
Last used in rev NPR 7150.2C

Rev | SWE Statement
A

6.3.3 The Engineering Technical Authority(s) for this NPR shall consider the following information when assessing waivers and deviations from requirements in this NPR:

    1. The NASA software inventory data on the project.
    2. The classification of systems and subsystems containing software, as defined in Appendix E.
    3. Applicable Center-level software directives that meet the intent of this NPR.
    4. Applicable contractor and subcontractor software policies and procedures that meet the intent of this NPR.
    5. Potential impacts to NASA missions.
    6. Potential impacts to health, medical concerns, or safety.
Difference between A and B: Re-write of the requirement
B

2.1.3.6  Serving as Technical Authorities for requirements in this directive, Center Directors, or designees shall:

a. Assess project’s compliance matrices, tailoring, waivers, and deviations from requirements in this directive by:  

(1)  Checking the accuracy of the project’s classification of software components against the definitions in Appendix D.

(2)  Evaluating the project’s compliance matrix for commitments to meet applicable requirements in this directive, consistent with software classification.

(3)  Confirming that requirements marked “Not-Applicable” in the project’s compliance matrix are not relevant or not capable of being applied.

(4)  Determining whether the project’s risks, mitigations, and related requests for relief from requirements designated with “X” in Appendix C, are reasonable and acceptable.

(5) Coordinate with the Center S&MA organization that the compliance matrix implementation approach does not impact safety and mission assurance on the project.

(6)  Approving/disapproving request for relief from requirements designated with “X” in Appendix C, which fall under this Technical Authority’s scope of responsibility.

(7)  Facilitating the processing of projects’ tailoring/compliance matrices, tailoring, waivers, or deviations from requirements in this directive, which fall under the responsibilities of a different Technical Authority (see column titled “Technical Authority” in Appendix C).

(8)  Ensuring that approved compliance matrices, including any waivers and deviations against this directive, are archived as part of retrievable project records.

Difference between B and C:
- Added Institutional Authority(s) to the requirement;
- Changed "compliance" to "Requirements Mapping" matrix / matrices (RMM) everywhere;
- Removed "waivers, and deviations" in items a., (7) and (8);
- Removed item (5) in Rev B which is "Coordinate with the Center S&MA organization that the compliance matrix implementation approach does not impact safety and mission assurance on the project.";
- Removed "Technical" in Rev B items (6) and (7), which are items (5) and (6) in Rev C;
- Added requirement item (7) in Rev C;
- Changed "waivers, and deviations" to "tailoring rationale" in item (8);
- Added requirement b. which requires the Technical Authority to approve tailoring of the RMM by signature - this merges SWE-145 into this SWE #.
C

2.1.5.6 Serving as technical and institutional authorities for requirements in this directive, Center Director, or designee, shall:  

a. Assess projects’ requirements mapping matrices and tailoring from requirements in this directive by: 

(1) Checking the accuracy of the project’s classification of software components against the definitions in Appendix D. 

(2) Evaluating the project’s Requirements Mapping Matrix for commitments to meet applicable requirements in this directive, consistent with software classification. 

(3) Confirming that requirements marked “Not-Applicable” in the project’s Requirements Mapping Matrix are not relevant or not capable of being applied. 

(4) Determining whether the project’s risks, mitigations, and related requests for relief from requirements designated with “X” in Appendix C are reasonable and acceptable. 

(5) Approving/disapproving requests for relief from requirements designated with “X” in Appendix C, which falls under this Authority’s scope of responsibility. 

(6) Facilitating the processing of projects’ requirements mapping matrices and tailoring decisions from requirements in this directive, which falls under the responsibilities of a different Authority (see the column titled “Authority” in Appendix C). 

(7) Include the Center CIO and CISO (or delegate) in all software reviews to ensure software cybersecurity is included throughout software development, testing, maintenance, retirement, operations, management, acquisition and assurance activities. 

(8) Ensuring that approved requirements mapping matrices, including any tailoring rationale against this directive, are archived as part of retrievable project records.


b. Indicate the Technical Authority or Technical Authorities approval by the signature(s) in the Requirements Mapping Matrix itself, when the Requirements Mapping Matrix is used to tailor from the applicable “X” requirement(s).


