NASA Policy Directive
NPD 2820.1C
Effective Date: August 31, 2005
Expiration Date: August 31, 2010
This policy covers software created, acquired, or maintained by or for NASA including commercial off-the-shelf software (COTS), Government off-the-shelf software (GOTS), modified off-the-shelf software (MOTS), and open source, embedded, reuse, legacy, and heritage software. This software shall be classified consistent with risk and functionality.
NASA policy regarding software activities for each project is to accomplish the following:
a. Manage, engineer, acquire, create, assure, and maintain software to deliver quality software on time, within budget, and within technical acceptability. Elaboration of the Agency's approach for delivering software is provided in NASA Policy Directives (NPDs), NASA Procedural Requirements (NPRs), technical standards, and processes (see Attachment 1, NASA Policy Directives (NPD) and NASA Procedural Requirements (NPR), that apply to NASA software activities, Attachment 2 for relevant references, and Attachment 3 for the NASA Software Documentation Tree).
b. Consistent with the software classification:
(1) Implement and integrate software engineering processes and practices with other system development/acquisition and program/project processes and practices.
(2) Require software providers (includes internal NASA providers) to have proven organizational capabilities and experience to deliver quality software on time, within budget, and within technical acceptability.
(3) Require software providers to develop a plan to manage software throughout the program/project life cycle. This plan shall include the collection and reporting of actual software related expenditures at the project level by life cycle phases.
(4) Include NASA software assurance practitioners in software acquisition, review, verification, maintenance, and certification processes.
(5) Projects shall ensure software providers allow access to software and associated artifacts to enable insight/oversight by software engineering and software assurance which includes Independent Verification and Validation (IV&V) and NASA's Safety and Mission Assurance organizations.
c. Use the NASA IV&V Facility as the sole provider of IV&V services when software created by or for NASA is selected for IV&V by the NASA Chief Safety and Mission Assurance Officer.
d. NASA's policy regarding intellectual property protection of software and the release of software is to accomplish the following:
(1) Report and inventory software created by or for NASA as valuable intellectual property as required in NPR 2210.1.
(2) Manage and protect software created by or for NASA as valuable intellectual property during all phases of the life cycle. Assert intellectual property rights for software, where deemed appropriate, in order to facilitate its transfer and reuse by commercial, industrial, educational, and government organizations.
(3) Establish uniform procedures and requirements concerning the release of software created by or for NASA that will maximize its benefit to NASA, the U.S. public, and the U.S. economy.
(4) Release software in accordance with NPR 2210.1, External Release of NASA Software, consistent with law and applicable agreements, for commercial, industrial, educational, and governmental purposes.
(5) Establish procedures to ensure Agency compliance with copyright laws protecting computing software and with the provisions of Executive Order 13103, Computer Software Piracy, including the adoption of software asset management procedures to ensure that the Agency does not acquire, reproduce, distribute, or transmit computer software in violation of applicable copyright laws.
a. This directive applies to NASA Headquarters and Centers, including Component Facilities, and to the Jet Propulsion Laboratory to the extent defined in its contract, for all software activities initiated by NASA after the effective date of this directive. This directive applies to software activities initiated by NASA prior to the effective date when determined by either the responsible Official-in-Charge of the sponsoring Mission Directorate, Mission Support Office, or the Center Director of the implementing Center.
b. For purposes of release under NPR 2210.1, this Directive is applicable to the release of all unclassified software: (1) created exclusively by, or jointly with, NASA employees as part of their official duties; (2) created by a non-federal party where intellectual property rights to the software have been assigned to the U.S. Government, or licensed to the Government with the right to grant sublicenses; or (3) in the lawful possession of NASA, except as otherwise provided in Section P.2 of NPR 2210.1.
c. Definitions: Software - as used in this NPD means computer programs, procedures, rules, and associated documentation and data pertaining to the development and operation of a computer system. Software also includes COTS, GOTS, MOTS, embedded software, reuse, heritage, legacy, auto generated code, firmware (instructions, logic, or associated data loaded into programmable devices), and open source software components. Note that only for purposes of the NASA Software Release program, the term "software," as utilized in NPR 2210.1, does not include computer databases nor software documentation.
