
Report to the President on IT Modernization
https://itmodernization.cio.gov

Comment from email: White House ATC RFC - comments from CISQ #86

Open konklone opened 6 years ago

konklone commented 6 years ago

Mr. Liddell, Mr. Wilmer,

My name is Tracie Berardi, program manager of the Consortium for IT Software Quality (CISQ).

I read the IT Modernization report in support of EO 13800. Thank you for making the notification and feedback loop on this plan as open, easy and efficient as possible. It’s great to write to you!

Key message up front: The Federal Government should use standards developed by CISQ to control the cyber security, resiliency, and overall risk of software-intensive systems developed internally or acquired by third parties.

The CISQ Metrics for Security, Reliability, Performance Efficiency and Maintainability, developed over the last nine years by subject matter experts in government and industry across US and Europe, are used to measure the occurrence of critical coding and architectural flaws in the source code of software-intensive systems. It’s the only actionable standard for measuring software characteristics, and it builds on other industry work, such as CWE, and maps to ISO 25000.

This year, the standards are being cited directly in Federal IT contracts.

From GSA, May 2017, Office of the CIO for the Office of Public Buildings statement of work for Project Based IT Services –

"PB-ITS (Project Based IT Services) is seeking to establish code quality standards for its existing code base, as well as new development tasks. As an emerging standard, PB-ITS references the Consortium for IT Software Quality (CISQ) for guidance on how to measure, evaluate and improve software."

The State Department’s $750M Consular Systems Modernization project in acquisition now cites a requirement for software quality standards.

New Texas State legislation has introduced software measurement standards into State IT performance and cybersecurity reporting, led by CISQ Advisor, Herb Krasner.

These examples are trailblazers and we expect to see more of them.

Jack – we look forward to hosting you at the Oct 19 Cyber Resilience Summit: Modernizing and Securing Government IT. How timely! Will be a good brief on CISQ. www.it-cisq.org

Dr. Bill Curtis, CISQ Executive Director, also read the report and asked that I forward you his comments – attached.

Best regards, Tracie

Tracie Berardi
Program Manager
Consortium for IT Software Quality (CISQ)

Attachment: Fed IT Modernization - CISQ comments.docx

konklone commented 6 years ago

[Inlining a best-effort version of the attached comment below. If there were links in the original, they are not maintained in the below version. Download the original attachment in the issue above to see the original comment.]


  1. In sourcing modernization work, Federal agencies should evaluate the capability of their contractors using publicly available frameworks such as CMMI to ensure that the selected contractor has a disciplined process that can deliver high quality on time and budget. The agency should conduct an onsite review of the preferred contractor to ensure the accuracy of previous process assessments and to identify any improvements that should be incorporated into the contract. Key personnel clauses should be incorporated into the contract to ensure that the most knowledgeable and experienced staff are retained for the duration of the contracted work.

  2. Acquisition contracts for software-intensive systems should include the equivalent of service level agreements stating quantitative targets that the system must achieve in acceptance testing for measures of software attributes such as reliability, security, and other quality characteristics. The Consortium for IT Software Quality has produced quality measures of source code that quantify the risk the code possesses in areas such as Reliability, Security, Performance Efficiency, and Maintainability. These measures should be considered as candidates for inclusion in the FISMA measures. All software products received from third parties should undergo thorough acceptance testing prior to entering operations. In addition to standard functional testing, this testing should include static and dynamic analysis and penetration testing. The static analysis should include calculation of the CISQ measures as indicators of the risk inherent in the software of these systems.

  3. Systems migrated to the cloud must be secured against unanticipated interactions with unknown software existing in the cloud. All systems should be statically analyzed to ensure the code is sufficiently cybersecure and the data sufficiently insulated from unanticipated interactions, and that the system is cloud-ready. All paths through the system should be analyzed to ensure there are no unauthorized paths to the data.
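As an added example (not code from this thread, not CISQ's published measure definitions, and not any agency's contract language), here is one way an acquiring agency could turn the quantitative acceptance targets described in point 2 into an automated gate over static-analysis output. The CWE-to-characteristic map, the per-KLOC thresholds, the code-base size and the findings list are all assumptions constructed for illustration; the real CISQ measures have their own published weakness lists and counting rules, which this script does not reproduce.

```python
"""Illustrative acceptance-test quality gate over static-analysis findings.

Added example, not from the thread or from CISQ. Assumptions:
- findings arrive as dicts with a CWE id and a severity (constructed below);
- contractual targets are a maximum number of weaknesses per 1,000 lines
  of code (KLOC) per quality characteristic, plus a hard ceiling on
  critical-severity findings;
- the CWE-to-characteristic map is a small illustrative subset.
"""
from collections import defaultdict

# Assumed mapping of CWE ids to quality characteristics (illustrative only).
CWE_CHARACTERISTIC = {
    "CWE-79": "Security",                # cross-site scripting
    "CWE-89": "Security",                # SQL injection
    "CWE-22": "Security",                # path traversal
    "CWE-798": "Security",               # hard-coded credentials
    "CWE-476": "Reliability",            # NULL pointer dereference
    "CWE-404": "Reliability",            # improper resource shutdown or release
    "CWE-400": "Performance Efficiency", # uncontrolled resource consumption
    "CWE-1121": "Maintainability",       # excessive cyclomatic complexity
}

# Assumed contract targets: maximum weaknesses per KLOC per characteristic.
CONTRACT_THRESHOLDS = {
    "Security": 0.5,
    "Reliability": 1.0,
    "Performance Efficiency": 1.0,
    "Maintainability": 2.0,
}

SAMPLE_LOC = 12_500  # constructed size of the delivered code base

# Constructed static-analysis output for the delivered code base.
SAMPLE_FINDINGS = [
    {"cwe": "CWE-89", "severity": "high", "file": "api/orders.py"},
    {"cwe": "CWE-89", "severity": "high", "file": "api/search.py"},
    {"cwe": "CWE-79", "severity": "medium", "file": "web/render.py"},
    {"cwe": "CWE-79", "severity": "medium", "file": "web/profile.py"},
    {"cwe": "CWE-22", "severity": "high", "file": "files/download.py"},
    {"cwe": "CWE-798", "severity": "critical", "file": "config/db.py"},
    {"cwe": "CWE-798", "severity": "critical", "file": "jobs/export.py"},
    {"cwe": "CWE-476", "severity": "medium", "file": "core/cache.py"},
    {"cwe": "CWE-476", "severity": "medium", "file": "api/users.py"},
    {"cwe": "CWE-404", "severity": "low", "file": "jobs/cleanup.py"},
    {"cwe": "CWE-400", "severity": "medium", "file": "api/upload.py"},
    {"cwe": "CWE-1121", "severity": "low", "file": "core/rules.py"},
    {"cwe": "CWE-1121", "severity": "low", "file": "web/forms.py"},
    {"cwe": "CWE-20", "severity": "medium", "file": "api/import.py"},  # not in the map
]


def weakness_density(findings, loc):
    """Weaknesses per KLOC, grouped by quality characteristic.

    Findings whose CWE is not in the map are grouped under "Unmapped" so a
    gap in the mapping is visible rather than silently dropped.
    """
    if loc <= 0:
        raise ValueError("loc must be positive")
    counts = defaultdict(int)
    for finding in findings:
        counts[CWE_CHARACTERISTIC.get(finding["cwe"], "Unmapped")] += 1
    kloc = loc / 1000
    return {ch: n / kloc for ch, n in counts.items()}


def evaluate_gate(findings, loc, thresholds, max_critical=0):
    """Apply the contractual targets to a set of findings.

    Returns the per-characteristic density, the reasons the delivery fails
    (empty on acceptance), the unmapped CWE ids, and an accepted flag.
    """
    density = weakness_density(findings, loc)
    failures = []
    for characteristic, limit in thresholds.items():
        observed = density.get(characteristic, 0.0)
        if observed > limit:
            failures.append(
                f"{characteristic}: {observed:.2f}/KLOC exceeds target {limit:.2f}/KLOC"
            )
    critical = [f["cwe"] for f in findings if f["severity"] == "critical"]
    if len(critical) > max_critical:
        failures.append(
            f"{len(critical)} critical finding(s) (limit {max_critical}): "
            + ", ".join(sorted(set(critical)))
        )
    unmapped = sorted({f["cwe"] for f in findings if f["cwe"] not in CWE_CHARACTERISTIC})
    return {"accepted": not failures, "density": density,
            "failures": failures, "unmapped": unmapped}


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_LOC, CONTRACT_THRESHOLDS)
    print("ACCEPTED" if result["accepted"] else "REJECTED")
    for reason in result["failures"]:
        print(" -", reason)
    if result["unmapped"]:
        print(" - unmapped CWEs (review the mapping):", ", ".join(result["unmapped"]))
```

On the constructed input the delivery is rejected on two grounds: seven Security-mapped weaknesses in 12.5 KLOC is 0.56/KLOC against a 0.50/KLOC target, and two critical findings exceed the zero ceiling. Unmapped CWEs are reported rather than counted toward a characteristic, so an incomplete mapping cannot quietly lower a density; whether they should also block acceptance is a contract decision, not something the script decides.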