An Industry Consortium to Advance Software Quality
The mission of the Consortium for Information & Software Quality™ (CISQ™) is to develop international standards to automate software quality measurement and to promote the development and sustainment of secure, reliable, and trustworthy software. Through the work of CISQ, industry-supported standards have been developed to measure software size, structural quality, and technical debt from source code. These standards are used by IT organizations, IT service providers, and software vendors in contracting, developing, testing, accepting, and deploying software applications.
- Software sizing is used to estimate development projects and measure productivity
- Structural quality refers to the software's security, reliability, performance efficiency and maintainability
- Technical debt is an estimate of corrective maintenance due to weaknesses in the code and architecture
Three new standards development initiatives are underway and we are seeking participation from enterprises, government agencies, universities, suppliers, and vendors engaged in:
Members are IT executives from the Global 2000, system integrators, outsourced service providers, and software technology vendors. CISQ's roadmap includes the development of new standards, certification programs, and deployment activities to advance the state of practice in software engineering. There are two membership levels - individual membership and corporate membership. A benefit of corporate membership is the ablity to participate in standards development.
Over 1500 software-intensive organizations have joined CISQ as members.
History of CISQ's formation
CISQ was co-founded in 2010 by the Object Management Group® (OMG®) and the Software Engineering Institute (SEI) at Carnegie Mellon University. Both organizations were being approached by system integrators and asked to develop standards for measuring the software attributes of reliability and security, as these were starting to appear in development and outsourcing contracts as the equivalent of service level agreements and every customer had a different definition for measurement. Establishing a global standard was an important step for enabling these measures to be used in acquiring IT applications from suppliers or for apples-to-apples comparison in benchmarking applications.
Dr. Bill Curtis joined CISQ as Executive Director and leads the working groups. Dr. Curtis is SVP and Chief Scientist at CAST Research Labs. He is best-known for leading development of the original Capability Maturity Model for software at SEI and is the American lead on the ISO 25000 series of standards.
CISQ strives to maintain consistency with ISO/IEC standards to the extent possible, and in particular with the ISO/IEC 25000 series that replaces ISO/IEC 9126 and defines quality measures for software systems. In order to maintain consistency with the quality model presented in ISO/IEC 25010, software quality characteristics are defined for the purpose of this specification as attributes that can be measured from the static properties of software and can be related to the dynamic properties of a computer system as affected by its software. The 25000 series, and in particular ISO/IEC 25023 which elaborates quality characteristic measures, does not define these measures at the source code level. Thus, this and other CISQ quality characteristic specifications supplement ISO/IEC 25023 by providing a deeper level of software measurement, one that is rooted in measuring software attributes in the source code." - Dr. Bill Curtis
CISQ leverages the Common Weakness Enumeration (CWE) managed by MITRE and other industry bodies of work to specify quality measures for automation. CISQ submits its specifications to OMG and ISO for approval as international standards.
CISQ launched with the name of "Consortium for IT Software Quality" and changed its name to "Consortium for Information and Software Quality" in 2019.
Automation is Critical For Speed and Scale
CISQ brought together world-renowned software engineering experts to define a set of best practices to guarantee optimum reliability, performance efficiency, security, and maintainability. Each quality measure is comprised of a set of checks on source code through static analysis at the unit and system level. A requirement for each measure is that it be automatable in the development toolchain and in supply chain assessment as manual review is infeasible for large multi‐layer, multi‐language, multi‐platform systems. Additionally, DevOps greatly speeds up the deployment of applications, some changing on a daily or even hourly basis, which may result in unintended vulnerabilities without automation.
Deployment of the Standards
CISQ hosts outreach events, influences policy, and briefs analysts and the media on software quality.
- The Cyber Resilience Summit is hosted annually in Washington, DC to influence the cybersecurity and resilience of mission-critical Federal applications
- Events are hosted in cities across North America, Europe and Asia with the support of sponsors
- CISQ launched a Trustworthy Systems Manifesto for executives that set corporate policy to govern the development and maintenance of trustworthy software
- CISQ submits position papers and requests for information regarding policy from several government agencies
Become a member to receive updates and participate in discussion. If your organization would like to contribute to standards development and support this work, take a look at corporate membership.
CISQ is a program managed by the Object Management Group (OMG), a technology standards organization. Read this paper for an introduction to other standards programs.