Software activities - as used in this NPD includes software management, engineering, acquisition, creation, assurance, maintenance, and release.
Definitions for the terms COTS, GOTS, heritage software, MOTS, legacy software, software reuse, and classes of software are provided in NPR 7150.2.
a. 42 U.S.C. §2451, et seq. of the National Aeronautics and Space Act of 1958, as amended.
b. 44 U.S.C. §3501, et seq., Paperwork Reduction Act of 1995 (Public Law 104-13), as amended.
c. 40 U.S.C. §§11101, et seq., Information Technology Management, Public Law 107-217, repealing and reenacting the Clinger Cohen Act of 1996, as amended.
d. 35 U.S.C. §200, et seq., Patent Rights in Inventions Made With Federal Assistance.
e. 22 U.S.C. §2751, et seq., Arms Export Control Act, as implemented by the International Traffic in Arms Regulations, 22 CFR Part 120-30.
f. 50 U.S.C. §§2401-2420, Export Administration Act of 1979, as implemented by the Export Administration Regulations, 15 CFR Part 730-774.
g. 29 U.S.C. §§794d, the Rehabilitation Act Amendment of 1998.
h. 36 CFR Part 1194, Electronic and Information Technology Accessibility Standards.
i. OMB Circular A-130, Management of Federal Information Resources.
j. Executive Order 13103, Computer Software Piracy.
a. See Attachment 1 for NASA Policy Directives (NPD) and NASA Procedural Requirements (NPR) that apply to NASA software activities.
b. See Attachment 2 for references that are relevant to NASA software activities.
The NASA Chief Engineer, NASA Chief Information Officer (CIO), NASA Chief Safety and Mission Assurance Officer, Associate Administrators for Mission Directorates, and Center Directors are responsible for promoting software policies, standards, best practices, and guidance in their areas of responsibility under this NPD. They shall coordinate efforts to maximize the commonality, clarity, and effectiveness of direction and guidance. Roles and responsibilities for all NASA entities relative to this policy are carried out within the framework of the NPD 1000.0, Strategic Management and Governance Handbook, and are not repeated.
a. The NASA Chief Engineer shall integrate NASA software management, acquisition, engineering, and assurance requirements into policies, directives, and standards applicable to NASA's systems engineering, and program and project management processes. The Chief Engineer shall also document NASA guidance and best practices to support NASA's systems engineering and program and project management processes. The Chief Engineer shall establish and manage the Agency's software classification definitions and maintain the Software Inventory. The Chief Engineer and the Engineering Management Board (EMB) shall charter a Software Working Group (SWG) to oversee the implementation and update of an Agencywide plan to work toward continuous, sustained software engineering process and product improvements, and to ensure appropriate visibility of software issues within the Agency. The Chief Engineer chairs the Software Steering Board (SSB) that is chartered in NPD 1000.3 to strengthen Agencywide coordination and communication of cross-cutting software investments, resolve issues, respond to significant external surveys/audits/reviews, and facilitate the establishment of policies affecting the Agency. The Chief Engineer shall establish a discipline Technical Warrant Holder for software engineering. The NASA Chief Engineer is responsible for the establishment and enforcement of policies and procedural requirements in this directive.
b. The NASA CIO shall establish Information Technology (IT) security and IT policies and ensure that IT and information resources are managed in a manner that best serves the Agency and aligns with Federal policies and directions; manage NASA's IT investments; and enable access to information and services. The CIO chairs the Chief Information Officer Board. The CIO is responsible for ensuring that Executive Order 13103, Computer Software Piracy, is effectively and efficiently implemented by NASA. The CIO shall appoint and support representatives to the Software Working Group.
c. The NASA Chief Safety and Mission Assurance Officer shall:
(1) Assure the safety, quality, and reliability of NASA software.
(2) Review project software processes and make recommendations to projects, governing Program Management Councils (PMC), Mission Directorates, and independent Technical Authorities.
(3) Conduct oversight of NASA's software assurance programs.
(4) Conduct compliance verification audits of programs/projects to ensure compliance with this directive.
(5) Independently assess project software management, engineering, and assurance practices.
