Several tools provide help, but do not provide a migration path for eventual full conversion to web-based delivery. This 2003 report suggests a new approach. (CMU/SEI-2003-TN-002)
On the Suitability of Tcl/Tk for SYS
(February 2003) This 2003 report reviews various websites and
considers other factors that should influence the choice of Tcl/Tk as a tool for further development of SYS. (CMU/SEI-2003-TN-001)
Outsourcing Managed Security Services
(January 2003) The practices recommended in this 2003 report provide organizations with the guidance
necessary to knowledgeably engage MSSPs, so they can make informed use of such
services. (CMU/SEI-2003-SI-m01)
Find Us Here
Share This Page
For more information
Email: info@sei.cmu.edu
Call: 412-268-2358
