[Jlab_software] Help With Software Assurance Scope
Kelly Mahoney
mahoney at jlab.org
Mon Jul 27 08:48:18 EDT 2009
As some of you know, the QA/CI department is developing a "Software
Control" procedure as part of the Lab's overall QA framework. Many
comments on the draft document have to do with the scope. Basically,
the document must apply to all JLab software development - everyone
needs some form of software assurance with some minimum set of
attributes that depend on how important the software is to the lab.
However, we have to use a little common sense and know that not every
little piece of software is subject to the QA process. This makes the
definition of the scope of the procedure very important. I include a
copy of the latest draft scope below.
1.) If you would, take a look and give me some constructive feedback on
how it can be both more succinct and utile to you.
2.) How should the scope apply to contractors, users, ...etc?
3.) I would like to hear your opinion on the applicability to
reconfigurable devices like FPGAs. (NASA and DOD handle them similarly.)
Thanks,
Kelly
1 Scope
The scope of this procedure complements the JLab cyber security enclave
structure with the addition of Facilities Management and Safety Systems
software. The procedure specifies software assurance activities and
requirements for software developed, acquired, and maintained by
Jefferson Lab or on behalf of Jefferson Lab. It applies to all JLab
projects, programs, facilities and activities that may have an impact on
JLab's mission and goals. This procedure does not specify specific
processes or models; rather it provides a set of basic requirements and
tools applicable to any lifecycle model.
Individuals responsible for software within each division, department or
group that purchases, develops, modifies, or produces software
applications that may impact JLab's mission shall follow the
requirements of this procedure. The impact to JLab's mission and goals
is assessed using a software risk assessment tool described in section 4
of this document.
This procedure is applicable to all Jefferson Lab software assurance
activities during the entire lifecycle of the software developed or
acquired including:
· internal software development
· software used to collect and manage data
· startup and configuration scripts
· incorporation of open source software
· modified off the shelf (MOTS) software used to design, analyze,
or control safety or mission essential aspects of JLab operations.
· commercial off the shelf (COTS) software used to design, analyze,
or control safety or mission essential aspects of JLab operations.
· programs and firmware for monitoring or control, including
IOCs and PLCs
· modifiable embedded software and firmware including PICs and
PC104 type SBCs
· programs and development software for field programmable
integrated circuits such as Field Programmable Gate Arrays.
· Other software as defined by the JLab Chief Information Officer.
Generally, this procedure applies to configuration items that may impact
Jefferson Lab's ability to conduct operations safely and effectively.
The impact a software configuration item may have is assessed using the
software risk assessment tool referenced in Part 4 of this document.
This procedure only applies to security software configuration items
insofar as the impact ineffective security software controls may
materially affect operations and safety.
Exemptions
1. This procedure does not apply to unmodified general purpose
computing software, unmodified enterprise software, and general purpose
desk-top software managed under the IT/CIO Division. Examples include
office productivity software, public web pages, and LAN/WAN networking
software.
2. Other software configuration items as excluded in writing by the
Jefferson Lab Chief Information Officer (CIO).