Software Assurance in Acquisition and Contract Language
Based on 1.2, the resulting security category of the software system is {(confidentiality, moderate), (integrity, moderate), (availability, low)}.
1.3 Software Security Requirements. Based on the security category for the software system, the minimum security requirements specified in [NOTE: Reference the external document(s)] are required. [NOTE: Minimum security controls may be specified in this paragraph or in an external document similar to FIPS Pub 200; National Institute of Standards and Technology (NIST) SP 800-53; and DODI 8500.2, Enclosure 4.]
1.4 Software Assurance Case. The Software Assurance Case shall be the primary instrument for refining and monitoring software assurance during the life of this contract. The Software Assurance Case shall be developed in conformance with the requirements of ISO/IEC 15026, Systems and software engineering – Systems and software assurance – Part 2: Assurance Case. The supplier shall refine the Software Assurance Case throughout the development process, and the case shall be based on the software assurance requirements of this contract. The Contractor shall submit the case for review. [NOTE: Specify when the case should be reviewed, such as with the submission of the software design.] Lastly, the successful execution of the Software Assurance Case shall be a condition for final acceptance of the software product/service.
SAMPLE LANGUAGE FOR SECURITY CONTROLS – The following is sample language on implementing security controls and standards that may be considered for Federal agency use and may be appropriately modified for other uses. Federal Information Systems and National Security Systems are those defined by the Federal Information Security Management Act (FISMA), NIST standards and publications, and other publications applicable to a particular Federal agency's information systems. In using this language, Federal Information and National Security Systems need to be explicitly defined in accordance with the regulations and publications followed by the organization/agency. Contractor assets may be Contractor information technology or other assets that interface with Federal Information and National Security Systems. Paragraph (b) refers to certification and accreditation or other processes that an organization/agency may require. This should be explicitly stated in this paragraph as well.
Language for Security Controls and Standards
(a) When mitigating or remediating risks to the confidentiality, integrity, and availability of Federal Information Systems, National Security Systems, or Contractor assets that enable possession of, control of, or otherwise enable access to Federal Information or National Security Systems, the Contractor shall implement controls and standards that are as effective as, or more effective than, those implemented by the Agency for the same or substantially similar risks with the same or substantially similar potential measure of harm.
(b) When selecting appropriate controls and standards for protecting the confidentiality, integrity, and availability of Federal Information and National Security Systems, the Contractor shall use the analyses, processes, and standards established for Federal Government systems in the [current organization/agency and other applicable standards] publications.
SAMPLE LANGUAGE FOR SECURE CONFIGURATION OF COMMERCIAL SOFTWARE – The following language is quoted from Office of Management and Budget Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations, dated 1 June 2007 (effective 1 February 2008). This is recommended language that may be supplemented as necessary. This language should also change when the software and the associated regulations and configuration guidance change. The use of common security configurations is included in Part 39 of the Federal Acquisition Regulation. An example for the Windows Vista and Windows XP operating systems (OS) is included below. Other operating system types, such as Linux and Unix, need to be configured securely as well:
Windows Vista and Windows XP Standard Secure Configuration
(a) The provider of information technology shall certify that applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC). This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in
Software Assurance Pocket Guide Series: Software Assurance in Acquisition and Contract Language
Acquisition & Outsourcing, Volume I – Version 1.1, July 31, 2009