Press Release

CISQ Updates Automated Source Code Quality Measures with Embedded Extensions


NEEDHAM, MA – April 4, 2019 – The Consortium for Information & Software Quality™ (CISQ™) today announced that its updated set of Automated Source Code Quality Measures (ASCQM ) has been approved for finalization by the Object Management Group® (OMG®), a not-for-profit technology standards consortium. First adopted as four separate specifications by OMG in 2016, the four structural quality characteristic measures for Reliability, Security, Performance Efficiency, and Maintainability quantified risk in enterprise and business systems. Today’s announcement extends their applicability to embedded software for the growing implementation of embedded devices and the Internet of Things.

“Functionality that has traditionally been implemented in the source code of IT and business systems is now being moved to embedded systems,” said Dr. Bill Curtis, CISQ Executive Director. “Since most of the weaknesses included in the revised measures apply to all forms of software, the CISQ community recognized the need to revise the specification to reflect that embedded software is included.”

The CISQ Automated Source Code Quality Measures, which are being finalized as an OMG standard, are based on assessing critical violations of good architectural and coding practices in the source code. The Security measure, for example, includes such violations as SQL injection, cross-site scripting, and buffer overflows. These measures conform to the software quality model in ISO 25010 and supplement software measures in ISO 25023.

The Embedded Extensions working group at CISQ included leadership from Synopsys, MITRE, CAST, Carnegie Mellon University, Northrop Grumman, CGI, ISHPI, Tech Mahindra, and Cognizant. The team expanded the previous CISQ measures by adding an additional 35 weaknesses to expand coverage to embedded systems. The specification team, composed of experts from CISQ sponsors, completed the expanded specification within a year.

Joe Jarzombek, Synopsys’ Director for Government, Aerospace & Defense Programs and member of the CISQ Governing Board said, “With IoT, the line has blurred between embedded systems and enterprise systems. Because these CISQ ASCQM enable an assessment of critical violations in software, these measures provide an effective means for determining technical debt in terms of residual risks attributable to exploitable software in network-connectable devices and enterprise systems. Any software that enables safety critical functions, or processes privacy sensitive data, should be checked against these measures. As such, anyone involved with auditing or testing software to determine compliance with regulatory regimes should be using these measures.”

Paul Seay, Northrop Grumman Corporation, stated, “As an organization committed to software quality, we contributed to the advancement of the CISQ standards to address the need to understand the depth of software quality management tools and to encourage tool usage across government and industry. This significant standard revision introduces attributes in software quality measurement that improve software delivery trust in the embedded and IoT technologies.”

Development teams can use the standards to set quality targets that must be achieved before moving a system to production. Additionally, vendor managers can reference the standards as requirements for software quality in their contracts and acceptance criteria. The standards provide strong indicators of the quality of a software system that are highly correlated with the probability of operational or cost of ownership problems.

The CISQ team will present a webinar to introduce the updated standards on May 15, 2019 from 2:00 – 3:00pm ET.

The CISQ measures have been leveraged in IT modernization projects at the U.S. State Department and General Services Administration, as well as in Regulation Systems Compliance and Integrity (Regulation SCI) from the Securities and Exchange Commission.


About CISQ

The Consortium for Information & Software Quality™ (CISQ™) is an industry leadership group that develops international standards for automating the measurement of software size and structural quality from the source code. The standards written by CISQ enable organizations developing or acquiring software-intensive systems to measure the operational risk software poses to the business, as well as estimate the cost of ownership. CISQ was co-founded by the Object Management Group® (OMG®) and Software Engineering Institute (SEI) at Carnegie Mellon University. For more information, visit /.


Ann McDonough
[email protected]
+1 781-444-0404



Note to editors: CISQ is an Object Management Group program. Object Management Group and OMG are registered trademarks of the Object Management Group. For a listing of all OMG trademarks, visit All other trademarks are the property of their respective owners.