Software and Supply Chain Assurance (SSCA) Fall Forum 2017

Location: MITRE-1, 7525 Colshire Drive, McLean, VA 22102


Cyber risk has become a topic of core strategic concern for business and government leaders worldwide and is an essential component of an enterprise risk management strategy. The Software and Supply Chain Assurance (SSCA) Forum and Working Groups provide a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective mitigation strategies, and any gaps related to the people, processes, or technologies involved.


The effort was initiated in 2003 as a Department of Homeland Security (DHS)-sponsored Cross-Sector Cyber Security Working Group (CSCSWG), established under the auspices of the Critical Infrastructure Partnership Advisory Council (CIPAC), which provides the legal framework for public-private collaboration and participation.


Originally called the Software Assurance (SwA) Forum and Working Groups, its purpose was to bring together a stakeholder community to protect the Nation’s key information technologies, most of which are enabled and controlled by software. The community evolved and broadened the scope to include additional focus on the supply chain and is currently co-sponsored by DHS, the Department of Defense (DoD) Office of the Secretary of Defense, Government Services Agency (GSA), and the National Institute of Standards and Technology (NIST).


SSCA events are held quarterly and are free and open to the public. In general, Summer and Winter sessions are intended for working group-type discussions while the Spring and Fall sessions are reserved for more traditional forum presentations. Interaction is always encouraged.


To receive information about upcoming meetings and related activities, please sign up for the sw.assurance mailing list, operated by NIST, by sending a blank email to






Cybersecurity Workshop at OMG Technical Meeting


Cyber threats facing an organization’s critical infrastructure, mission-critical systems, or any Industrial Internet of Things (IIoT) system, demand a cyber infrastructure that matches their combined enormity and complexity. Risk management solutions must be capable of understanding intricate attack patterns and assessing complex vulnerabilities to give stakeholders confidence in their system’s ability to withstand malicious attacks, operate as intended, and within the appropriate regulatory boundaries.


The OMG’s Cybersecurity Workshop on September 28, 2017 brings together practitioners developing IT standards targeted at the security engineering lifecycle and the digital transformation of business operations. Learn how to plan for, budget, and reduce costs associated with building/acquiring secure and resilient software.


Dr. Bill Curtis, Executive Director of CISQ, will present Code Quality Standards and Technical Debt Management.


This special event is part of the OMG Technical Meeting, September 25-29, 2017 in New Orleans, LA. The registration fee for the Cybersecurity Workshop is $149 and includes lunch and refreshments throughout the day. (Full meeting week registration includes the Workshop!)


The Workshop begins with a cybersecurity primer aimed at executive leadership, managers and engineers. The primer will cover key concepts needed to consistently apply cybersecurity processes across product lines and programs.


Presentations include:

  • Safe, Secure and Reliable Industrial Internet: A Standards Story – Robert A. Martin, Senior Principal Engineer, MITRE; Steering Committee Member, Industrial Internet Consortium
  • Security Views in the UAF (Unified Architecture Framework) – Matthew Hause, GTM Solutions Specialist, Fellow, PTC; Co-Chair, OMG UAF Task Force
  • Model-based Cybersecurity Assessment – Dr. Nikolai Mansourov, CTO, KDM Analytics
  • Federated Threat Analytics and Information Sharing – Cory Casanave, President and CEO, Model Driven Solutions; Co-chair, OMG Government Domain Task Force
  • Cyber Information Sharing and Safeguarding – Mike Abramson, President and CEO, Advanced Systems Management Group (ASMG Ltd.); Co-chair, OMG C4I Domain Task Force
  • Cloud Security and Data Residency Considerations – Claude Baudoin, Owner and Principal Consultant, cébé IT and Knowledge Management; Steering Committee Member, Cloud Standards Customer Council
  • Code Quality Standards and Technical Debt Management – Dr. Bill Curtis, Executive Director, Consortium for IT Software Quality (CISQ); SVP and Chief Scientist at CAST
  • Panel Discussion on Cybersecurity: Cost vs. Protection

AFCEA OKC Technology Day @ Tinker AFB


The AFCEA OKC Technology Day on August 17th brings together AFCEA members and Tinker AFB (Air Force Base) personnel to discuss Information Technology and Cybersecurity. View and demo some of the latest IT products from government and industry partners, attend educational sessions, and network with peers. Registration is complimentary. On Friday, August 18th, spend the day with the AFCEA OKC Chapter on the links at the Tinker Golf Course.


