5.17 - Software Assurance Plan Minimum Content

2.1 Minimum Recommended Content

The following section defines the minimum recommended content for a Software Assurance Plan (SAP). (Note: This content was previously located in Topic 7.18 - Documentation Guidance.) The SA Plan provides insight into the methods, approaches, responsibilities, and processes for the assurance activities of all life cycle and mission phases.  If a content section does not apply, state “Not Applicable.” The SA Plan’s content, collectively, addresses the following:

1. Introduction – The introduction to the plan states its purpose and scope. It also provides an overview of the document's organization and a brief description of each section of the plan.
   1. Purpose – Briefly state the purpose of the document.
   2. Scope – Briefly state the scope of the project.
   3. Overview – Provide an overview of the document's organization and a brief description of each section of the plan. 
2. Software Assurance Activities –
   1. Describe all planned assurance activities.
   2. Identify and define the software assurance planning and oversight activities throughout the life cycle. Examples are:
      1. Planned audits and assessments
      2. Status Reporting
      3. Analysis activities
3. Software Assurance Methods – Specify the SA methods used to confirm, monitor, assess, analyze, and perform software activities. Examples are:
   1. Standing meetings w/ Project Manager and software engineering
   2. Standing meetings w/ SA Team
   3. Milestone Reviews and Peer Reviews to be supported
   4. Reviewing products and processes
   5. Test Witnessing and reviewing test results
   6. Reporting inconsistencies, defects, non-conformances, risks, etc.
   7. Analysis Methods (PHAs, HAs, FMEAs, FTAs, Static Code Analysis, etc.)
4. Stakeholder Management Plan – Identify the stakeholders and their involvement in the project.

5. Project Resources -

   1. Personnel Allocation – Identify the total SA personnel needed to perform the SA activities and their organization. Obtain Center SMA approval for personnel from SMA, if necessary.
   2. Technical Resources – Identify resources needed to perform the SA activities, e.g.,
      1. Project Tools – List of the tools and versions needed to perform SA activities.
      2. Access Requirements – Access to project information and repositories, websites, databases, etc.
   3. Project Roles & Responsibilities – Identify the project’s SA roles and responsibilities. Indicate the division of responsibilities for implementing the requirements of NASA-STD-8739.8, clearly indicating Center SMA organization versus Project SA roles and responsibilities.
   4. Organization and Management – Illustrate/Describe the software assurance organization's structure and relationships to project management and the provider's organization.
6. Data Management Plan - The Data Management Plan includes products used to document plans and report on SA analysis and reviews of SW development activities, products, and results.  
   1. SA Products – Identify the SA products (i.e., see Topic 8.16 - SA Products) that SA will generate during the project.
   2. Product Storage – Specify the location where the SA products will be stored, the level of control needed (e.g., configuration management), and the retention schedule.  
7. Acceptance Criteria – Specify the acceptance for all identified software assurance and software safety products.
8. Software Safety-Critical Assessment (if needed) – Include the initial safety criticality assessment results. Update at milestones, as necessary, including any concerns or push-back on the safety criticality determination.
9. Software Classification – Include the results of the independent software classification or concur with the engineering software classification of the software per the descriptions in NPR 7150.2. 
10. Risk Management – Identify the process used for risk management of any SA-identified software risks. 
11. Project-Specific Training – Identify any Project-specific training that is necessary for SA personnel to implement their Software Assurance activities properly.
12. Communication Plan – Describe how SA personnel will communicate processes, schedules, methods, and deliverables among the SA teams.
13. Software Assurance Requirements Mapping Matrix – Identify all NPR 7150.2 requirements to be implemented and the associated NASA-STD-8739.8 tasking to be performed. Include any tailoring of the SA tasking requirements. This requirement may be satisfied through the use of the SA Tasking Checklist Tool (see Topic 8.15 - SA Tasking Checklist Tool).
14. Metrics – Identify the SA metrics to be collected with their analysis procedures, storage procedures, and reporting plans. At a minimum, collect and report on the software assurance metrics specified in NASA-STD-8739.8.
15. Issue tracking and reporting – Describe the problem reporting and corrective action system used during the software life cycle. Identify the practices and procedures that are to be used for reporting, tracking, and resolving problems or issues.
16. Acronyms – In alphabetic order, define all abbreviations and acronyms used in the plan.
17. Glossary – Define all terms that are unique to the SA document.
18. Document Change Procedure and History – Define the procedures that are to be used to modify the plan and maintain the history of all changes and modifications that are defined by the SA section of the plan.
19. Project Schedule – Provide a schedule with SA activities and audits aligned with the project schedule, milestones, and life cycle products or an aligned schedule location.