CISQ & IT Risk Management: Minimizing Risk in Government IT Acquisition


On March 15, CISQ hosted the Cyber Resilience Summit in Washington, D.C., bringing together nearly 200 IT innovators, standards experts, U.S. Federal Government leaders and attendees from private industry. The CISQ quality measures have been instrumental in guiding software development and IT organization leaders concerned with the overall security, IT risk management and performance of their technology. It was invigorating to be amongst like-minded professionals who see the value in standardizing performance measurement.

IT Risk Management – CISQ Cyber Resilience Summit, Washington, D.C.

The Summit covered topics from the layered cybersecurity defense approach taken by the NSA, to the impact of acquisition policy on the reliability and security of Federal software-intensive systems. I had the privilege of presenting alongside Emile Monette of the U.S. General Services Administration, John Weiler of IT-AAC, and Richard Spires, currently of Learning Tree International and recently CIO of the U.S. Department of Homeland Security.

Our panel was focused on IT Acquisition and driving down cyber risk. As we analyzed the current status quo, we made four key findings:


  1. Federal acquisition goals differ from those of the Private Sector. While Private Sector companies are more concerned with increasing revenue and reducing inefficiencies, Government acquisition policy is focused on ensuring fairness and providing fiscal stimulus to underprivileged American businesses. This means low-cost, secure solutions are not always the primary focus.
  2. Goals of acquisition and IT teams need to be aligned. In addition to not prioritizing the bottom line, Government IT acquisition leaders and CIOs have different incentives, with CIOs focusing on development and deployment. These groups must align their goals in order to get reliability and security built into the foundation of federal software.
  3. There is a lack of framework. Current federal guidelines like NIST are useful in establishing cybersecurity standards, but a more specific framework of reliability and security standards, one that can be cited as a requirement, is needed to support successful IT Acquisition.
  4. The Private Sector is beating Federal IT in acquisition practices. Private companies are getting more bang for their buck in acquisition, and shareholders are getting more ROI than the taxpayer.

CAST is working closely with industry groups such as CISQ to implement best-in-class measurement standards that will aid both the private and public sector. The software measurement standards that pertain to software risk and resilience - those focused on the full application and transactions rather than only code quality - are of particular importance to industry.

Poor quality code makes it harder to build onto systems over time, and it exposes software to more threats from hackers. Too often security is not a key factor in the beginning stages of software development, creating a difficult environment to secure and protect.

At CAST, we have established five key measurement qualities: Robustness, Efficiency, Security, Changeability and Transferability. Customers around the globe are identifying and mitigating security flaws before they turn into risks, saving immeasurable time and resources. As we continue to work with our government customers on IT risk management, we look forward to seeing the taxpayer reap the benefits of quality software.

Lev Lesokhin, EVP, Strategy and Analytics at CAST
Lev spends his time investigating and communicating ways that software analysis and measurement can improve the lives of apps dev professionals. He is always ready to listen to customer feedback and to hear from IT practitioners about their software development and management challenges. Lev helps set market & product strategy for CAST and occasionally writes about his perspective on business technology in this blog and other media.