
40 Years of Advancing Software for National Security

The Carnegie Mellon University (CMU) Software Engineering Institute (SEI) is marking 40 years as a cornerstone of advancing software as a strategic advantage for national security. For four decades, the SEI has worked to make software do more, be more secure, deploy faster, and cost less, improving software systems vital to national defense and the broader information technology ecosystem.

The DoD established the SEI in 1984, and the institute began operation in early 1985. Since then, the SEI has been at the forefront of technology transformations that changed how the DoD provides capabilities and protects its systems and networks. Early on, the SEI recognized the importance of process improvement in software development and evolved the Capability Maturity Model Integration (CMMI), a framework for assessing an organization’s software process maturity. Following the Morris worm attack in 1988, the SEI became a leader in incident response, vulnerability analysis, and cybersecurity research. The SEI led a third key technology transformation in software architecture, particularly through creation of the Architecture Analysis and Design Language (AADL), which enabled modeling and analysis of complex systems. And in the last decade, the SEI has advanced artificial intelligence (AI) from bespoke solutions and isolated algorithms toward an AI Engineering discipline and an AI system development lifecycle.

Carnegie Mellon is also celebrating a milestone this year, 125 years of education, innovation, and transformation. Explore this legacy at CMU125: The Power of Possibilities.

1984

With the support of U.S. Rep. John Murtha of Pennsylvania, Congress and the U.S. Department of Defense award the contract for the Software Engineering Institute to Carnegie Mellon University in Pittsburgh, PA.

1986

An SEI team led by Watts S. Humphrey, in conjunction with the Air Force and the MITRE Corporation, develops a questionnaire to analyze software processes based on maturity. This is the first step in developing the Capability Maturity Model® approach to process improvement.

1987

The SEI publishes the Ada Adoption Handbook: A Program Manager’s Guide by John Foreman and John Goodenough and distributes 2,000 copies of the first edition. Version 2 is published in 1992.

1988

At the urging of the Defense Advanced Research Projects Agency (DARPA), the SEI creates the first computer emergency response team after an Internet worm cripples 10% of computers on the Internet.

1989

Addison-Wesley begins publication of the SEI Series in Software Engineering.

1990

With funding from Congress, the SEI establishes a program in risk management to identify, quantify, and develop mitigation strategies for risks on weapons system software.

1992

The technical report Introduction to Software Process Improvement, by Watts S. Humphrey, includes recommendations for widespread dissemination of software process improvement practices.

1993

A Practitioner’s Handbook for Real-Time Analysis: Guide to Rate Monotonic Analysis (RMA) for Real-Time Systems describes the use of RMA techniques, which become widely adopted and are credited with helping NASA restart the Mars Pathfinder in 1998 after a system shutdown.

1994

The technical report An Introduction to Software Architecture, by David Garlan and Mary Shaw, describes the design problems inherent in large systems and provides an introduction to the emerging field of software architecture. This soon becomes a major focus area for the SEI.

1995

The People Capability Maturity Model is published, describing best practices in human resources, knowledge management, and organizational development. Other specialized models are published for software acquisition, systems engineering, and integrated product development.

1997

The Capability Maturity Model Integration (CMMI®) project is initiated by the DoD to establish a framework to accommodate current and future models and bring the CMM approach into line with international industry standards.

1997

The SEI Architecture Tradeoff Analysis Method℠ (ATAM℠) framework is developed and used on the Army’s Mortar Fire Control Systems to identify critical architectural risks. The ATAM is now used worldwide to evaluate software architectures.

1998

The Software Engineering Information Repository (SEIR) is created to provide a forum for exchanging information concerning software engineering improvement activities.

1998

The first book on software architecture for practitioners, Software Architecture in Practice, is authored by SEI technical staff members and wins the prestigious JOLT award from Software Development magazine. This book is followed by three other SEI books on software architecture, which together have sold more than 40,000 copies.

1999

The SEI Framework for Software Product Line Practice℠, a web-based compendium of activities and practices necessary to succeed with software product lines, is published.

2000

The SEI COTS Usage Risk Evaluation℠ (CURE℠) methodology is developed to help managers prepare to oversee commercial off-the-shelf (COTS)-based programs. CURE is a focused examination of the COTS-related aspects of a system development project.

2000

The SEI develops the SEI Product Line Technical Probe℠ (PLTP℠) methodology to determine the product line readiness of a major commercial organization. This diagnostic method has since been used to evaluate the product line practices of commercial and government organizations in a wide variety of domains.

2001

The SEI establishes the Acquisition Support Program to help the DoD and other government organizations improve their practices in acquiring software-intensive systems.

2002

The first International Conference on COTS-Based Software Systems (ICCBSS) is held. It is the first conference series to focus on the exchange of ideas about current best practices and promising research directions in creating and maintaining systems that incorporate COTS software products.

2003

The U.S. Department of Homeland Security partners with the CERT Coordination Center to establish US-CERT, a coordination point for prevention, protection, and response to cyber attacks across the Internet. This work includes the US-CERT National Cyber Alert System, which provides all citizens with timely, actionable information to better secure their computer systems.

