2.1 Minimum Recommended Content
The following section defines the minimum recommended content for a Software Assurance Plan (SAP). (Note: This content was previously located in Topic 7.18 - Documentation Guidance.) The SA Plan provides insight into the methods, approaches, responsibilities, and processes for the assurance activities of all life cycle and mission phases. If a content section does not apply, state “Not Applicable.” The SA Plan’s content, collectively, addresses the following:
- Introduction – The introduction to the plan states its purpose and scope. It also provides an overview of the document's organization and a brief description of each section of the plan.
  - Purpose – Briefly state the purpose of the document.
  - Scope – Briefly state the scope of the project.
  - Overview – Provide an overview of the document's organization and a brief description of each section of the plan.
- Software Assurance Activities – Describe all planned assurance activities. Identify and define the software assurance planning and oversight activities throughout the life cycle. Examples are:
  - Planned audits and assessments
  - Status Reporting
  - Analysis activities
- Software Assurance Methods – Specify the SA methods used to confirm, monitor, assess, analyze, and perform software activities. Examples are:
  - Standing meetings with Project Manager and software engineering
  - Standing meetings with SA Team
  - Reviewing products and processes
  - Test Witnessing and reviewing test results
  - Reporting inconsistencies, defects, non-conformances, risks, etc.
  - Analysis Methods (PHAs, HAs, FMEAs, FTAs, Static Code Analysis, etc.)
- Stakeholder Management Plan – Identify the stakeholders and their involvement in the project.
- Project Resources –
  - Personnel Allocation – Identify the total SA personnel needed to perform the SA activities and their organization. Obtain Center SMA approval for personnel from SMA, if necessary.
  - Technical Resources – Identify resources needed to perform the SA activities (e.g., necessary tools, access to information).
- Project Roles & Responsibilities – Identify the project’s SA roles and responsibilities. Indicate the division of responsibilities for implementing the requirements of the SA standard, clearly indicating Center SMA organization versus Project SA roles and responsibilities.
- Organization and Management – Illustrate/Describe the software assurance organization's structure and relationships to project management and the provider's organization.
- Data Management Plan –
  - Identify the SA products (i.e., from the SA Products List) that SA will generate during the project, and
  - Specify the location where the SA products will be stored, the level of control needed (e.g., configuration management), and the retention schedule.
  - The Data Management Plan includes products used to document and report on SA analysis and reviews of SW development activities, products, and results.
- Acceptance criteria for all identified software assurance and software safety products.
- Software Safety-Critical Assessment (if needed) – Include the initial safety criticality assessment results. Update at milestones, as necessary, including any concerns or push-back on the safety criticality determination.
- Software Classification – Include the results of the independent software classification or concur with the engineering software classification of the software per the descriptions in NPR 7150.2.
- Risk Management – Identify the process used for risk management of any SA-identified software risks.
- Project-Specific Training – Identify any Project-specific training that is necessary for SA personnel to implement their Software Assurance activities properly.
- Communication Plan – Describe how SA personnel will communicate processes, schedules, methods, and deliverables among the SA teams.
- Software Assurance Requirements Mapping Matrix showing the implementation of the requirements in the Software Assurance and Software Safety Standard.
- Metrics – Identify the SA metrics to be collected with their analysis procedures, storage procedures, and reporting plans. At a minimum, collect and report on the list of software assurance metrics specified in the Software Assurance and Software Safety Standard.
- Issue tracking and reporting – Describe the problem reporting and corrective action system used during the software life cycle. Identify the practices and procedures that are to be used for reporting, tracking, and resolving problems or issues.
- Acronyms – In alphabetic order, define all abbreviations and acronyms used in the plan.
- Glossary – Define all terms that are unique to the SA document.
- Document Change Procedure and History – Define the procedures that are to be used to modify the plan and maintain the history of all changes and modifications that are defined by the SA section of the plan.
- Project Schedule – Provide a schedule with SA activities aligned with the project schedule and life cycle products or an aligned schedule location.