(6) Oversee the functional management of the NASA IV&V Program and assure the performance of all of IV&V processes, services, and activities.
(7) Establish and manage processes for the selection of software to which to apply IV&V.
(8) Charter the IV&V Board of Directors (IBD) which makes prioritized recommendations for allocating IV&V services to projects based on the annual Software Inventory (maintained by the Chief Engineer) and the Office of Safety and Mission Assurance (OSMA) defined process.
(9) Select and maintain the list of software projects to which IV&V is to be applied.
(10) Appoint and support representatives to the Software Working Group.
d. The IV&V Program Manager shall 1) establish and manage the Agency's software IV&V services and procedures; 2) establish, maintain, and report on the results of IV&V services and findings; and 3) support NASA's program for improving software assurance and other trusted verifications (e.g., independent assessments, peer reviews, and research). The IV&V Facility shall determine and document the services provided by the Facility on projects selected for IV&V by the NASA Chief Safety and Mission Assurance Officer.
e. The Associate Administrator for Exploration Systems (AA-ESMD) or designee, the Director of the Innovative Partnership Program (IPP), is responsible for the overall management of the NASA software release program under NPR 2210.1 and shall establish and implement software release procedures, requirements, and supplemental policy in cooperation with the General Counsel or designee. The AA-ESMD shall charter a Software Release Authority Working Group (SRAWG) to oversee the software release process. The SRAWG will coordinate with the SWG to ensure appropriate visibility of software issues within the Agency. Additional responsibilities for the NASA software release program are provided in NPR 2210.1.
f. Mission Directorate Associate Administrators and Center Directors shall appoint and support representatives to the SWG. The Center Directors are responsible for the center's software improvement activities, as defined in the Center Software Improvement Plans and Center Software Training Plans. The Center Directors shall appoint and support an individual as the Center's Software Release Authority (SRA) and may appoint a group of individuals as the Software Release Group to be chaired by the Center SRA in accordance with NPR 2210.1. The SRA shall be the Center representative on the SRAWG. The Chairperson of the SRAWG shall be a member of the SWG.
g. The governing PMC shall review program and project software processes and products including, but not limited to, evidence of conformance to this policy; use of insight/oversight; use of IV&V and other trusted verifications (e.g., independent assessments and peer reviews); and risk mitigation processes, as appropriate, based on program/project consequences of failure, risk, complexity, life span, size, and cost.
h. Center Directors shall provide the Chief Engineer with information to support the creation of the Software Inventory.
i. The Assistant Administrator for Diversity and Equal Opportunity shall provide assistance, advice, and coordination to ensure voluntary compliance with equal opportunity requirements regarding the accessibility of information electronic technology, including software, for persons with disabilities.
None
a. Specific responsibilities for collecting, analyzing, and reporting software engineering and releasing metrics are contained in NPR 7150.2 and NPR 2210.1.
b. Performance measures will be implemented to assess the Agency's compliance with intellectual property rights associated with computer software acquired, distributed, or used by the Agency in accordance with Executive Order 13103, Computer Software Piracy.
a. NPD 2820.1A dated May 29, 1998, and NPD 2820.1B dated April 29, 2005.
b. NPD 2210.1B dated December 26, 2001, and revalidated April 29, 2004.
c. NPD 8730.4A dated August 1, 2001, and revalidated April 29, 2004.
The following NASA Policy Directives (NPD) and NASA Procedural Requirements (NPR) apply to NASA software activities:
(1) NPD 1000.0, Strategic Management and Governance Handbook.
(2) NPD 1000.3, The NASA Organization.
(3) NPD 1280.1, NASA Management Systems Policy.
(4) NPD 1440.6, NASA Records Management.
(5) NPD 2081.1, Nondiscrimination in Federally Assisted and Federally Conducted Programs of NASA - Delegation of Authority.
(6) NPD 2091.1, Inventions Made by Government Employees.
(7) NPD 2110.1, Foreign Access to NASA Technology Transfer Materials.
(8) NPD 2190.1, NASA Export Control Program.
(9) NPD 2800.1, Managing Information Technology.
(10) NPD 2810.1, NASA Information Security Policy.
