Software Engineering Institute (SEI) Podcast Series

The COVID-19 pandemic has forced significant changes in enterprise work practices, including an increased use of telecommunications technologies required by the new work-from-home policies that most organizations have instituted in response. In this podcast, Phil Groce, a senior network defense analyst in the CERT Division of the Carnegie Mellon University Software Engineering Institute, discusses the security implications of this dramatic increase in the number of people in organizations who are working from home, examines the threats and vulnerabilities associated with the increase in remote work, and offers practical solutions to individuals and enterprises for operating securely in this new environment.

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, researchers at the Carnegie Mellon University Software Engineering Institute and architects of the model, discuss the CMMC assessment guides, how they were developed, and how they can be used.

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model and researchers at Carnegie Mellon University's Software Engineering Institute, discuss the Level 3 Assessment Guide for the CMMC and how it differs from the Level 1 Assessment Guide.

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss the Level 1 Assessment Guide for the CMMC.

Authority to Operate (ATO) is a process that certifies a system to operate for a certain period of time by evaluating the risk of the system's security controls. ATO is based on the National Institute of Standards and Technology’s Risk Management Framework (NIST 800-37). In this podcast, Shane Ficorilli and Hasan Yasar, both with the Carnegie Mellon University Software Engineering Institute, discuss continuous ATO, including challenges, the role of DevSecOps, and cultural issues that organizations must address.

A pervasive belief in software engineering is that some programmers are much, much better than others (the times-10, or 10x, programmer), and that the skills, abilities, and talents of these programmers exert an outsized influence on that organizations’ success or failure. Bill Nichols, a researcher with the Carnegie Mellon University Software Engineering Institute, recently examined the veracity and relevance of this widely held notion. Using data from a study conducted at the SEI, Nichols found evidence that not only challenges the idea that some programmers are inherently far more skilled or productive than others but that the truth if far more nuanced. 

Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This podcast—which highlights the latest work in prioritizing actions during vulnerability management—presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with CVSS. SSVC takes the form of decision trees for different vulnerability management communities. During this podcast, CERT vulnerability researchers Eric Hatleback, Allen Householder, and Jonathan Spring discuss SSVC and also take audience members through a sample scoring vulnerability.

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss the Level 5 process maturity requirements, which are standardizing and optimizing a documented approach for CMMC.

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss reviewing and communicating CMMC activities and measuring those activities for effectiveness, which are requirements of Level 4 of the model.

Situational awareness makes it possible to get relevant information from across an organization, to integrate that information, and to disseminate it to help leaders make more informed decisions. In this SEI Podcast, Angela Horneman and Timothy Morrow, researchers in the SEI's CERT Division, discuss the importance of looking beyond the network to acquire situational awareness for cybersecurity.

While actual quantum computers are available from several different companies, we are currently in the Noisy Intermediate-Scale Quantum (NISQ) era. Working in the NISQ era presents a number of challenges, and the SEI is working to use NISQ devices not only to solve specific mission applications for the Department of Defense, but also to help determine when they will demonstrate so-called quantum advantage: a quantum computer solving a problem of practical interest faster than a classical computer. In this episode, the latest from the SEI Podcast Series, Dr. Jason Larkin, a researcher in the SEI's Emerging Technology Center, discusses the challenges of working in the NISQ era and the work that the SEI is doing in this area. Dr. Larkin also provides a list of resources in quantum computing. 

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for Defense Industrial Base (DIB) suppliers defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss how assessed DIB organizations are scored according to the model.

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for the Defense Industrial Base (DIB) defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, present guidelines for developing an effective CMMC policy.

The culture of computers and information technology changes quickly. The Future of Cyber Podcast series explores the future of cyber and whether we can use the innovations of the past to address the problems of the future. In our latest episode, Bobbie Stempfley, director of the SEI’s CERT Division, interviews Dr. Diana Burley, executive director and chair of the Institute for Information Infrastructure Protection, or I3P, and vice provost for research at American University. Their discussion focused on educating the cybersecurity workforce in a way that closes the gap between what students are taught in school and the skills they’ll need to use in the workplace.

The Cybersecurity Maturity Model Certification (CMMC) 1.0 for the Defense Industrial Base (DIB) defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss process documentation, a Level 2 requirement.

Software development is shifting to incremental delivery to meet the demand for software quicker and at lower costs. With the current cyber threat climate, the demand for cybersecurity is growing but existing compliance processes focus on a completed product and do not support incremental delivery. Cybersecurity must be carefully woven into each increment deliver results with sufficient security and quality. Previous SEI research has shown that improved quality results in improved cybersecurity. In this SEI Podcast, Dr. Carol Woody and Will Hayes discuss an approach that allows organizations to integrate cybersecurity into the agile pipeline.

The Cybersecurity Maturity Model Certification (CMMC) 1.0 defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from Defense Industrial Base (DIB) entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all the CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss CMMC Levels 1-3 and what steps organizations need to take to move beyond NIST 800-171.

For more than 30 years, the cybersecurity community has worked to increase the effectiveness of our cybersecurity and resilience efforts. Today we face an explosion of devices, the pervasiveness of software, the threat of adversarial capability, and the dependence of national capabilities on the cyber domain. These challenges demand that we think about how to achieve the future we need, which is the subject of a new series of podcasts, The Future of Cyber. In this episode, Bobbie Stempfley, director of the CERT Division of the SEI, explores the future of secure coding with Steve Lipner, the executive director of SAFECode and former director of software security at Microsoft, where he created Microsoft’s Security Development Lifecycle.   

In this SEI podcast, Hasan Yasar and Jose Morales discuss challenges to implementing DevOps in highly regulated environments (HREs), exploring issues such as environment parity, the approval process, and compliance. This podcast is the second to explore DevOps in HREs.

The culture of computers and information technology evolves quickly. In this environment, how can we build a culture of security through regulations and best practices when technology can move so much faster than legislative bodies?

The Future of Cyber Podcast Series explores whether we can use the innovations of the past to address the problems of the future. In this SEI Podcast, David Hickton, founding director of the University of Pittsburgh Institute for Cyber Law, Policy, and Security, sits down with Bobbie Stempfley, director of the SEI’s CERT Division, to talk about the future of cybercrime.