A Preview of the SATURN 2018 Technical Program
April 16, 2018—The 14th SEI Architecture User Network (SATURN) Conference will take place May 7-8 in Plano, Texas, near Dallas. SATURN organizers have crafted a technical program designed to engage attendees on a host of relevant topics.
“SATURN 2018 offers more than 40 peer-reviewed talks,” noted conference general chair William Pollak. “We’re also offering training courses and the popular Software Architecture Boot Camp sessions.” The conference sessions explore a wide range of topics relevant to practicing architects, including DevOps, blockchain, REST, machine learning, continuous delivery, technical debt, agility and architecture, cloud computing, refactoring, microservices, data privacy, and a panel discussion titled “Death of the Architect.”
The program also features the following keynote addresses:
Rebecca Parsons, chief technology officer at ThoughtWorks, will speak about the whys and hows of evolutionary architecture. In particular, she will focus on the central role of fitness functions in driving the architecture in the desired direction and how techniques such as refactoring databases and continuous delivery support architectural evolution.
Ricardo Valerdi, associate professor at the University of Arizona, where he is director of the Sports Management Program, will speak about the use of virtual reality for football concussion education.
Michael Nygard of Cognitect, Inc., will share his thoughts on the concept of Uncoupling.
In addition to the keynotes, the program also includes a strong lineup of invited speakers:
Vaughn Vernon of Comprehension, Inc. will present Reactive DDD: Modeling Uncertainty and discuss how the uncertainty introduced by distributed computing can be finessed into highly functioning, business-centric systems that teams can design, develop, and reason about.
Independent technical consultant Daniel Bryant will address continuous delivery with containers.
James Lewis of ThoughtWorks will present Betting on Evolutionary Architecture: A Note on Software Architecture as Code.
Aroop Pandya of IBM Watson will discuss Watson Cognitive Services and Cloud Platform Architecture.
Chris Richardson of Eventuate, a keynote speaker at SATURN in 2017, will present Managing Data Consistency in a Microservice Architecture Using Sagas.
John Klein and Paulo Merson, technical co-chairs for SATURN 2018, have provided a more detailed preview of the keynotes, invited presentations, and technical program in a post on the SATURN Blog.
To learn more about SATURN 2018 or to register, visit https://www.sei.cmu.edu/saturn.
Software and Cyber Solutions Symposium Explores Agile and DevOps
April 16, 2018—Agile and DevOps topped the agenda at the 2018 Software and Cyber Solutions Symposium, hosted by the SEI on March 27 in Arlington, Virginia. The symposium and the accompanying tutorials explored the challenges and realities in acquiring and developing software solutions, with a specific focus on identifying effective practices in Agile and DevOps. The symposium attracted a wide range of attendees from organizations in industry, government, and the Department of Defense.
Victor Gavin, Deputy Assistant Secretary of the Navy for Command, Control, Communications, Computers, Intelligence, Information Operations and Space, opened the symposium with the keynote address, “IT Acquisition: The New Team Sport.” In his remarks, Gavin explored how the pace of change in commercial IT is having a dramatic effect on the way the government acquires these capabilities. He noted how this situation is driving the creation of a new partnership with the Navy’s industrial providers that will involve Agile development practices aimed at improving agility, cost, and security.
Other keynote speakers were Dr. Barry Boehm of the University of Southern California, who spoke about Agile cost modeling for the DoD, and Josh Corman, chief security officer and founder of PTC, who highlighted the high consequences of cyber-physical system failures of the past 18 months and the pending legislative and international responses.
The technical agenda included talks and panel discussions on a variety of topics, including the application of modern software development practices in a mission-critical DoD program, challenges to implementing DevOps, and an examination of radically different approaches to IT.
The March 27 technical agenda was bookended on March 26 and March 28 by optional programs of half-day tutorials addressing topics such as
Agile metrics at scale
Blockchain and causal learning
Addressing cybersecurity risk in an Agile and DevOps environment
The program was well received. One attendee noted that “the workshops offered thorough, but clear explanations for people with little or no experience in Agile/DevOps and software, and the keynotes did a great job of bringing together the acquisition and development communities.” Another attendee appreciated the opportunity to engage with SEI consultants and cross-governmental practitioners. “It was a great opportunity for collaboration and sharing lessons learned. Very, very valuable to have our site lead and SEI people who consult within our workspaces attending at the same time to level-set experience and knowledge.”
