Gartner Identity & Access Management Summit

Date: December 3-5, 2018
Venue: Caesars Palace, 3570 Las Vegas Blvd South, Las Vegas, NV 89109
Special rate: CISQ members save $325 off the registration fee. Apply the code GARTOMG at registration.


Discover IAM best practices: From cloud to consumer IAM and beyond


Businesses demand that IAM protect assets, ensure compliance and enable a great customer experience the “digital way”: agile, efficient and customer-friendly. At Gartner Identity & Access Management Summit 2018, you’ll learn how to deliver successful IAM programs that take the business wherever digital transformation leads.


Craft a robust cloud IAM strategy. Automate and simplify IAM processes for agility and efficiency. Meet changing customer needs with consumer IAM. Protect APIs and ramp up fraud protection. What’s the next step on your IAM journey?


Choose from 5 tracks designed to equip you for the next steps on your IAM journey.

  • IAM Strategy and Program Management
  • Identity Governance and Administration
  • Trust, Authentication and Fraud Prevention
  • Access Management and Authorization
  • Security, Risk and Privacy


CISQ announces new study: The Cost of Poor Software Quality in the US: A 2018 Report

This report was written by Herb Krasner, a member of CISQ’s Advisory Board. Herb spent many years at the University of Texas at Austin as Professor of Software Engineering, the Director of Outreach Services for the UT Center for Advanced Research in Software Engineering (ARiSE), and founder and CTO of the UT Software Quality Institute (SQI).


The report aggregates publicly available source material to arrive at a rough estimate of the cost of poor software quality in the United States today. It fills a gap in our understanding of the financial implications of poor-quality software affecting society today and into the future.


In summary, the cost of poor-quality software in the US in 2018 is approximately $2.8 trillion, the main components of which are outlined in the body of the report. If the future principal cost of technical debt is removed, the total becomes $2.26 trillion.


It was our intention to use this report as a starting point for a community discussion. Recommendations for improving the situation are also described.


CISQ Seminar: Software Measurement Standards and Delivery Trends


The Consortium for IT Software Quality (CISQ) is organizing a public event in Bangalore, India at the Tech Mahindra campus. Registration is complimentary.


Topics to be discussed:

  • Trends in software quality and productivity measurement
  • Measuring Agile and DevOps
  • Continuous improvement, quality and agility
  • Delivery trends – Automation, RPA, AI


Speakers:
  • Dr. Bill Curtis, Executive Director, CISQ
  • L. Ravichandran (“Ravi”), COO, Tech Mahindra
  • Abhijit Lahiri, Chief of Transformation, Tech Mahindra
  • Ushasri T S, Senior Vice President and GM, Manhattan Associates
  • Malay Shah, Executive Director, Advisory Services, EY


Admission is complimentary. Click here to register now.



Tech Mahindra Ltd.
Plot No. 45 – 47, KIADB Industrial Area
Phase – II, Electronic City
Bengaluru – 560100 (Karnataka) India
Phone: +91 80 67807777


If you have questions, please email the CISQ program manager, Tracie Berardi, at



Thank you to our host




QA Government & Public Sector Forum: London 2018

The QA Government & Public Sector Forum: London 2018 is QA Media’s first conference for heads of software quality assurance and software risk management designed for the public sector. We are launching at a time when UK government agencies are reviewing their technology partnerships and considering options for future long-term investment in IT.


Delegates will enjoy a day of high-level networking and knowledge-sharing on technologies for continuous integration and deployment of apps. The emphasis will be on automation, including test service virtualization and the application of machine learning to quality assurance.


Paul Bentz, Director of Government and Industry Programs at CISQ, is speaking on the panel, The Changing Role of Third Party Software Vendors and the Public Sector, with Brigid McBride, Programme Director, Digital Change, Ofsted; Matt Villion, Head of Cyber Security Engagement, UK Home Office; and Chris Johnston, Senior Technology Advisor – Government Digital Service, The Cabinet Office.


Also on the agenda:

  • the impact of GDPR
  • benchmarking the quality of code
  • critical decisions around testing in the Cloud.


