NASA Procedural Requirements

NPR 2210.1C Effective Date: August 11, 2010 Expiration Date: August 11, 2015

Subject: Release of NASA Software

Responsible Office: Office of the Chief Technologist

Chapter 1. Responsibilities

1.1 Office of the Chief Technologist (OCT)

1.1.1 The Chief Technologist is responsible for the overall management of the NASA software release policy established by NPD 7120.4 and shall establish and implement software release procedures, requirements, and supplemental policy with the General Counsel or designee.

1.1.2 The Chief Technologist shall charter a Software Release Authority Working Group (SRAWG) to oversee the software release process.

1.1.2.1 The SRAWG shall coordinate with the Software Working Group (SWG), chartered by the Office of the Chief Engineer and defined in NPD 7120.4, to ensure appropriate visibility of software issues within the Agency.

1.1.2.2 The Chairperson of the SRAWG shall be a member of the SWG.

1.1.2.3 The Center official designated by the Center Director, or his/her designee(s), is responsible for coordinating a technology commercialization assessment of software deemed within the scope and purpose of this NPR.

1.2 General Counsel

1.2.1 The General Counsel and the Agency Counsel for Intellectual Property (ACIP), or their designee(s), are responsible for providing and maintaining the NASA Model Software Usage Agreement(s) (SUA), the legal instrument(s) employed in releasing NASA software, as described herein. 

1.2.2 Uniformity in SUA(s) across Centers shall be achieved to the maximum extent practicable. 

1.2.2.1 When requested to modify a NASA model SUA, or create a new model SUA, the Center official designated by the Center Director, and the ACIP, or their designee(s), shall work jointly toward establishing mutually acceptable standardized language for SUA(s), as well as determining acceptability of requests for modifications to the model SUA(s). A list of the types of model SUAs is provided in Appendix D.

1.2.3 The ACIP and the Center Patent or Intellectual Property (IP) Counsel (or Center Chief Counsel, at Centers without Patent or IP Counsel), or their designee(s), are responsible for providing appropriate legal counsel with respect to an Intellectual Property and Releasability Rights Assessment under Section 2.4 of this NPR on software prior to its approval for all releases defined in Appendix A, paragraphs A.2.2 through A.2.6, except for an Approved for NASA Release (A.2.6.5). Where applicable, the Center Chief Counsel shall also be consulted.

1.2.4 The ACIP and the Center Patent or IP Counsel (or Center Chief Counsel, at Centers without Patent or IP Counsel), or their designee(s), in cooperation with the Center SRA, are responsible for preparing the SUA(s) and any other necessary legal instruments(s) employed in releasing NASA software and for consulting applicable contracting officers regarding release of software as Government Furnished Information (GFI) under Section 2.8.6.2.

1.3 Center Export Administrator (CEA)

1.3.1 The CEA is responsible for coordinating an export control assessment on all software prior to its Approval for Public Release, Approval for Open Source Release, or Approval for U.S. and Foreign Release, as described under paragraphs A.2.2,A.2.3, or A.2.4 (i.e., assisting with a determination whether the software, or some portion thereof, is subject to export restrictions under either the Export Administration Regulations or the International Traffic in Arms Regulations).

1.3.2 When a foreign release of software is contemplated (including a release to a foreign entity within the United States), the CEA shall be consulted to ensure that such release complies with applicable export laws and regulations, and the NASA Export Control Program.  See also      NPD 2190.1A and NPR 2190.1, both entitled “NASA Export Control Program.”

1.4 Center Directors

1.4.1 The Center Director, or designee, is responsible for appointing an individual(s) to carry out responsibilities specified in sections 1.1.2.3, 1.2.2.1, 1.7.2, 2.3.1, 2.4.4.5, 2.5.1, 3.6.2, and A.1.9 of this NPR.

1.4.2 The Center Director, or designee, is responsible for appointing an individual as the Center Software Release Authority (SRA) or for appointing a group of individuals as the Software Release Group. A Software Release Group shall have a team leader or chairperson designated as the Center SRA.

1.5 NASA Inspector General

1.5.1 The NASA Inspector General, or designee, is responsible for appointing an individual or group of individuals as SRA for the purpose of determining the release of forensic software developed by the Office of Inspector General for law enforcement purposes. The SRA appointed for this purpose shall comply with the requirements of this NPR.

1.6 Center Information Technology Security Manager (ITSM)

1.6.1 The ITSM is responsible for identifying to the Center SRA security risks inherent in the release of specific software and for determining how to eliminate or manage those risks as needed. The Center ITSM shall develop guidance on when an IT security assessment may be needed, including a standard checklist to assist the Center SRA in the identifying IT security risks associated with the release of software that shall require an IT security assessment, and shall be consulted, as warranted by the guidance, by the Center SRA and the responsible software development and assurance organizations prior to the release of the software. An example of a standard checklist for IT Security compliance is provided in Appendix F - Example Checklist for Identification and Mitigation or Elimination of Information Technology Security Risks Associated With the Release of Software.