“We were gratified by the positive response and feedback that we received from attendees,” said SCSS general chair Bill Pollak of the SEI. “These symposia provide a valuable opportunity for SEI technical staff to interact both formally and informally with SEI customers and external stakeholders about the software challenges that we all face.”
The next SEI Software and Cyber Solutions Symposium will take place on September 12-13, 2018 at Waterford Receptions in Springfield, VA, with a focus on cybersecurity and acquisition. Details will be announced on the SEI website.
Presentations from this year’s symposium and past symposia are available for viewing and download. Visit https://resources.sei.cmu.edu/news-events/events/scss/past-presentations.cfm.
SEI Research Combats Mounting Acquisition Costs
April 9, 2018—When the DoD wants to build a new weapon system or expand an existing system’s capabilities, software increasingly plays a starring role. Software often demands the longest lead time of all system components, and it’s expected to evolve over the entire life of the system. And though software makes many new capabilities possible, it also expands system costs. In 1997, software accounted for about 45 percent of a system’s costs. In 2020, that number is projected to be 80 percent or more.
Because we are now in an era in which software costs can limit military capability, understanding and controlling these costs is critical. The SEI is attacking the problem in several ways, starting with analyses that provide a clearer picture of the current state of software development. The SEI’s David Zubrow led the development of the DoD Software Factbook, which provides an analysis of the most extensive collection of software engineering data owned and maintained by the DoD. “The Factbook is important because it translates raw data into information that is frequently sought after across the DoD, including how much a software system might cost and how long it might take,” Zubrow said. “It provides practical heuristics to estimate and improve program funding and plans going forward.”
Several other lines of research at the SEI are getting at the root cause of rising software costs. “While important, it’s not enough to know costs are going up or to accurately predict the increase,” said Robert Stoddard, who is leading efforts at the SEI to apply causal modeling to large volumes of software development data. “To contain costs, we need to understand which factors drive costs and which factors we can control.” By applying these new modeling and data mining techniques, Stoddard looks to uncover relationships that will provide a basis for better acquisition policy, practice, and management.
Future anticipated rework, sometimes referred to as technical debt, has already been identified as a big contributor to rising software sustainment costs. The SEI is developing a clustering and ranking algorithm and prototype that can analyze and correlate data from multiple sources—including issue trackers, code repository histories, and static code analysis results—to identify the most significant design issues that contribute to technical debt and the associated amount of rework. “Enabling the identification of design issues and quantifying their impact on sustainment and modernization efforts will provide data the DoD needs to control lifecycle costs, mitigate technical risk, and reduce cycle times, all goals of the Better Buying Power initiative,” said the SEI’s Ipek Ozkaya.
Another way of combating rising software acquisition costs is to improve efficiency by making sure contractors cooperate, which is becoming harder to do as government programs move away from the use of a lead systems integrator. Misaligned incentives between contractors or with the program management office can cause wasted effort, lost time, and poor results. The SEI’s William Novak is leading a research effort that uses game theory to frame these situations and then applies agent-based modeling to quantify and evaluate them. “Different types of incentives—financial, strategic, and social—affect contractors to different degrees,” said Novak, “and the combined impact of multiple incentives can be more effective across a range of contractors in changing their behavior.” This research allows the simulation of candidate incentive mechanisms in the context of an acquisition program model, to see which combinations of contractor incentives can produce the best acquisition outcomes. This approach, which is being piloted, shows promise for solving some of the incentive problems that can plague acquisition performance.
The following publications offer more information about SEI research efforts to control software acquisition costs:
Department of Defense Software Factbook, http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=502651
"Why Does Software Cost So Much? Toward a Causal Model," http://resources.sei.cmu.edu/asset_files/presentation/2017_017_001_495821.pdf
This article originally appeared in the 2017 SEI Year in Review.
SEI CERT Division Maps HIPAA Security Rule to Cyber Resilience Review
April 02, 2018—Since 2005, organizations that create, receive, transmit, and store electronic protected health information (ePHI) have been charged with safeguarding that information. This requirement was mandated by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. But in an environment of new and evolving threats, is compliance with the HIPAA Security Rule alone still good enough?