Learn more & register here

Cyber Resilience Summit Agenda for October 16 Published

Focus on crossroads of modernization and cybersecurity in US Federal Government; launch of CISQ Trustworthy Systems Manifesto


Needham, MA – September 26, 2018 – The Consortium for IT Software Quality™ (CISQ™), an IT industry leadership group that develops standards for automating software quality measurement, today announced that the agenda has been published and registration is open for the Cyber Resilience Summit. CISQ is co-hosting this full-day event in cooperation with the Object Management Group® (OMG®) and the IT Acquisition Advisory Council (IT-AAC) at the Army Navy Country Club in Arlington, Virginia on October 16, 2018.


In its 6th year, the Summit brings together federal IT leaders, the IT standards community, and industry to address how federal agencies are modernizing and securing legacy systems to improve digital services and stay ahead of cyber threats. This year, CISQ Executive Director Dr. Bill Curtis will also introduce the CISQ Trustworthy Systems Manifesto, which is a set of principles to reduce the risk that software-intensive systems pose to the business or mission. Summit participants will have the opportunity to become signatories to the Trustworthy Systems Manifesto.


Registration is required for all attendees. General admission is $250 but is complimentary for government employees and elected officials, not-for-profit organizations, and universities. Registration for the media is complimentary by entering the code CISQPRF18.


Agenda Highlights

The popular “Titans of Cyber” keynote panel returns, featuring presenters from the National Security Agency, Department of Homeland Security, and Office of the Director of National Intelligence who will discuss “Critical Success Factors for Modernizing and Securing Government IT.”


Joe Jarzombek, Director for Government, Defense and Aerospace Programs, Synopsys and CISQ Board Member, will moderate a panel from MITRE, Department of Defense, Department of Commerce and GSA to examine supply chain risk management.

A session is being planned on the Continuous Diagnostics and Mitigation (CDM) program at the Department of Homeland Security, one of the largest cybersecurity federal programs, now moving to phase 4, which targets protection of data and the application stack. Speakers from agencies successfully deploying CDM will participate.

A new agenda item is the Regulators Roundtable, a cross-industry panel that will discuss how cyber risk is measured and how policy is set and implemented in sectors outside of government, including financial services, healthcare, and utilities.

The Summit will conclude with subject matter experts from the standards community who will share their insights for producing cybersecure software followed by closing remarks.


Confirmed Speakers and Panelists

  • Dr. Bill Curtis, Consortium for IT Software Quality Executive Director and Program Chair
  • John Weiler, IT Acquisition Advisory Council Vice Chair and Program Chair
  • Don Davidson, Deputy Director, Cybersecurity Risk Management (+ Chief of SCRM Division), Office of the Deputy DoD-CIO for Cybersecurity
  • Susan Dorr, Director of Cybersecurity Division, Office of the Director of National Intelligence
  • Bethany Dugan, Deputy Comptroller for Operational Risk, Office of the Comptroller of the Currency
  • Dr. Seth Carmody, Cybersecurity Program Manager, FDA
  • Dr. Allan Friedman, Director, Cybersecurity Initiatives, National Telecommunications and Information Administration, U.S. Department of Commerce
  • Mark Hakun, Deputy Chief Information Officer, National Security Agency
  • Chris Hetner, Senior Cybersecurity Advisor to the Chairman, U.S. Securities and Exchange Commission
  • Joe Jarzombek, Director for Government, Defense and Aerospace Programs, Synopsys and Board Member, Consortium for IT Software Quality
  • Shon Lyublanovits, Senior Advisor for Cybersecurity, GSA
  • Robert Martin, Senior Principal Engineer, MITRE
  • Christopher Nissen, Director, Asymmetric Threat Response, MITRE
  • Rodney Petersen, Director, National Initiative for Cybersecurity Education (NICE), NIST
  • Donald Saxinger, Chief, IT Supervision, Division of Risk Management Supervision, FDIC
  • Paul Seay, Northrop Grumman Fellow, Engineering Center of Excellence, NGMS Engineering, Sciences, and Technology, Northrop Grumman Corporation
  • Girish Seshagiri, EVP and CTO, ISHPI Information Technologies and Board Member, Consortium for IT Software Quality
  • Scott Tousley, Deputy Director, Cyber Security Division, U.S. Department of Homeland Security Science and Technology Directorate

The event is supported by CISQ sponsors: CAST, CGI, Cognizant, ISHPI Information Technologies, Northrop Grumman, Synopsys and Tech Mahindra.


