2021 Year in Review

Building a Roadmap for System Cybersecurity Improvement

System developers often consider security engineering a separate activity from software and systems engineering. They either address security inadequately or defer it until late in the engineering lifecycle or after deployment. Consequently, organizations operate software-reliant systems with high residual cyber risk. Operating software-reliant systems in system-of-systems environments compounds these problems. Systems engineering organizations need a roadmap to building security in, rather than bolting it on.

The SEI created such a roadmap: the Cybersecurity Engineering Review (CSER), an innovative assessment based on the SEI’s history in developing practice frameworks and models for acquisition, software engineering, and operational resilience.

The CSER documents leading cybersecurity engineering practices across the lifecycle and supply chain. It assesses how well a program integrates cybersecurity with its software and systems engineering practices. The CSER shows programs how to bake security into their processes when acquiring and engineering highly complex software-reliant systems designed to operate in system-of-systems environments.

The SEI worked with us to develop a phased approach to implement the recommendations, which enhanced product security.

Ed Coyle
Strategic Planning Division, DISA DSO

The SEI completed two CSER pilots in 2021: one for an Air Force Foreign Military Sales (FMS) program and a second for the Defense Information Systems Agency (DISA) Defense Spectrum Organization (DSO). The CSER identified gaps in both programs’ cyber practices and recommended improvements.

“The CSER conducted document reviews and interviewed key personnel associated with our program,” said Ed Coyle of DSO. “It provided recommendations focused on unique aspects of our program. The SEI worked with us to develop a phased approach to implement the recommendations, which enhanced product security. The CSER also provided recommendations for comprehensively integrating security across the program, increasing the security posture.”

The SEI plans to conduct more pilots and describe the CSER process in a technical paper. As organizations better merge cybersecurity engineering with systems and software engineering, the Department of Defense can have greater confidence in the security and resilience of deployed software-reliant systems.