Marc Jones, Director of Federal Outreach at CISQ, will deliver a presentation:


Cyber and Operational Risk Standards and Policy Update.


International standards referenced by DOD and GSA are now available for automating the measurement of software size and structural quality (security, reliability, performance efficiency, and maintainability). Leveraging these measures in software acquisition programs has been shown to elevate operational readiness and lower the corrective-maintenance cost of software-intensive IT and mission systems. Learn how government organizations leverage these standards to quantify risk in multi-tier, multi-language systems at each software delivery to the government. Explore how to use these measures in acquisition, benchmarking, vendor management, and governance. Congress has mandated that all DOD programs have software measurement capability. CISQ is an acquisition-ready standard.

CISQ is a special interest group of the Object Management Group, with engineering support from the FFRDCs Software Engineering Institute (SEI) and MITRE. CISQ’s work and standards are supported by DOD, GSA, NSA, NIST, and DHS.


Attend this presentation to hear best practices for software quality measurement that can be leveraged in Tinker AFB programs.




Agile Dev, Better Software & DevOps East

Learn what you need to build better software now. The Agile Dev, Better Software, and DevOps East events hosted by Techwell are co-located from November 5-10, 2017 in Orlando, FL. With over 100 learning and networking sessions, there will be a wide variety of new things to learn:

  • Projects and teams
  • Personal excellence
  • Going mobile
  • Business analysis and requirements
  • Internet of Things (IoT)
  • Process and metrics
  • Leadership
  • Software quality and testing


One registration gives you access to all three of these industry-leading events.


Register by October 6 using CISQ’s special promo code CECM to save up to an additional $200. Plus, this offer can be combined with early-bird pricing for even more savings.








Measuring IT Project Performances in Texas: House Bill (HB) 3275 Implications

CISQ Advisory Board member, Herb Krasner, has released a position paper for Texas state CIOs and IT leaders seeking guidance on House Bill (HB) 3275 passed in June 2017 requiring the reporting of software quality measurement in Texas State IT projects. Krasner drafted the legislation that was signed into law by Texas governor, Greg Abbott. Directives go into effect on January 1, 2018.


The new law, HB 3275, is available on the CISQ website for review.


Abstract from the position paper, Measuring IT Project Performances in Texas: House Bill (HB) 3275 Implications:


“Texas’ usage of IT is big and getting bigger, but past project performances have a “checkered” history. In June 2017 HB 3275 became law in Texas. It requires state agencies to improve the measuring and monitoring of large IT projects to collect and report on performance indicators for schedule, cost, scope, and quality. If these indicators go out of bounds, more intense scrutiny is then triggered, potentially requiring corrective action. These indicators will be made visible to the public via an online, user-friendly dashboard, and will be summarized annually in a report to state leaders. This new law facilitates the early detection of troubled projects, and helps establish baselines for improvement initiatives. This position paper discusses the implications and challenges of implementing this new law for state and agency IT leadership.”


Professor Herb Krasner recently retired from the University of Texas at Austin. He was the Director of Outreach Services for the UT Center for Advanced Research in Software Engineering (ARiSE) and founder and CTO of the UT Software Quality Institute (SQI). As a systems excellence consultant, his mission, spanning five decades, has been to enable the development of superior software-intensive systems and to stamp out poor-quality software wherever it is found. Mr. Krasner is active in Texas state legislature IT improvement initiatives.







PNSQC 2017


Registration is now open! We are scaling new heights in quality software. Join us in Portland, Oregon, October 9-11.


CISQ is a supporting partner of PNSQC.


