Software Engineering Institute (SEI) Webcast Series
Author: SEI Members of Technical Staff
© http://www.sei.cmu.edu/legal/
Description
Each webinar features an SEI researcher discussing their research on software and cybersecurity problems of considerable complexity. The webinar series is a way for the SEI to accomplish its core purpose of improving the state-of-the-art in software engineering and cybersecurity and transitioning this work to the community. The SEI is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. The SEI Webinar Series is produced by SEI Communications Outreach.
178 Episodes
Are you confused about what should be in your Software Acquisition Pathway program's Capability Needs Statement (CNS)? You are not alone! One of the most frequent requests we receive is for a sample CNS. If only it were that easy! Never fear; our recently released Tactical Guide, Cracking the CNS Code, will provide you with the practical insight you need to develop a CNS that will be effective for your program. We'll also talk about the complementary supplement to Cracking the CNS Code, How Does a CNS Drive the Process for Creating Working Software?
What Will Attendees Learn?
• What a CNS is
• Strategies for and approaches to creating a CNS
• How to break down your approved CNS into backlog items
Software management is too frequently ignored or addressed piecemeal in systems. Cyber threat actors take advantage of gaps and errors in their attacks, which they can carry out at any point in the lifecycle. Exploiting these gaps and errors allows them to compromise the processes, practices, and procedures that touch a system's design, component development, and supply chain, bypassing controls and leveraging available vulnerabilities. Key software assurance activities must be embedded within the acquisition lifecycle to effectively combat these threat actors.
What Will Attendees Learn?
• How software assurance can be addressed with limited cost and schedule impact if it is effectively integrated into the acquisition lifecycle
• Which knowledge and resources are critical to software assurance, and the risks that can be missed if they are underrepresented
• Key aspects of managing acquisition and development that are critical to software assurance, and why they are important
AI is transforming both the threat landscape and our defensive capabilities. What does cyber mission readiness mean in this new environment? A researcher from the CERT Division of Carnegie Mellon University's (CMU's) Software Engineering Institute (SEI) describes the current challenges and emerging solutions that individuals and teams can use to build and sustain their cyber and AI readiness. The webcast showcases Crucible, an open source framework that integrates learning management, hands-on labs, team exercises, competitions, threat sharing, and AI models into a unified cyber readiness platform.
What Will Attendees Learn?
• How to leverage AI to build cyber capacity and effectively share threat information across organizations
• Techniques for motivating performance through cyber challenge competitions
• Methods for using AI to assist in developing cyber-skills mastery via guided self-assessment
• AI-driven strategies for forging elite teams that are prepared for cyber and cognitive operations amid nation-state competitions
Is your program really ready to adopt the SWP? Next in the Software Acquisition Go Bag series, we'll walk you through our new Tactical Guide called SWP: Ready, Set, Go! This guide provides proven techniques to assess the project's readiness to adopt the SWP; identify any shortfalls; and obtain the resources, information, and support needed for success.
What Will Attendees Learn?
• How to know if your acquisition program is really ready to adopt the SWP
• What "Instill an Agile Culture" actually means for your program
• How programs enter or transition to the SWP
• A dispelled myth about adopting the SWP
Many organizations practicing DevSecOps have collapsed under the weight of their own tooling. These organizations tried to solve delivery problems by stacking Kubernetes, Helm, GitOps controllers, scanners, and templating systems until no one can explain their own deployment path. This webcast cuts through that complexity and shows how right-sizing DevSecOps—reproducible environments, deterministic builds, type-safe configuration, and small iterative releases—restores velocity and reliability. We focus on what high-stakes teams actually need, not what vendors or compliance frameworks prescribe.
What Will Attendees Learn?
• Why complexity, not capability, is the primary barrier to fast, secure delivery
• How reproducibility, pre-rendering, and type-safe configuration eliminate entire categories of deployment failure
• How to design a "paved road" that scales across teams without drowning them in tooling
• How to move from episodic, end-state-driven integration to continuous, incremental delivery
This webcast offers a solution to the problem of poorly defined requirements in system design, which can lead to software flaws, cost and time overruns, and stakeholder dissatisfaction. We will tell you how to use a structured process called the ATAM (Architecture Tradeoff Analysis Method) to develop a system design by eliciting requirements, scenarios, and priorities from stakeholders. Then, we will explain how to measure compliance with those requirements during testing using DevSecOps principles and tools, such as the SEI's Silent Sentinel.
What Will Attendees Learn?
