Highlights for 2002

The SEI’s three major priorities in 2002 were

1. to enhance its impact in the acquisition community. As a DoD-supported research and development center, the SEI works to ensure that the U.S. is ready to respond to constantly changing threats, and that the systems acquired and employed by the DoD are useful and reliable over extended periods of time in a wide variety of scenarios. The SEI helps to identify the engineering practices, knowledge, and technologies that enable organizations to acquire the software they need to achieve their missions.
2. to enhance the science and technology content of SEI work and ensure that the SEI stays on the leading edge of the field of software engineering. The SEI exercises leadership in software product lines, architecture-centered design, networked systems survivability, the assembly of systems from software components, and other key science and technology competencies.
3. to partner with the software engineering community. The SEI collaborates with the global community of software engineers in diverse market segments to build market awareness and to support the community’s adoption and use of best practices in software engineering.

Acquisition

The SEI enhanced its impact in the acquisition community in 2002 by establishing an Acquisition Support Program (ASP) to focus its work in ways that are strategically important to senior acquisition officials in each military service (Air Force, Army, and Navy). Assistant Secretary of the Army (Acquisition, Logistics and Technology) (ASA ALT) Claude Bolton created an Army Strategic Software Improvement Program in August that is based on a close working collaboration with the SEI. To help transition technology and best practices to the U.S. Army, the SEI also established an on-site office at the Army’s Aviation and Missile Command (AMCOM) in Huntsville, AL. (See the ASP section for more information.)

A memo from Assistant Secretary of the Army Claude Bolton calls for “a long-term relationship between the Army and the SEI to ensure we can meet the needs of our Army in the information-dominated battlespace.”

At the request of the office of ASA ALT and program executive officers for the various users of Force XXI Battle Command Brigade and Below (FBCB2), the principal tactical digital command-and-control system for the Army, the SEI performed an extensive study of the FBCB2 software architecture. The SEI also supported the Air Force, through technical projects for the Military Satellite Communications (MILSATCOM) System Program Office and the Electronic Systems Center (ESC); and the Navy, through work on the DD(X) Program and the Navy Open Architecture Initiative.

In January, the SEI hosted a DoD Software Collaborators Workshop for the DoD acquisition community at the SEI’s Arlington, VA, facility. Relationships established at this workshop led to memoranda of understanding for collaborations with key organizations such as the MITRE Corporation, the Aerospace Corporation, and the Applied Physics Laboratory at Johns Hopkins University.

Information Security

The SEI’s work in information security continues to have worldwide impact, particularly in light of contemporary concerns about homeland security. The staff of the SEI’s CERT® Coordination Center (CERT/CC) provides trusted technical advice to the staff of the President’s Critical Infrastructure Protection Board (PCIPB) and other important government organizations. In 2002, the SEI also responded to requests for assistance and information from the National Threat Assessment Center, the National Security Council, the National Infrastructure Protection Center, the board’s Cyber Interagency Working Group, and the Office of Management and Budget/General Services Administration Electronic Government Initiatives.

The United States Secret Service (USSS) and the SEI’s CERT Analysis Center (CERT/AC) collaborated on a project called the Critical Systems Protection Initiative (CSPI), intended to strengthen the planning phase of the Secret Service’s protective mission by determining how critical information networks are related to physical protection activities. The analysis of critical systems and other forms of cyber security were integral components in the planning and execution of the security plans for both Super Bowl XXXVI in New Orleans, LA, and the 2002 winter games in Salt Lake City, UT. Both events were supported by the CERT/AC. The USSS and the CERT/AC also collaborated on the Insider Threat Study Advisory Board for the analysis of the physical and online behavior of malicious insiders before and during network compromises. Reports on this work will be available to the Department of Defense (DoD), law enforcement, and industry. The advisory board is composed of individuals from federal civilian agencies, academia, industry, and the DoD.

Photo: 2002 Winter Games

This year, the CERT/CC helped coordinate a worldwide response to vulnerabilities discovered in the Simple Network Management Protocol (SNMP). The CERT/CC contacted more than 280 vendors, many of whom contributed statements for CERT/CC Advisory CA-2002-03, which was published to enable the Internet community to protect itself. The day after the advisory was released, it had already been viewed on the Web more than 100,000 times, and the mailing list that the CERT/CC created specifically for the SNMP problem had more than 400 subscribers (see the SS section for more information).

Adoption of the SEI’s approach for evaluating information-security risks, the Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVESM) method, increased in 2002. Addison-Wesley published the book Managing Information Security Risks: The OCTAVE Approach in 2002 as part of the SEI Series in Software Engineering. More than 1,000 copies of the OCTAVE Method Implementation Guide were distributed and four public sessions of the OCTAVE training course were offered to individuals and teams during 2002. In addition, the first OCTAVE Users’ Forum was held in September 2002 in Washington, DC, and the SEI developed an initial version of OCTAVE-S, an information-security assessment technique tailored for small organizations.

The General Services Administration is using another SEI assessment approach, the e-Authentication risk and requirements analysis (e-RA), to assist the 24 federal electronic government initiatives to define standardized levels of authentication and identity and to define requirements for an authentication gateway.

A Sept. 18, 2002, Washington Post article titled “Key Players in U.S. Government’s Cybersecurity Efforts” lists Richard D. Pethia, director of the SEI Networked Systems Survivability Program, which includes the CERT/CC and CERT/AC, as one of the key players. Among others listed are Richard Clarke, then cybersecurity adviser to President Bush; Ron Dick, director of the National Infrastructure Protection Center; and—from the private sector—Scott Charney, Microsoft’s chief security strategist. In an Aug. 15, 2002, article titled “Sleuths Invade Military PCs With Ease,” the Washington Post also referred to the CERT/CC as “the leading clearinghouse of information about intrusions, viruses, and computer crimes.”

