<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
As some of you know, the QA/CI department is developing a "Software
Control" procedure as part of the Lab's overall QA framework. Many
comments on the draft document have to do with the scope. Basically,
the document must apply to all JLab software development - everyone
needs some form of software assurance with some minimum set of
attributes that depend on how important the software is to the lab.
However, we have to use a little common sense and know that not every
little piece of software is subject to the QA process. This makes the
definition of the scope of the procedure very important. I include a
copy of the latest draft scope below. <br>
1.) If you would, take a look and give me some constructive feedback on
how it can be both more succinct and utile to you.<br>
2.) How should the scope apply to contractors, users, ...etc?<br>
3.) I would like to hear your opinion on the applicability to
reconfigurable devices like FPGAs. (NASA and DOD handle them
similarly.)<br>
<br>
Thanks,<br>
<br>
Kelly<br>
<br>
<h1 style="text-align: justify; text-indent: -0.5in; line-height: 125%;"><a
name="_Toc234028251"><!--[if !supportLists]--><span
style="font-family: "Arial Bold","sans-serif"; color: rgb(0, 112, 192);"><span
style="">1</span></span><small><small><span
style="color: rgb(0, 112, 192);">Scope</span></small></small></a><span
style="color: rgb(0, 112, 192);"><o:p></o:p></span></h1>
<p class="MsoBodyText" style="text-align: justify; line-height: 125%;"><span
style="color: rgb(0, 112, 192);">The scope of this procedure
compliments the JLab cyber security enclave structure with the addition
of
Facilities Management and Safety Systems software.<span style=""> </span>The
procedure specifies software assurance activities
and requirements for software developed, acquired, and maintained by
Jefferson
Lab or on behalf of Jefferson Lab. It applies to all JLab projects,
programs,
facilities and activities that may have an impact on JLab’s mission and
goals.
This procedure does not specify specific processes or models; rather it
provides a set of basic requirements and tools applicable to any
lifecycle
model.<span style=""> </span><span style=""> </span><o:p></o:p></span></p>
<p class="MsoBodyText" style="text-align: justify; line-height: 125%;"><span
style="color: rgb(0, 112, 192);">Individuals responsible for
software within each division, department or group that purchases,
develops,
modifies, or produces software applications that may impact JLab’s
mission shall
follow the requirements of this procedure. The impact to JLab’s mission
and
goals is assessed using a software risk assessment tool described in
section 4
of this document.<span style=""> </span><span style=""> </span><o:p></o:p></span></p>
<p class="MsoBodyText" style="text-align: justify; line-height: 125%;"><span
style="color: rgb(0, 112, 192);"><o:p> </o:p><br>
This procedure is applicable
to all Jefferson Lab software assurance activities during the entire
lifecycle
of the software developed or acquired including:<o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="font-family: Symbol; color: rgb(0, 112, 192);"><span style="">·<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">internal software development <o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="font-family: Symbol; color: rgb(0, 112, 192);"><span style="">·<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">software used to collect and manage
data<o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="font-family: Symbol; color: rgb(0, 112, 192);"><span style="">·<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">startup and configuration scripts<o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="font-family: Symbol; color: rgb(0, 112, 192);"><span style="">·<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">incorporation of open source software
<o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="font-family: Symbol; color: rgb(0, 112, 192);"><span style="">·<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">modified off the shelf (MOTS)
software used to design, analyze,
or control safety or mission essential aspects of JLab operations.<span
style=""> </span><span style=""> </span><o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="font-family: Symbol; color: rgb(0, 112, 192);"><span style="">·<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><span style="color: rgb(0, 112, 192);">commercial
off the shelf (COTS) software used to design,
analyze, or control safety or mission essential aspects of JLab
operations.<span style=""> </span><span style=""> </span><o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="font-family: Symbol; color: rgb(0, 112, 192);"><span style="">·<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">programs and firmware for monitoring
or control, including IOCs
and PLCs<o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="font-family: Symbol; color: rgb(0, 112, 192);"><span style="">·<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">modifiable embedded software and
firmware including PICs and
PC104 type SBCs<o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="font-family: Symbol; color: rgb(0, 112, 192);"><span style="">·<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">programs and development software for
field programmable
integrated circuits such as Field Programmable Gate Arrays.<o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="font-family: Symbol; color: rgb(0, 112, 192);"><span style="">·<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">Other software as defined by the JLab
Chief Information Officer.<o:p></o:p></span></p>
<p class="MsoBodyText" style="text-align: justify; line-height: 125%;"><span
style="">Generally, this procedure applies to
configuration items that may impact Jefferson Lab’s ability to conduct
operations safely and effectively. <span style=""> </span>The
impact a software configuration item may have is assessed using the
software
risk assessment tool referenced in Part 4 of this document.<span
style=""> </span><o:p></o:p></span></p>
<p class="MsoBodyText" style="text-align: justify; line-height: 125%;"><span
style="color: rgb(0, 112, 192);">This procedure only applies to
security software configuration items insofar as the impact ineffective
security software controls may materially affect operations and safety.<span
style=""> </span><o:p></o:p></span></p>
<p class="MsoBodyText" style="text-align: justify; line-height: 125%;"><span
style=""><o:p> </o:p></span></p>
<h2
style="margin-left: 0.5in; text-align: justify; text-indent: -0.5in; line-height: 125%;"><a
name="_Toc234028252"><!--[if !supportLists]--><span
style="font-family: "Arial Bold","sans-serif"; color: rgb(0, 112, 192);"><span
style=""><span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;"></span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">Exemptions</span></a><span
style="color: rgb(0, 112, 192);"><o:p></o:p></span></h2>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="color: rgb(0, 112, 192);"><span style="">1.<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">This procedure does not apply to
unmodified general purpose
computing software, unmodified enterprise software, and general purpose
desk-top software managed under the IT/CIO Division.<span style=""> </span>Examples
include office productivity
software, public web pages, and LAN/WAN networking software. <o:p></o:p></span></p>
<p class="MsoBodyText"
style="margin-left: 0.5in; text-align: justify; text-indent: -0.25in; line-height: 125%;"><!--[if !supportLists]--><span
style="color: rgb(0, 112, 192);"><span style="">2.<span
style="font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
</span></span></span><!--[endif]--><span
style="color: rgb(0, 112, 192);">Other software configuration items as
excluded in writing by the
Jefferson Lab Chief Information Officer (CIO).<span style="">
</span><o:p></o:p></span></p>
<br>
</body>
</html>