The At-a-Glance schedule lays out the full program so you can make plans. The keynote speakers discuss what quality looks like in 2017 (Trends, Tricks and Traps), who exactly is Owning Quality in Agile, and How to Build a Workplace People Love by adding Joy.


Invited speakers cover your doubts, your data collection, your product ecology and more.


The technical tracks keep us focused on Scrum, Lean Start-Ups, AI, the Internet of Things, and Golf. Over lunch we scale new heights with a Mazama and a builder, giving you plenty to think over while you eat.


Turn plans to action and register before September 15 to receive early-bird discounts; groups of 4 or more receive an extra 15% off. Join us in Portland, register now!



How Outsourcing Can Mitigate Cyberrisks in DevOps


Dr. Erik Beulen, Principal, Amsterdam office; Dr. Walter W. Bohmayr, Senior Partner, Vienna office; Dr. Stefan A. Deutscher, Associate Director, Berlin office; and Alex Asen, Senior Knowledge Analyst, Boston office


DevOps agility requires organizational adjustments and additional tooling to ensure cybersecurity. At the same time, the challenges of the cybersecurity labor market drive the need to increase tooling’s impact and to consider outsourcing. In turn, these require carefully focusing on cybersecurity governance, including the assignment of accountability and responsibility.


In DevOps, the business is in the driver’s seat. DevOps characteristics (such as iterative prioritizing and deployment) plus the combined responsibility for development and operations present cybersecurity risks. They also create opportunities. DevOps tools, infrastructure, processes, and procedures can be used to fully automate patch deployments and to continuously monitor, for example, open ports. Best practice is to automate the information-security platform, at a minimum through programmable APIs and preferably with automated access control as well, and to combine containers and container orchestration with hypervisors or physical separation so that an attack on the OS kernel layer has contained impact.


Market Developments


Our analysis of global startup activity in cybersecurity products reveals about 1,000 firms that represent more than $20 billion of investments. This explosion of competing cybersecurity products has driven enterprise reliance on best-of-breed solutions, which requires a lot of coordination and increases the risk of gaps in the cybersecurity landscape. Consolidation of cybersecurity product portfolios through mergers and acquisitions will still take some time—about three to five years. In the enterprise segment, we have to accept best-of-breed solutions and the associated increased complexity for the years to come.


Meanwhile, the service market is also evolving but still scattered. Managed security service providers (MSSPs) provide end-to-end protection, stabilize infrastructure, optimize IT operations, and provide rapid responses to security breaches. On one hand, MSSPs can be used to scale up required capabilities, reduce complexity, and innovate to achieve cyberresilience. On the other hand, the service market is not mature yet, so prior to contracting with an MSSP, companies should rigorously assess a solution’s robustness and vision. Companies should also determine the number and seniority level of the cybersecurity experts at an MSSP.




Accountability for cyberresilience can never be outsourced. Organizations need to build a cybersecurity competence center that oversees the design and maintenance of strategy and requirements, assesses cybersecurity compliance, and evangelizes cybersecurity. (See Exhibit 1.) This competence center manages the business demands. It also directs in-house cybersecurity and MSSPs’ strategy and policies, including standards, frameworks, certification, risk tolerance levels, and attack procedures. The number of MSSPs a company should engage depends on the size of the organization, its cybersecurity requirements, and its capability to manage suppliers. Organizations rarely engage more than three MSSPs, in order to avoid coordination challenges and ensure unambiguous responsibilities.


Exhibit 1: Cybersecurity Competence Center Responsibilities





Responsibilities for cyberresilience have to be embedded from the board level down to each DevOps team. This is not straightforward and requires a constant and intense dialogue embedded in governance structures and involving all stakeholders. At the application level, product owners and scrum masters have to ensure cybersecurity is respected and embraced by the DevOps teams (“cybersecurity by design”). This doesn’t mean developers must become security experts. Rather, product owners must assign dedicated security experts to each DevOps team. This will not be a full-time role, and security experts can be allocated to multiple DevOps teams. However, cybersecurity remains a team responsibility. Scrum masters have to explicitly address cybersecurity in each step of the DevOps lifecycle. This starts with creating cybersecurity awareness by training developers using gamification (such as the Microsoft EOP game[1]). Furthermore, continuously monitoring and measuring cybersecurity performance (service levels) is important. The end goal is to champion cybersecurity by deploying and maintaining software in accordance with the set risk tolerance levels and applicable security standards.