The World Bank Financial Sector released a policy publication in June 2002 (Electronic Security: Risk Mitigation in Financial Transactions) commending the Internet Security Alliance and the CERT/CC for providing the kind of public–private sector cooperation it says is needed to improve electronic security worldwide. The Internet Security Alliance is a collaboration between the CERT/CC and the Electronic Industries Alliance.

Photo: U.S. Homeland Security Secretary Tom Ridge with SEI Director Steve Cross

Process Improvement

The SEI has been in the forefront of efforts to improve the quality of processes in product and service development and maintenance organizations since the late 1980s. The SEI first met this objective by way of the Capability Maturity Model® (CMM®) for Software (SW-CMM).

This year, the SEI released Version 1.1 of the CMM IntegrationSM (CMMI®) Product Suite (models, appraisal methods, and training) to provide best practices for organizations that develop and maintain software-intensive products and services. With the CMMI Product Suite, the SEI continues to provide intellectual leadership in helping organizations define, use, and improve their software development processes. The SEI is also defining a migration path to help organizations move from improvement based on the SW-CMM to improvement based on the CMMI Product Suite.

The SEI has also produced tools that support process improvement at the individual (Personal Software ProcessSM, PSPSM) and team (Team Software ProcessSM, TSPSM) levels. TSP and PSP can be used with any CMM. Experience continues to demonstrate that TSP and PSP enable organizations to accelerate achievement of Maturity Level 4 and 5 capabilities. The Naval Air Systems Command (NAVAIR), for example, reported improvement from SW-CMM Level 1 to Level 4 in 30 months with the help of TSP and PSP. Most organizations take an average of six years to achieve Level 4.

Science and Technology

To stay on the leading edge of the field of software engineering, the SEI conducts independent research and development (IR&D) studies of the feasibility and potential impact of emerging technologies. Topics investigated in feasibility studies this year include agent-based architectures, enterprise integration applications, flow-service-quality systems engineering, data fusion for the predictive analysis of network intrusions, and open source software. The results of these IR&D studies were published in an SEI technical report.

A new SEI technical initiative, Predictable Assembly from Certifiable Components (PACC), grew out of an IR&D study that established the potential long-term value of continued SEI work on the subject. Through its work in PACC, the SEI will provide seminal technology to certify software components for predictable assembly and to open up a new world of trusted software components, ensuring that the builders of systems can select software components on the basis of their predicted runtime behavior within specific assemblies.

To help manage risks in the use of commercial off-the-shelf (COTS) products, the SEI developed the COTS Usage Risk EvaluationSM (CURESM). This two-day assessment involves site visits by SEI personnel to the program office and contractor for COTS-based acquisitions. The SEI released CURE Version 2.0 in 2002 and applied it on four program evaluations.

Book cover: Software Product Lines

The Addison-Wesley SEI Series in Software Engineering provides software engineering practitioners with current, in-depth information to help them use and apply mature and continually improving software engineering practices. Six books were published this year in the SEI Series, including Software Product Lines: Practices and Patterns, written by Paul Clements and Linda Northrop, which describes how leading-edge software development organizations have retooled for product lines (for more information about software product lines, see the PLP section); and Documenting Software Architectures: Views and Beyond, by Clements and other SEI staff members, written to help practicing architects produce comprehensive documentation packages for software architectures.

The SEI collaborates on many science and technology projects with the academic units of Carnegie Mellon University, including the Carnegie Institute of Technology and its Center for Computer and Communications Security; the School of Computer Science and its Master of Software Engineering program and High-Dependability Computing research program; the Graduate School of Industrial Administration; and the H. John Heinz III School of Public Policy and Management and its CIO Institute.

Partnering with the Community

To help transition best practices to the software engineering community, the SEI and the European Software Process Improvement (ESPI) Foundation agreed in 2002 to work together to market and deliver public offerings of the SEI’s advanced training courses throughout Europe. ESPI is brokering the delivery of the Introduction to CMMI courses by SEI transition partners. Plans were also completed this year for the SEI to open a satellite office in Frankfurt, Germany; SEI-EuropeSM GmbH was officially established at the end of the 2002 calendar year.

The SEI also participated with Carnegie Mellon University in providing educational resources to historically black colleges and universities and Hispanic-serving institutions. This program enables PhD computer scientists to teach survey-level courses in information security to advanced undergraduate and first-year graduate students at their universities, helping to create a next generation of Internet-security experts. Partners with Carnegie Mellon in the program, funded by the National Science Foundation (NSF), included Howard University, Morgan State University, and the University of Texas at El Paso.

The SEI and Carnegie Mellon worked with historically black colleges and universities and Hispanic-serving institutions to train the next generation of Internet-security experts.

The SEI continues to stimulate the creation and growth of worldwide communities and to generate worldwide interest in best software practices by means of conferences that the SEI sponsors or co-sponsors. Examples include the International Conference on COTS-Based Software Systems, the Software Product Line Conference, the Software Engineering Process Group Conference, and the European Software Engineering Process Group Conference.

Increased partnering with the community is also reflected in the large number of affiliates, visiting scientists, and transition partners (DoD and industry organizations that help others adopt new technology) who worked with the SEI in 2002. The SEI had 17 affiliates and 73 visiting scientists on staff and entered into licensing agreements with 66 new transition partners in FY2002.