About the Event Hosts


The Consortium for IT Software Quality™ (CISQ™) is an IT leadership group that develops international standards for automating the measurement of software size and structural quality from the source code. The standards written by CISQ enable IT and business leaders to measure the risk IT applications pose to the business, as well as estimate the cost of ownership. CISQ was co-founded by the Object Management Group® (OMG®) and Software Engineering Institute (SEI) at Carnegie Mellon University. For more information, visit


The Object Management Group® (OMG®) is an international, open membership, not-for-profit technology standards consortium with representation from government, industry and academia. OMG Task Forces develop enterprise integration standards for a wide range of technologies and an even wider range of industries. OMG modeling standards enable powerful visual design, execution and maintenance of software and other processes. Visit for more information.


The IT Acquisition Advisory Council (IT-AAC) is a public/private “do tank” composed of leading IT public interest groups, standards bodies and government agencies working together to fundamentally transform how the government acquires and manages IT and Cyber solutions. As the “architect of FITARA”, we are ushering in agile standards of practice and innovations emanating from the $4T Global IT market.



Ann McDonough
+1 781-444-0404




Note to editors: CISQ is an Object Management Group program. Object Management Group and OMG are registered trademarks of the Object Management Group. For a listing of all OMG trademarks, visit All other trademarks are the property of their respective owners.

CISQ Hosts September 10 Webinar: Expecting Secure, High-Quality Software: Mitigating Risks throughout the Lifecycle

Speaker: Joe Jarzombek, Director for Government, Aerospace and Defense Programs, Synopsys, Inc.

Date: September 10, 2018 from 2:00 – 3:00pm ET (check your time zone)



This CISQ webinar is brought to you by our sponsor, Synopsys


As the cyber threat landscape evolves and external dependencies grow more complex, managing risk in the supply chain must focus on the entire lifecycle. The Internet of Things (IoT) is contributing to a massive proliferation of many types of software-reliant, connected devices throughout critical infrastructure sectors. With IoT increasingly dependent upon third-party software of unknown provenance and pedigree, software composition analysis and other forms of testing are needed to determine ‘fitness for use’ and trustworthiness. Application vulnerability management should leverage automated means for detecting weaknesses and vulnerabilities. Addressing software supply chain dependencies enables enterprises to harden their attack surface by comprehensively identifying exploitable components and providing more responsive mitigations. Security automation tools and services, together with testing and certification programs, now provide means that organizations can use to reduce risk exposures attributable to exploitable software in IoT devices.


Attendees will learn:

  • How external dependencies create risks throughout the IoT/software supply chain;
  • How software composition, static code analysis, fuzzing, and other forms of testing can be used to determine weaknesses and vulnerabilities that represent vectors for attack and exploitation;
  • How testing can support procurement and enterprise risk management to reduce risk exposures attributable to exploitable software in IoT devices.


The webinar presentation will be available on this webpage to view or download after the event.




College Degrees Now Available for Secure Software Development

Tracie Berardi, Program Manager, Consortium for IT Software Quality (CISQ)


Cybersecurity training and workforce development are a common theme, and a commonly proposed solution, at conferences that discuss the challenges of cybersecurity and the future as we know it: developing, architecting and living within digital IT ecosystems. Who’s steering the ship? Do leaders understand the security threats, and do their teams know how to develop secure, resilient and trustworthy systems for the future? For years, IT was siloed and focused predominantly on functionality. Web-based applications and services expanded the attack surface.


Amidst these fast-paced technological changes, there is good news for workforce development, because with a skills gap comes opportunity.


