Software Assurance in Acquisition and Contract Language
7.0 GOVERNMENT INDEPENDENT TESTING. The Government will perform periodic vulnerability testing to evaluate the security of {AGENCY}. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. The intent of testing is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. The frequency of the testing will be at a minimum quarterly and on demand based on the risk associated with newly discovered vulnerabilities.
Conclusion

This pocket guide compiles example RFP/Contract language for integrating SwA into the acquisition life cycle to support risk-based decision making by buyers and software evaluators. For the latest updates and details, visit the web sites listed in the preceding pages and resource box.
The Software Assurance Pocket Guide Series is developed in collaboration with the SwA Forum and Working Groups and provides summary material in a more consumable format. The series provides informative material for SwA initiatives that seek to reduce software vulnerabilities, minimize exploitation, and address ways to improve the routine development, acquisition and deployment of trustworthy software products. Together, these activities will enable more secure and reliable software that supports mission requirements across enterprises and the critical infrastructure.
For additional information or contribution to future material and/or enhancements of this pocket guide, please consider joining any of the SwA Working Groups and/or send comments to Software.Assurance@dhs.gov. SwA Forums are open to all participants and free of charge. Please visit https://buildsecurityin.us-cert.gov for further information.
No Warranty

This material is furnished on an “as-is” basis for information only. The authors, contributors, and participants of the SwA Forum and Working Groups, their employers, the U.S. Government, other participating organizations, all other entities associated with this information resource, and entities and products mentioned within this pocket guide make no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose, completeness or merchantability, exclusivity, or results obtained from use of the material. No warranty of any kind is made with respect to freedom from patent, trademark, or copyright infringement. Reference or use of any trademarks is not intended in any way to infringe on the rights of the trademark holder. No warranty is made that use of the information in this pocket guide will result in software that is secure. Examples are for illustrative purposes and are not intended to be used as is or without undergoing analysis.
Reprints

Any Software Assurance Pocket Guide may be reproduced and/or redistributed in its original configuration, within normal distribution channels (including but not limited to on-demand Internet downloads or in various archived/compressed formats). Anyone making further distribution of these pocket guides via reprints may indicate on the pocket guide that their organization made the reprints of the document, but the pocket guide should not be otherwise altered.
These resources have been developed for information purposes and should be available to all with interests in software security. For more information, including recommendations for modification of SwA pocket guides, please contact Software.Assurance@dhs.gov or visit the Software Assurance Community Resources and Information Clearinghouse at https://buildsecurityin.us-cert.gov/swa to download this document in either format (4”x8” or 8.5”x11”).
Acquisition & Outsourcing, Volume I – Version 1.1, July 31, 2009