Ensure cybersecurity in DevOps by taking these steps: empowering your product owners and scrum masters, building a competence center, partnering with no more than three MSSPs, using automation, and, of course, making cybersecurity a business agenda item. Also follow the World Economic Forum Working Group,[2] which kicked off cyberresilience through brainstorming!








Gartner Catalyst Conference 2017

Gartner Catalyst Conference gives a comprehensive view into the technologies that will power the future of your digital business.


Technically focused and committed to pragmatic, how-to content, Gartner Catalyst Conference provides practical solutions, actionable advice, and principled objectivity. With access to more than 150 sessions built on forward-thinking Gartner for Technical Professionals (GTP) research, attendees will leave with a framework for project planning and execution and for their own professional development.


Through six conference tracks and four “journeys” tailored to specific roles, you’ll learn how to:

  • Build data and analytics architectures
  • Leverage DevOps to increase data center agility
  • Create scalable security and identity architectures
  • Develop innovative software architectures and practices
  • Formulate and execute your IoT strategy
  • Make sense of blockchain and how to use it
  • Understand the impact of AI and machine learning
  • Take mobility from strategy to execution
  • Achieve digital workplace productivity
  • Explore public and hybrid cloud strategies and cloud-native solutions




STARWEST – Software Testing Conference

October 1-6, 2017

Disneyland Hotel in Anaheim, CA



Wondering why you should attend the STARWEST software testing conference from October 1-6 in Anaheim this year? With over 100 learning and networking sessions, there will be a wide variety of new things to learn, including finding the best solutions to your software testing challenges. Register for the STARWEST software testing conference by September 1 using promo code SWCM to save up to an additional $200. Plus, this offer can be combined with early-bird pricing for even more savings.




Conference highlights include:

  • Pre-conference training classes
  • In-depth half- and full-day tutorials
  • Keynotes featuring recognized thought-leaders
  • Concurrent sessions covering major issues and solutions
  • The Expo, bringing you the latest in software development solutions
  • Networking events: receptions, breakfasts, breaks, and lunches included
  • A full day to explore unique challenges at the Testing & Quality Leadership Summit









Gartner Sourcing & Strategic Vendor Relationships Summit

September 13-15
Gaylord Opryland Resort & Convention Center
Nashville, TN


Special CISQ rate: CISQ members save $325 off the registration fee. Apply the code GARTOMG at registration.


Lead Sourcing and Vendor Management to the Core of Digital Business


Gartner Sourcing & Strategic Vendor Relationships Summit will address how Sourcing, Procurement and Vendor Management can proactively become agents and enablers of digital business. The agenda will focus on both traditional run-the-business sourcing and vendor management best practices as well as new models to increase sourcing’s proactiveness in supporting the organization’s digital business transformation.


The agenda features dedicated tracks for sourcing managers, procurement/contract managers, IT vendor managers, and a track on emerging trends and disruptive technologies. In addition, Gartner’s exclusive Program for Senior Sourcing Executives provides a forum for the most senior level delegates to engage with Gartner analysts and peers in a series of presentations and discussions. Drill down on your hottest sourcing topics based on your role, experience level and key focus.


2017 Agenda tracks:

  • Track A: Sourcing Leaders – Sourcing for the Digital Platform and Business Value
  • Track B: Sourcing and Procurement Managers – Selecting and Contracting for Agility, Innovation and Value
  • Track C: Vendor Managers – Maturing Vendor Management for the Digital Age
  • Track D: All Roles – Embracing Disruptive and Innovative Technology to Gain Competitive Advantage