(11) NPD 7120.4, Program/Project Management.
(12) NPD 7500.2, NASA Technology Commercialization Policy.
(13) NPD 8700.1, NASA Policy for Safety and Mission Success.
(14) NPR 1441.1, NASA Records Retention Schedule.
(15) NPR 2190.1, NASA Export Control Program.
(16) NPR 2210.1, External Release of NASA Software.
(17) NPR 2800.1, Managing Information Technology.
(18) NPR 2810.1, Security of Information Technology.
(19) NPR 7120.5, NASA Program and Project Management Processes and Requirements.
(20) NPR 7150.2, NASA Software Engineering Requirements.
(21) NPR 7500.1, NASA Technology Commercialization Process.
(22) NPR 8705.2, Human-Rating Requirements for Space Systems.
The following references are relevant to NASA software activities:
(1) NASA-STD-8719.13, NASA Software Safety Standard.
(2) NASA-STD-8739.8, NASA Software Assurance Standard.
(3) NASA-GB-A201-89, NASA Software Assurance Guidebook.
(4) NASA-GB-8719.13, NASA Software Safety Guidebook.
(5) NASA-GB-001-96, Software Engineering Program - Software Management Guidebook, November 1996.
(6) NASA/TP-98-208193, NASA Formal Methods Specification and Analysis Guidebook for the Verification of Software and Computer Systems, Volume I: Planning and Technology Insertion, December 1998.
(7) NASA-GB-001-97, NASA Formal Methods Specification and Analysis Guidebook for the Verification of Software and Computer Systems, Volume II: A Practitioner's Companion, May 1997.
(8) NASA-STD-2202-93, NASA Software Formal Inspection Standard.
(9) Carnegie Mellon University/Software Engineering Institute, Continuous Risk Management Guidebook, 2002.
(10) CMU/SEI-93-TR-24, The Capability Maturity Model for Software, Version 1.1, February 1993.
(11) CMU/SEI-93-TR-25, Key Practices of the Capability Maturity Model, Version 1.1, February 1993.
(12) CMU/SEI-2002-TR-010, Software Acquisition Capability Maturity Model (SA-CMM), Version 1.03, March 2002.
(13) CMU/SEI-2002-TR-011, CMMI for Systems Engineering/Software Engineering/Integrated Product and Process Development/Supplier Sourcing, Version 1.1, Continuous Representation (CMMI-SE/SW/IPPD/SS, V1.1, Continuous), March 2002.
(14) CMU/SEI-2002-TR-012, CMMI for Systems Engineering/Software Engineering/Integrated Product and Process Development/Supplier Sourcing, Version 1.1, Staged Representation (CMMI-SE/SW/IPPD/SS, V1.1, Staged), March 2002.
(15) RTCA/DO-178B - 1992, Software Considerations in Airborne Systems and Equipment Certification, 3/26/1999.
(16) IEEE/EIA 12207.0-1996, Industry Implementation of International Standard ISO/IEC 12207: 1995 Standard for Information Technology - Software Life Cycle Processes.
(17) IEEE/EIA 12207.1-1997, Industry Implementation of International Standard ISO/IEC 12207: 1995 Standard for Information Technology - Software Life Cycle Processes - Life Cycle Data.
(18) IEEE/EIA 12207.2-1997, Industry Implementation of International Standard ISO/IEC 12207: 1995 Standard for Information Technology - Software Life Cycle Processes - Implementation Considerations.
(19) IEEE 1012-2002, Standard for Software Verification and Validation.
(20) IEEE 610.12-1990, IEEE Standard Glossary of Software Engineering Terminology.
(21) ISO 9000-3, 1997 Quality Management and Quality Assurance - Part 3 Guidelines for the Application of ISO 9001: 1994, to the Design, Development, Supply, Installation, and Maintenance of Computer Software.
(22) ISO 9001, ANSI/ASQC Q9001 - 1994, Quality Systems - Model for Quality Systems - Model for Quality Assurance in Design, Development, Production, Installation, and Servicing.
(23) ISO 9001-2000, ANSI/ISO/ASQ Q9001-2000, American National Standard - Quality Management Systems-Requirements.