

Software Engineering Institute (SEI) Podcast Series
Members of Technical Staff at the Software Engineering Institute
The SEI Podcast Series presents conversations in software engineering, cybersecurity, and future technologies.

Jul 1, 2020 • 13min
CMMC Levels 1-3: Going Beyond NIST SP-171
The Cybersecurity Maturity Model Certification (CMMC) 1.0 defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from Defense Industrial Base (DIB) entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all the CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, discuss CMMC Levels 1-3 and what steps organizations need to take to move beyond NIST 800-171.

Jun 15, 2020 • 41min
The Future of Cyber: Secure Coding
For more than 30 years, the cybersecurity community has worked to increase the effectiveness of our cybersecurity and resilience efforts. Today we face an explosion of devices, the pervasiveness of software, the threat of adversarial capability, and the dependence of national capabilities on the cyber domain. These challenges demand that we think about how to achieve the future we need, which is the subject of a new series of podcasts, The Future of Cyber. In this episode, Bobbie Stempfley, director of the CERT Division of the SEI, explores the future of secure coding with Steve Lipner, the executive director of SAFECode and former director of software security at Microsoft, where he created Microsoft's Security Development Lifecycle.

May 28, 2020 • 39min
Challenges to Implementing DevOps in Highly Regulated Environments
In this SEI podcast, Hasan Yasar and Jose Morales discuss challenges to implementing DevOps in highly regulated environments (HREs), exploring issues such as environment parity, the approval process, and compliance. This podcast is the second to explore DevOps in HREs.

May 7, 2020 • 35min
The Future of Cyber: Cybercrime
The culture of computers and information technology evolves quickly. In this environment, how can we build a culture of security through regulations and best practices when technology can move so much faster than legislative bodies? The Future of Cyber Podcast Series explores whether we can use the innovations of the past to address the problems of the future. In this SEI Podcast, David Hickton, founding director of the University of Pittsburgh Institute for Cyber Law, Policy, and Security, sits down with Bobbie Stempfley, director of the SEI's CERT Division, to talk about the future of cybercrime.

Apr 28, 2020 • 16min
An Ethical AI Framework
Artificially intelligent (AI) systems hold great promise to empower us with knowledge and enhance human effectiveness. As a senior research scientist in human-machine interaction at the Software Engineering Institute's Emerging Technology Center, Carol Smith works to further understand how humans and machines can better collaborate to solve important problems and also understand our responsibilities and how that work continues once AI systems are operational. In this podcast, Smith discusses a framework that builds upon the importance of diverse teams and ethical standards to ensure that AI systems are trustworthy and able to effectively augment warfighters.

Mar 26, 2020 • 35min
The CERT Guide to Coordinated Vulnerability Disclosure
In this podcast, Allen Householder and David Warren discuss the CERT Guide to Coordinated Vulnerability Disclosure, which is intended for use by security researchers, software vendors, and other stakeholders in navigating the complexities of informing others about security vulnerabilities.

Feb 26, 2020 • 25min
The Future of Cyber: Security and Privacy
Computers and information technology are getting more and more integrated into our daily lives, so they need to be easy to use. But recent, historically large data breaches have demonstrated the need to make systems more secure and to protect information about individuals. How will the security-privacy-usability triangle successfully accommodate the challenges that the future will bring? In this podcast, Dr. Lorrie Faith Cranor, director of CyLab, sits down with Bobbie Stempfley, director of the SEI's CERT Division, to talk about the future of cyber in security and privacy.

Feb 14, 2020 • 33min
The Future of Cyber: Security and Resilience
For more than 30 years, the cybersecurity community has worked to increase the effectiveness of our cybersecurity and resilience efforts. Today we face an explosion of devices, the pervasiveness of software, the threat of adversarial capability, and the dependence of national capabilities on the cyber domain. These challenges demand that we think about how to achieve the future we need. In this podcast, the first in a series exploring The Future of Cyber, Bobbie Stempfley, director of the CERT Division of the SEI, and Dr. Michael McQuade, vice-president for research at Carnegie Mellon University, explore past and present technologies that have helped to secure our digital infrastructure and how past advancements will help us secure future architectures.

Feb 7, 2020 • 8min
Reverse Engineering Object-Oriented Code with Ghidra and New Pharos Tools
In this podcast, Jeff Gennari and Cory Cohen discuss updates to the Pharos Binary Analysis Framework in GitHub, including a new plug-in to import OOAnalyzer analysis into the NSA's recently released Ghidra software reverse engineering tool suite.

Dec 17, 2019 • 35min
Benchmarking Organizational Incident Management Practices
Successful management of incidents that threaten an organization's computer security is a complex endeavor. Frequently an organization's primary focus is on the response aspects of security incidents, which results in its failure to manage incidents beyond simply reacting to threatening events. In this SEI Podcast, Robin Ruefle and Mark Zajicek discuss recent work that provides a baseline or benchmark of incident management practices for an organization and detail how important it is to focus on preparation for incident management along with coordination and communication of analysis and response activities.


