Decision makers (such as development and acquisition program and project managers) lack confidence in the security of their software-reliant systems unless they have established methods to measure this security. We address this need through the Software Security Measurement and Analysis (SSMA) project.
Our main goal is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex, software-reliant systems across the lifecycle and supply chain. To help achieve this goal, we have developed the SEI Integrated Measurement and Analysis Framework (IMAF) and the SEI Mission Risk Diagnostic (MRD).
Decision makers often have trouble "connecting the dots" among the detailed, disparate data available from interactively complex systems. As a result, they can find it difficult to understand a system's macro-level behavior.
The IMAF integrates performance data for individual components, including targeted analysis, status reporting, and measurement activities, to provide a consolidated view of the performance of software-reliant systems. The IMAF can also highlight where additional data need to be collected.
You can apply the framework in a variety of contexts, including software security, operational security, acquisition program management, and software development.
The Mission Risk Diagnostic is a versatile method for assessing risk in interactively complex software-reliant systems that can be applied across the lifecycle (acquisition, development, operations) and supply chain. It analyzes a set of systemic risk factors to aggregate decision-making data and provides decision makers with a benchmark of a system's current state. The resulting gap between a system's current and desired states points to specific areas where additional investment is warranted.
The SEI staff has used the MRD method to assess risk in a variety of domains, including software security, supply chain assurance, cyber security processes, software acquisition and development programs, and business portfolio management.
Our staff can