“Compliance with any legislation is a problem when it comes to fast-moving areas such as cybersecurity,” said Matthew Trevors, a member of the Cybersecurity Assurance team in the SEI’s CERT Division. “How can a static piece of legislation, like HIPAA, prepare organizations for future threats?”
To help organizations not only meet HIPAA requirements but also assess larger issues of cybersecurity preparedness and resilience, Trevors, his SEI colleague Robert Vrtis (also a member of the CERT Cybersecurity Assurance team), and Greg Porter of the Carnegie Mellon University Heinz College recently collaborated on a mapping of the HIPAA Security Rule to the SEI Cyber Resilience Review (CRR), a no-cost, non-technical, voluntary assessment tool created by the SEI for the Department of Homeland Security (DHS). The CRR is designed to evaluate an organization’s operational resilience and cybersecurity practices. The team’s mapping of the HIPAA Security Rule to the CRR has just been published as an SEI Technical Note.
“We wanted to provide small and mid-sized organizations the ability to use a one-day, lightweight assessment tool to help them develop a plan for HIPAA Security Rule compliance and also to improve their cyber resilience,” said Vrtis. “These organizations often lack the resources to initiate comprehensive assessment programs.”
According to Vrtis, the CRR can be a useful tool for organizations preparing for a regulatory evaluation, and it is particularly useful for identifying potential gaps in their programs. “We felt it was important to emphasize that regulatory compliance alone is not sufficient to implement a robust cybersecurity management program,” he said.
By understanding these gaps, organizations can begin creating processes to improve their security and resilience. “Just as good health emerges from healthy activities, exercise, good diet, rest, and avoiding risky behaviors, so too does cyber resilience and security result from good practices, such as asset management, incident management, training, and awareness,” said Vrtis.
Though the SEI designed the CRR as a facilitated assessment, it has also produced a self-assessment at the request of DHS. “We would recommend a facilitated assessment with DHS,” said Vrtis, “and then use the self-assessment to monitor progress toward identified goals.” Interested organizations should visit the website for the DHS Critical Infrastructure Cyber Community Voluntary Program for information on how to request a CRR as well as where to find the CRR self-assessment.
Vrtis stressed that the Security Rule-CRR mapping is not intended as an alternative interpretation of the HIPAA Security Rule. “Our intent,” he said, “was to simplify an organization’s efforts to not only assess their compliance with the security rule but to build a comprehensive cyber resilience program.”
To download a copy of the HIPAA Security Rule-CRR mapping, visit https://resources.sei.cmu.edu/asset_files/TechnicalNote/2018_004_001_516844.pdf.
SEI CERT Division Launches Professional Certificate Program
March 26, 2018—The SEI CERT Division announced it has launched the “CERT Cybersecurity Engineering and Software Assurance Professional Certificate” program. The CERT Division designed the program to arm software acquirers and developers, software and system assurance managers, systems engineers, and software engineers with the skills and know-how to tackle the challenges of cybersecurity in acquired systems.
“In the past, organizations have tended to focus only on capability and performance issues when evaluating software-reliant systems,” said Carol Woody, technical manager for the CERT Division’s Cybersecurity Engineering team. “However, in an environment that gets more complex every day, and which is under continuous threat from emerging and evolving risks, organizations need to look at quality attributes like security, reliability, and adaptability.”
The new program aims to provide individuals responsible for software-reliant systems an understanding of these knowledge areas, which are critical to software assurance. It emphasizes applying these principles early in the development lifecycle and throughout the supply chain.
The program consists of five components delivered through STEPfwd, the SEI’s cyber workforce research and development platform:
Software Assurance Methods in Support of Cybersecurity Engineering
Security Quality Requirements (SQUARE) Workshop
Security Risk Analysis (SERA) Tutorial
Supply Chain Risk Management Course
Advanced Threat Modeling Course
Those enrolled in the program have around-the-clock access to the course materials and 12 months in which to complete the coursework and pass the capstone examination.
To learn more about the CERT Cybersecurity Engineering and Software Assurance Professional Certificate, visit https://sei.cmu.edu/education-outreach/credentials/credential.cfm?customel_datapageid_14047=33881.