Software Assurance in Acquisition and Contract Language
The software supply chain consists of (but is not exclusive to) the following: the acquirers in industry and government, information assurance personnel supporting acquisition managers, decision makers for software procurements (including program/project managers and requirements personnel), prime contractors and subcontractors in their supply chain, and software suppliers. Figure 1 illustrates a few potential paths that software can take.
Figure 1 – Potential Software Supply Chain Paths

[Figure 1: diagram of software supply chain paths. Nodes: User, Purchaser, Supplier; sourcing options: Acquire/Outsource, Develop In-House, Reuse; software types: COTS, Custom, Open-Source; supplier origin: Domestic, Foreign; unknown links marked "?".]
Purpose and Scope
The purpose of this pocket guide is to provide information and increase awareness on how to incorporate SwA considerations in key decisions when acquiring software products and services by contract. The bottom line is to “build security in” and incorporate SwA considerations throughout the software acquisition process. This pocket guide may also be used as a foundation for training and education.
Figure 2 depicts the scope of this pocket guide, which addresses SwA considerations when acquiring software products and services by contract (also called the acquisition process). This pocket guide is written from an acquisition process perspective (activities leading to the award and monitoring of contracts) versus the software development life cycle process perspective (technical activities involving requirements analysis, construction of the software solution, testing, etc.). These processes interact during the life of a contract because technical activities are normally addressed in a contract work statement.
In addition, as noted in Figure 2, this guide addresses the SwA perspective versus a system assurance perspective, although, at times, SwA considerations may overlap with system assurance
Figure 2 – Scope

[Figure 2: Systems Assurance encompassing Software Assurance IN the Acquisition Process (Phases: planning, contracting, monitoring & acceptance, & follow-on) and the Software Development Life Cycle Process (Phases: requirements analysis, design, construction, integration, test, etc.).]
Software Assurance Pocket Guide Series:
Software Assurance in Acquisition and Contract Language
Acquisition & Outsourcing, Volume I – Version 1.1, July 31, 2009