• What software quality attributes are and why they are important
• How to prioritize competing requirements
• How to ensure architectural requirements are satisfied during development in a DevSecOps toolchain
The SEI contributed its expertise to the development of the Software Acquisition Pathway (SWP), which the Department of Defense (DoD) issued in 2020 as DoD Instruction 5000.87. Since the SWP's issuance, SEI researchers have collaborated with DoD program teams and policy owners to effectively implement the pathway in different program contexts, identify barriers and challenges, and monitor outcomes. Throughout that work, we've identified common questions and stumbling blocks that programs encounter as they adopt the SWP. Answering these questions often warrants additional tools and resources that enable programs to position their SWP programs for success. With that in mind, the SEI announces the launch of the Software Acquisition Go Bag. Our SEI team has helped hundreds of DoD programs deliver software-enabled capability through our unique integration of data-driven insights, software engineering research, and acquisition science. We're "packing" that experience into Go Bag kits so program teams can implement proven practices.
Experts agree that quantum computing will likely become powerful enough to break modern-day encryption within the next 10–15 years, on "Q Day." Once encryption is defeated, the computing world will never be the same. Organizations need to identify the correct courses of action to take today so that the sudden onset of quantum computing does not threaten their critical assets. In this webcast, Brett Tucker, Dan Justice, and Matthew Butkovic discuss the challenges expected with the realization of quantum computing capabilities. Furthermore, the group will provide possible responses to mitigate future impacts from the onset of quantum computing.
What Will Attendees Learn?
• What Q Day is
• Events that may occur leading up to the actual day itself
• Challenges that must be overcome in quantum computing (attendees need to learn and appreciate the factors that may influence the successful emergence of quantum computing)
• Actions that can be taken today to build resilience to this technological disruption
Finding and fixing weaknesses and vulnerabilities in source code has been an ongoing challenge. There is a lot of excitement about the ability of large language models (LLMs, e.g., GenAI) to produce and evaluate programs. One question related to this ability is: Do these systems help in practice? We ran experiments with various LLMs to see if they could correctly identify problems with source code or determine that there were no problems. This webcast will provide background on our methods and a summary of our results.
What Will Attendees Learn?
• How well LLMs can evaluate source code
• Evolution of capability as new LLMs are released
• How to address potential gaps in capability
Often, agile implementations are a struggle. Dedicated agile teams focus hard and deliver value on a regular cadence. But when results are tallied, the value teams produce may not fit neatly into the expectations of senior stakeholders. Why? In this webcast, Peter Capell addresses the importance of a practical vision to express outcomes, so that the program's "target picture" is clear to all parties involved. Peter highlights the value of tools such as Model-Based Systems Engineering (MBSE) in engineering processes, and how the combination of architecture and MBSE can anchor the implementation within those expectations.
What Attendees Will Learn:
• The concept of "just enough"
• How speed of delivery is only relevant when delivery is on target
• How the "targets" for team success begin with the program vision
• How modeling and architecture can serve as valuable tools to accomplish a practical vision
Finding and growing AI and Data talent is essential for mission success, but many skilled workers remain unseen because they lack traditional credentials. This session introduces practical strategies and prototype tools that help individuals demonstrate what they know while helping managers identify and evaluate emerging talent in these fields. Attendees will explore micro-assessments reflecting real data science and AI workflows, see how skills can be measured meaningfully at scale, and gain insights on fostering AI and Data readiness across the federal workforce. Whether you're building your career or building your team, come learn how to connect talent with opportunity in the evolving AI landscape.
What Attendees Will Learn:
• Common barriers to finding and recognizing hidden AI and Data talent
• The role of a practical work role rubric in aligning skills with mission needs
• How prototype assessments and discovery tools can help surface and showcase talent
Threat modeling is intended to help defend a system from attack. It tops the list of techniques recommended by the National Institute of Standards and Technology (NIST) to secure critical systems. In a world where people with malicious intent have deadlier tools at their disposal, defenders need to take advantage of Model-Based Systems Engineering (MBSE) to form mitigation strategies that are effective from early in the systems engineering lifecycle. This webcast will preview a workshop to be held during the 2025 Secure Software by Design conference on August 19 and 20.
What Attendees Will Learn:
• How MBSE can aid cybersecurity analysis and design
• The value of MBSE for cyber threat modeling
• An overview of threat modeling techniques using MBSE
DevSecOps generates a lot of data valuable for better decision making. However, decision makers may not see all they need to in order to make best use of the data for continuous improvement. The SEI open source Polar tool unlocks the data, giving DevSecOps teams greater capability to automate, which in turn means they can innovate rapidly – without lessening quality or reducing security.
