CISQ Newsletter
January 2019



Standards Update

V2 of Code Quality Standards Coming Soon!

In December, the Embedded Extensions Working Group submitted an updated set of Automated Source Code Quality Measures to the Object Management Group (OMG) for measuring Security, Reliability, Performance Efficiency and Maintainability. This update includes a refresh of critical software weaknesses in each measure. The first set of measures was approved as OMG standards in 2015 and was initially developed for enterprise and business systems. This update addresses the uptake of IoT and its security. We will make an announcement and present a webinar when the new measures are approved.

The next time you visit the Common Weakness Enumeration (CWE) you will see a new CISQ view that maps the quality measure standards to the CWE. The CWE is a repository of 800+ software weaknesses (also known as "CWEs") that cause security issues. There are many CWEs, and these views provide guidelines to prioritize the mitigation of the most critical weaknesses. The CISQ view is alongside the CWE / SANS Top 25 and OWASP Top 10, referencing the CISQ standard for Security and other complementary measures for Reliability, Performance Efficiency and Maintainability inherently tied to the trustworthiness of software. 

I'd like to thank the CISQ team from CAST, Synopsys, MITRE, SEI, Northrop Grumman, CGI, Tech Mahindra, ISHPI, and Cognizant for your great work on the measures.

If you are establishing code quality standards in your organization, we recommend that you use the CISQ measures as a baseline for improving quality and security. 

Dr. Bill Curtis
Executive Director


Upcoming Webinar

Spotlight on IT Vendor Management 

Vendor-supplied software has become a high-value/high-risk acquisition to Vendor Management Offices (VMOs) in every industry vertical. The sourcing of Application Development and Maintenance (ADM) is shifting from time and material to outcome-based agreements. This webinar will discuss best practices and measures to use in managing your software vendors to ensure you are protecting your organization from unnecessary risk.  Register now!



Do you have plans to attend IAOP's Outsourcing World Summit (OWS19), February 17-20 in Orlando, FL? Lev Lesokhin, CISQ Governing Board Member, presents Acquiring Trustworthy Software with Software Quality Measurement Standards on Tuesday, February 19. 

Welcome New Sponsor!

University of Southern California Joins CISQ

Please join us in welcoming the University of Southern California, Center for Systems and Software Engineering as CISQ's first academic sponsor! 

Dr. Barry Boehm has joined the CISQ Governing Board to help lead the consortium. Dr. Boehm is USC's Distinguished Professor of Computer Science, Industrial and Systems Engineering and Astronautics. 

I've been impressed with CISQ's influence in systems and software qualities, both in getting them more emphasized in systems engineering, development, acquisition, and life cycle management. USC is a partner with the Stevens Institute in leading the DoD Systems Engineering Research Center, where I've been the Chief Scientist and leader of a 5-year, 8-university project: Systems Qualities, Ontology, Tradespace, and Affordability, which identified Maintainability as a key to several other qualities, and Technical Debt as a key to improving maintainability, where we also found CAST and CISQ as leaders. I am looking forward to working within CISQ on these critical issues.

Read the press release

Become a Signatory  

Trustworthy Systems Manifesto

As businesses and governments automate more of their business and mission processes, the risks to which software-intensive systems expose the organization grow dramatically. IT-related incidents at Knight Capital, SWIFT, Target, and United Airlines far exceeded $100 million in damages.

The Trustworthy Systems Manifesto outlines 5 principles for senior executives who are charged with setting policy and need guidance on how to govern the risks of untrustworthy systems:

  1. Engineering discipline in product and process
  2. Quality assurance to risk tolerance thresholds
  3. Traceable properties of system components
  4. Proactive defense of the system and its data
  5. Resilient and safe operations

Dr. Bill Curtis joined a Software Ate My Homework podcast on the subject of "Can We Trust Our Software?" You can listen to the podcast or read the transcript. There's also a webinar introducing the Manifesto with a link to download the deck or view the video.


Supply Chain Risk Management in the News

Both houses of the US legislature passed the SECURE Technology Act, which combines three existing bills to establish a Federal Acquisition Security Council to help reduce the supply chain threat for federal agencies, and establish a bug bounty and vulnerability disclosure program at the Department of Homeland Security (DHS). CISQ is discussing how to advise stakeholders on this subject. 

Pencil in a couple of meetings on your calendar:

If you are interested in participating in these meetings, please contact Tracie Berardi at  


Upcoming Events 

IAOP Outsourcing World Summit (OWS) 19, February 17-20, Orlando, FL. CISQ presents Acquiring Trustworthy Software with Software Quality Measurement Standards on Feb. 19.

Shared Services and Outsourcing Week (SSOW), March 11-14, Orlando, FL. CISQ members save 20% off the registration fee with the code 23SSOW_CISQ.

OMG Technical Meeting, March 18-22, Reston, VA. 

STAREAST, April 28 - May 3, Orlando, FL. CISQ members save $200 off the registration fee with the code SECM.

Software and Supply Chain Assurance (SSCA) Forum, May 7-8, MITRE in McLean, VA. 

Gartner Enterprise Architecture and Technology Innovation Summit, May 14-15, Orlando, FL. CISQ members save $350 off the registration fee with the code GARTCISQ.




CISQ Sponsors, Thanks for the Great Support!

CAST, CGI, ISHPI, Tech Mahindra, Synopsys, Northrop Grumman

About CISQ

The Consortium for IT Software Quality™ (CISQ™) is an IT industry leadership group comprised of IT executives from the Global 2000, system integrators, outsourced service providers, and software technology vendors committed to introducing computable metrics standards for measuring software quality and size. CISQ is a neutral, open forum in which customers and suppliers of IT application software can develop an industry-wide agenda of actions for improving IT application quality and reducing cost and risk.