The Software Engineering Institute (SEI) at Carnegie Mellon University is one of the premier centers in the U.S. for software engineering. The SEI has developed Software Assurance Curricula with support from the U.S. Department of Homeland Security. The curricula available include:


  • Master of Software Assurance Curriculum
  • Undergraduate Software Assurance Curriculum
  • Community College Software Assurance Curriculum
  • Software Assurance for Executives


I spoke with Girish Seshagiri, EVP and CTO of ISHPI Information Technologies, who explained that in the United States we now have three community colleges that offer an Associate Degree in Secure Software Development based on the SEI curriculum and adoption guidelines.


Girish is passionate about this subject. He is on CISQ’s Board, co-chair of the National Initiative for Cybersecurity Education (NICE) apprenticeship sub-working group, and co-founder of the Community Initiative Center of Excellence for Secure Software (CICESS). CICESS promotes a dual-model apprenticeship in partnership with community colleges. Girish’s employer, ISHPI, was an early adopter of the apprenticeship model at the ISHPI AIS Software Development Division in Peoria, IL. Students take college courses while participating in paid, on-the-job experience.


The CICESS GP project won the 2018 Innovations in Cybersecurity Education Award (curriculum category) from the National CyberWatch Center, a National Science Foundation-funded Advanced Technological Education Center at Prince George’s Community College in Largo, Maryland.


Here’s a recent article in Community College Daily:


9th Annual Billington Cybersecurity Summit


Launched around the time of the formation of the U.S. Cyber Command in 2010, Billington CyberSecurity is a leading independent media company. It produces the leading fall forum on cybersecurity in the nation’s capital, a newsletter, white papers, the annual International Cybersecurity Summit and the recently launched Billington Cybersecurity Leadership Council.


The 9th Annual Billington Cybersecurity Summit is September 6, 2018 at the Walter E. Washington Convention Center in Washington, DC. The program is from 7:00 – 5:00. View the agenda here.


IAOP Outsourcing World Summit (OWS) 19


Level Up Your Collaborative Partnerships


The Outsourcing World Summit (OWS) series is hosted by the International Association of Outsourcing Professionals (IAOP).


It is happening fast. Old ways give way to new business models, processes and philosophies; collaboration is imperative; innovation is not optional; the workplace is modernized. Technologies like RPA, cognitive, AI and blockchain are at the forefront of this disruption, but it’s not just tech. Geopolitics have stormed to center stage, turning globalization on its head. The ‘gig economy’ is changing the labor force.


The race to deliver the most affordable and efficient services is on; how do you make sense of the opportunities and then maximize them?


Join IAOP and hundreds of customers, service providers, advisors and academics, on February 17-20, at the Marriott World Center Orlando, in Orlando, Florida, as we examine these and other topics critical to your success.


We are pleased to announce that Dr. Bill Curtis, CISQ Executive Director, is delivering a presentation, Acquiring Trustworthy Software with Software Quality Measurement Standards.




Software and Supply Chain Assurance (SSCA) Fall Forum 2018

Cyber risk has become a topic of core strategic concern for business and government leaders worldwide and is an essential component of an enterprise risk management strategy. The Software and Supply Chain Assurance Forum (SSCA) provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective practices and mitigation strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved.


The effort is co-led by the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), the Department of Defense (DoD), and the Government Services Agency (GSA). Participants represent a diverse group of career professionals including government officials, chief information security officers, those in academia with cybersecurity and supply chain specialties, system administrators, engineers, consultants, vendors, software developers, managers, analysts, specialists in IT and cybersecurity, and many more fields.


SSCA forums are held two to three times a year and are free and open to all interested parties.


While the general intent is to share information, the SSCA Forum also offers government and private sector participants, including international participants, an opportunity to openly collaborate by presenting and receiving feedback on current and potential future work. Most events are two to three days long and contain a mixture of discussion and presentation; interaction is always strongly encouraged. To encourage open interaction, SSCA Forum meetings operate under the Chatham House Rule, meaning “participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed,” though many speakers allow NIST to post their presentations on this website.


To receive information about upcoming meetings and related publications and activities, please sign up for the sw.assurance mailing list, operated by NIST, by sending a blank email to


Visit to view upcoming meetings.