Software Assurance in Acquisition and Contract Language
Acquisition Process
This pocket guide is organized around the major phases of a generic acquisition process. Figure 2 depicts the relationship of these phases to those of several other processes. Figure 3 depicts the sequence of the planning, contracting, monitoring and acceptance, and follow-on phases of the software acquisition process.
Figure 3 – Generic Software Acquisition Process (phases: Planning, Contracting, Monitoring & Acceptance, Follow-on)

Planning Phase
This phase begins with (1) needs determination for acquiring software services or products, identifying potential alternative software approaches, and identifying risks associated with those alternatives. This set of activities is followed by (2) developing software requirements to be included in work statements; (3) creating an acquisition strategy and/or plan that includes identifying risks associated with various software acquisition strategies; and (4) developing evaluation criteria and an evaluation plan. SwA considerations are discussed for each of the major activities. See the “Software Supply Chain Risk Management and Due-Diligence” pocket guide, where the development and use of SwA due-diligence questionnaires are discussed.

Needs Determination – During the needs determination process, an organization assesses its mission to determine if there are problems in mission performance that could be solved by a software solution. This is followed by an assessment of alternative software-based solutions. Determining the need to acquire software products or services (including software-intensive systems) is the first step in laying the groundwork for full development of software requirements, including SwA requirements.

Risk assessment (synonymous with risk analysis) is the process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.

An initial risk assessment helps determine the security category, baseline security controls and assurance case required for the acquired software. The acquirer should ask, and have answered, all of the risk assessment questions listed below.

Risk Assessment Questions
»» What is the value, in dollars, of the software to be protected?
»» What software assets need to be protected, why, and what are the consequences if they are not?
»» What is the impact of software unpredictability?
»» How is residual risk determined and managed?
»» What are the potential adverse conditions to be prevented and managed?
Software Assurance Pocket Guide Series: Software Assurance in Acquisition and Contract Language, Acquisition & Outsourcing, Volume I – Version 1.1, July 31, 2009