What Attendees Will Learn:
• Issues from complex DevSecOps pipelines
• What observability adds for DevSecOps efforts
• The way in which a new open-source tool, Polar, helps
Organizations looking to build and adopt artificial intelligence (AI)–enabled systems face the challenge of identifying the right capabilities and tools to support Machine Learning Operations (MLOps) pipelines. Navigating the wide range of available tools can be especially difficult for organizations new to AI or those that have not yet deployed systems at scale. This webcast introduces the MLOps Tool Evaluation Rubric, designed to help acquisition teams pinpoint organizational priorities for MLOps tooling, customize rubrics to evaluate those key capabilities, and ultimately select tools that will effectively support ML developers and systems throughout the entire lifecycle, from exploratory data analysis to model deployment and monitoring. This webcast will walk viewers through the rubric's design and content, share lessons learned from applying the rubric in practice, and conclude with a brief demo.
What Attendees Will Learn:
• How to identify and prioritize key capabilities for MLOps tooling within their organizations
• How to customize and apply the MLOps Tool Evaluation Rubric to evaluate potential tools effectively
• Best practices and lessons learned from real-world use of the rubric in AI projects
DevSecOps practices foster collaboration among software development, security, and operations teams to build, test, and release software quickly and reliably. A high-stakes, high-security environment has challenged the implementation of these practices within the Department of Defense (DoD). The DoD Chief Information Officer (CIO) organization partnered with the Software Engineering Institute (SEI) to conduct the first study to baseline the state of DoD DevSecOps, highlight successes, and offer insights for next steps. George Lamb, DoD's Director of Cloud and Software Modernization, joins the SEI team to discuss key results and how they will help the DoD ensure that its software ecosystem is effective, scalable, and adaptable to meet the challenges of today and tomorrow.
What Attendees Will Learn:
• Highlights from important success stories in DoD's DevSecOps journey
• How the DoD is harvesting grassroots successes by individual software organizations to implement those successes at scale
• Keys to using data and building effective measurement strategies to enable optimization of software delivery
Did you know there are 500 million tweets per day? 3 billion monthly active Facebook users? 1 billion LinkedIn members? Are you one of them? In this webcast, Destiney Marie Plaza reveals how a hacker can use seemingly benign public information to customize an attack on a victim by showing a scenario-based attack and demo (using free and open-source tools). Additionally, you will learn how hackers can gather information about you, common mistakes that put your information at risk, and how to protect yourself.
What Attendees Will Learn:
• How to use open-source tools used to crack passwords, along with a methodology for how hackers may gain access to your accounts
• What makes a strong password and how such passwords can stave off automated cracking tools
• How a hacker sees you, so that you can take appropriate steps to protect yourself
Today, we have seen our national security organizations working to adopt modern software practices, particularly Agile methods and DevSecOps practices, efforts challenged by a mismatch of tempos between operational needs and development processes. The newly mandated Software Acquisition Pathway helps to align those tempos. However, to sustain a competitive advantage through software, we need to see our defense organizations recall and reapply disciplined engineering practices.
What Attendees Will Learn:
• An assessment of current efforts to adopt modern software practices
• Why and where the pace of adoption faces challenges
• Characteristics of the needed new level of performance
An organization's cyber risk management practices must be rooted in organizational goals to be truly effective. In this webcast, Matt Butkovic, Greg Crabbe and Beth-Anne Bygum explore how best to align business and resilience objectives.
The Defense Industrial Base (DIB) is a core element of the national security ecosystem. This point of intersection between private industry and the Department of Defense is a perpetual target for the Nation's adversaries. In this Intersect, Matthew Butkovic and John Haller explore the development and implementation of the Cybersecurity Maturity Model Certification (CMMC) as a means to better protect the DIB.
When it comes to recognizing threats, cybersecurity professionals may become distracted by big promises or ignore some obvious inspections. New claims made by the latest and greatest new apps draw attention away from network situational awareness best practices—like a dog distracted when it spots a squirrel. We also may deviate from making routine inspections that point toward further investigation—overlooking obvious needs right under our noses. Either becoming distracted or missing obvious inspections can cause us not to detect threats.
What Attendees Will Learn:
• The distinction between anomalies and threats
• Steps to analyze data to detect a threat
• The benefits of completing work on one threat