1.7 Software Release Authority (SRA)

1.7.1 The Center SRA is responsible for ensuring that all releases of applicable software are accomplished in accordance with this NPR.

1.7.2 The Center SRA is responsible for managing the software release process implemented by this NPR in coordination with the Center Patent or IP Counsel, the Center official designated by the Center Director, or his/her designee(s), the CEA, the Center ITSM, the Center Procurement Office, the Center Office or Project responsible for the software, and other Center offices as necessary.

1.7.3 The Center SRA may establish supplemental procedures and guidance to support the implementation and administration of the software release process and to determine the applicability of this NPR to software funded or developed by the Center (e.g., determining the applicability of this NPR to software that may be outside the purpose and scope of this NPR).

1.7.3.1 Minor code enhancements to pre-existing software that do not materially alter the operation of the pre-existing software may not be subject to the requirements of this NPR. When requested, the Center SRA shall review minor code enhancements and consult with the Center Patent or IP Counsel to determine the applicability of this NPR to the minor code enhancement. Where the Center SRA determines that this NPR does not apply to a particular minor code enhancement, the minor code enhancement alone may be released without complying with the requirements of this NPR.

1.7.3.2 Previously released software that has been modified only by incorporating such a minor code enhancement may be released to the same recipient(s) without requiring additional reporting, reviews, or SUAs under this NPR.

1.7.3.3 Given that NASA is in the forefront in development and enhancement of systems to support human capital programs and processes and that NASA proactively shares such systems with the Federal community in support of the e-Government Act of 2002 (PL 107-347, Chapter 36 of Title 44 U.S.C.) and the Office of Management and Budget’s Human Resources Line of Business Initiative of 2008, NASA human capital software applications shall generally be assigned release restrictions of  “Approved for Public Release,” “Approved for Open Source Release,” or “Approved for U.S. Government Purpose Release,” as defined in paragraphs A.2.2, A.2.3, and A.2.6, respectively.

1.7.4 The Center SRA shall:

a. Be the Center representative on the SRAWG;

b. Retain an original SUA or Software Release Record, as described in paragraphs A.1.18 and A.1.17, respectively, for each software released in accordance with this NPR and NPR 1441.1; and

c. Document each individual release of software in the Software Release section of the NASA Technology Transfer System (NTTS).  If an electronic copy of the original signed SUA or release record is maintained by the Center SRA, the original paper copy may be discarded. A backup copy may also be attached electronically to the appropriate NTTS record.

1.8 Responsible Center Offices or Projects

1.8.1 The Center Office or Project that has responsibility for a particular software is responsible for recommending a desired release category under section A.2 and shall notify the Center SRA of the following:

a. Any programmatic restrictions on release of the software;

b. The software’s classification (i.e, Class A - H) as defined in NPR 7150.2, NASA Software Engineering Requirements;

c. Whether the software complies with the software engineering and assurance requirements of NPR 7150.2 and NASA-STD-8739.8, Software Assurance Standard, for the applicable software classification;

d. Whether the software is safety-critical software as defined in NASA-STD-8739.8, and if so, whether it complies with the software safety requirements of NASA-STD-8719.13, Software Safety Standard;

e. The software’s Technology Readiness Level (TRL) as defined in NPR 7120.8, NASA Research and Technology Program and Project Management Requirements (and reproduced in Appendix E of this NPR);

f. Any software documentation, as defined in paragraph A.1.14, that is proposed (or available) for release with the software;

g. Whether any known export restrictions apply to the software;

h. Whether the software includes any Open Source or other third party software;

i. Whether Open Source Release of the software is proposed; and

j. Whether the software includes any embedded computer databases.

1.8.2 Before the release of any software, the Office or Project that has responsibility for the software, with the assistance of the SRA, shall coordinate with the NASA Center 508 Coordinator, as defined in A.1.10, for the purposes of obtaining a decision from the Coordinator regarding the software’s Section 508 compliance, including any appropriate exceptions in accordance with NASA policy and implementation of Section 508 compliance.

1.8.3 Open Source Software Development, as defined in paragraph A.1.8, may be used as part of a NASA project only if the Office or Project that has responsibility for acquisition or development of the software supports incorporation of external Open Source Software into software. In addition, the Office or Project responsible for the software acquisition or development shall:

a. Determine the ramifications of incorporating such external Open Source Software during the acquisition planning process specified in NASA FAR Supplement Subpart 1807.1, Acquisition Plans; and 

b. Consult with the Center Patent or IP Counsel early in the planning process (see 2.4.2.1) as the license under which the Open Source software was acquired may negatively impact NASA’s intended use.

DISTRIBUTION:
NODIS