2003

The SEI launches its six-course software architecture curriculum and certificate programs for software practitioners and technical managers.

2004

The SEI forms the International Process Research Consortium, a team of recognized leaders in the field of process research, to explore the frontiers of process research and lay the groundwork for future process technologies.

2004

Under SEI technical leadership, the Society of Automotive Engineers (SAE) publishes the Architecture Analysis and Design Language (AADL) standard for embedded real-time systems. AADL enables the development and predictable integration of highly evolvable systems, as well as analysis of existing systems.

2009

The SEI developed the CERT Resilience Management Model to improve operational resilience. Since 2009, organizations in the DoD, the U.S. defense industrial base, U.S. federal civilian agencies, the financial services sector, and academia have been using the CERT-RMM to institutionalize improved processes for managing operational resilience and measure their benefit.

2011

The SEI's CERT Division and U.S. Department of Homeland Security (DHS) launched the External Dependencies Management (EDM) Assessment. This in-person, DHS-facilitated evaluation measures how well an organization can handle cyber disruptions in key services provided by third parties. Any external dependency presents a risk, from service agreements for cloud computing to business relationships that depend on a third party's computing infrastructure and security.

2014

The SEI's CERT Division introduced the Tapioca tool to check Android apps for vulnerabilities. In the first year of use, Tapioca was used to check more than one million Android apps.

2014

SEI researchers used their Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE) method in a workshop with a live major defense acquisition program (MDAP). This milestone along the way to transitioning innovation into the acquisition lifecycle is the result of focused research and development.

2015

The SEI developed the SAE Architecture Analysis and Design Language standard in 2004, which was chosen for an aerospace initiative in 2008 and used to detect potential integration issues in the Joint Multi-Role helicopter program in 2015.

2015

The SEI's implementation of tactical cloudlets, KD-Cloudlet, allows developers to turn any system running Linux—from a laptop to a more powerful server—into a discoverable source that can be used by nearby mobile devices for computation offload and data staging.

2016

In 2016, the DoD identified a need for a transparent and modernized vulnerability disclosure program and asked the SEI’s CERT Division to help develop and implement such a program.

2017

CERT researchers developed tools to automatically detect and repair two common software-coding errors: integer overflows that lead to buffer overflow and reads of stale and potentially sensitive memory. These tools help developers reduce the number of vulnerabilities in a codebase, freeing them to focus on fixing the remaining coding errors, developing secure code, and achieving their organization’s software assurance goals.

2017

The SEI released OOAnalyzer, part of the Pharos Binary Static Analysis Framework, a suite of tools that help reverse engineers and malware analysts gain insights into software binaries when source code is not available.

2018

Since 2010, the SEI has challenged the software engineering research community to find ways to manage technical debt by convening the annual Managing Technical Debt Workshop series. In 2018, the workshops evolved into an annual Conference on Technical Debt co-located with the ACM/IEEE International Conference on Software Engineering. Those events have produced more than 100 publications in the Association for Computing Machinery (ACM)/Institute of Electrical and Electronics Engineers (IEEE) digital libraries and spawned more than 2,000 citations in other published papers.

2019

The SEI researched modern platform theory and design to develop Foundry, a next-generation cyber-training asset-management portal. Foundry connects cyber training content users, sponsors, and developers in a shared environment where available content is registered for users to consume, rate, and add to playlists.

2020

The SEI released Crucible and GHOSTS tools that help cyber simulation developers create simulated virtual environments and non-player characters (NPCs). Cybersecurity content developers can use Crucible and GHOSTS with their existing tools to create realistic simulations, reduce knowledge gaps within their organizations, evaluate cyber-mission readiness, and cultivate expert cyber teams.

2021

The SEI created the Source Code Analysis Integrated Framework Environment (SCAIFE), a research prototype for a modular architecture that supports static analysis classification and prioritization. SCAIFE is designed to enable a wide variety of tools, systems, and users to use artificial intelligence (AI) classifiers for static-analysis results (meta-alerts) at relatively low cost and effort.

2022

The SEI created the Platform-Independent Model (PIM), which uses a model-based systems engineering (MBSE) approach to formalize the requirements, capabilities, and maturity of DevSecOps and provide relevant guidance. This first-of-its-kind model helps organizations visualize their pipeline infrastructure, decide how to structure the planning process, and ensure that the pipeline and its associated products are implemented in a secure, safe, and sustainable way.

2023

In November 2023, the SEI developed the first Artificial Intelligence Security Incident Response Team (AISIRT) to respond to the risks associated with artificial intelligence (AI) that can pose a threat to national security. The AISIRT identifies, analyzes, and responds to the threats, vulnerabilities, and incidents that emerge from the ongoing advances in AI and machine learning and supports the Department of Defense and other federal agencies in effectively and securely developing, adopting, and using AI.

2024

To enable expert researchers to study and demonstrate how artificial intelligence and machine learning technologies can be used to improve the performance of autonomous systems, the SEI formally established the AI for Autonomy Lab in late 2023 and, in 2024, began focusing on sponsored work and expanding its relationships with Department of Defense agencies, academic research groups, federally funded research and development centers, university-affiliated research centers, and vendors of AI and autonomy solutions.