UNDER CONSTRUCTION
In the beginning of a project, there are a number of processes that are carried out as part of planning. These processes may be repeated as necessary during the life of the project. Even if the project follows a Waterfall methodology, there will be processes that are conducted numerous times. If a project follows an Agile or other iterative methodology, the processes will be exercised regularly. The sub-activities found in the Software Life Cycle Planning Activity are each covered in a tab of this Activity page. Planning the work is always done at the beginning of the project and followed up with a series of regular updates. These updates can be driven by a number of factors: Planning the project encompasses a balance of several related sub-activities: Cost estimation helps Project Managers manage the work within the budget. If work estimates drive the cost estimates over budget, Project Managers have an early opportunity to request more budget or make adjustments in work to prevent budget overruns. Re-estimation of costs are driven by: a. Covers the entire software life cycle. a. Planned and actual effort and cost. Scheduling helps Project Managers manage the work within the time constraints. If work estimates drive the schedule over the time budget, Project Managers have an early opportunity to request more time or make adjustments in work to prevent late deliveries. Re-scheduling is driven by: The workers on a project must have the necessary skills to perform and complete the work and meet quality objectives. Project Managers have the obligation to select these workers for the project and see that training opportunities are available to improve the skills needed. Training for workers must be planned for both in the budget (cost estimation) and the schedule. Training can come from a number of sources: Re-training is driven by: Monitoring plans as they are carried out is critical for maintaining awareness of progress. It also allows the Project Team to know when there are deviations from the plan. When those deviations are significant, control actions may be made to get the project back on track. If the project cannot be gotten back on track, some amount of re-planning may be called for. The earlier correction actions are taken, the less severe they will be. Some monitoring is done frequently. In some life cycles, like Agile, include daily "stand-up meetings" where team members report on progress and their "plan for the day". This keeps all team members aware of what the team is doing at the moment. Additional opportunities for monitoring is more formal. These include regular reporting of progress to management and stakeholders. These include reviews of various work products and formal reviews at certain project and program milestones. Software that is not actually developed by the team for the project, is acquired. It may be: Regardless of the origins of the code, it must be properly licensed so that it can be legally used on the project. When Acquiring software it is important to receive a User's Manual or some other form of instructions on how to use the software. This will be valuable when it comes time to produce the Software User's Manual for the finished product. This activity is performed whenever there is a change in the reused software. a. The requirements to be met by the software component are identified. b. The software component includes documentation to fulfill its intended purpose (e.g., usage instructions). c. Proprietary rights, usage rights, ownership, warranty, licensing rights, transfer rights, and conditions of use (e.g., required copyright, author, and applicable license notices within the software code, or a requirement to redistribute the licensed software only under the same license (e.g., GNU GPL, ver. 3, license)) have been addressed and coordinated with Center Intellectual Property Counsel. d. Future support for the software product is planned and adequate for project needs. e. The software component is verified and validated to the same level required to accept a similar developed software component for its intended use. f. The project has a plan to perform periodic assessments of vendor reported defects to ensure the defects do not impact the selected software components. a. Software Title. a. A NASA civil servant to a NASA civil servant: (1) Verify the requesting NASA civil servant has requested and completed an Acknowledgment (as set forth in the note following paragraph 3.10.2e). b. A NASA civil servant to a NASA contractor: (1) Verify a NASA civil servant (e.g., a Contracting Officer (CO) or Contracting Officer Representative (COR)) has confirmed the NASA contractor requires such software for the performance of Government work under their NASA contract and that such performance of work will be a Government purpose. Center Intellectual Property Counsel should be consulted for any questions regarding what is or is not a Government purpose. c. A NASA civil servant to any NASA grantees, Cooperative Agreement Recipients or any other agreement partners or to any other entity under U.S. Government Agency Release, Open source Release, Public Release, U.S. Release, Foreign Release: (1) If the release is to any NASA grantees, Cooperative Agreement Recipients, or any other agreement (e.g., Space Act Agreement) partners or to any other entity under U.S. Government Agency Release, an Open source Release, a Public Release, a U.S. Release, or a Foreign Release, the software release is completed in accordance with the external release requirements of NPR 2210.1, Release of NASA Software – Revalidated w/change 1. a. Keep a list of all contributors to the software product. b. Ensure that the software product contains appropriate disclaimer and indemnification provisions (e.g., in a “README” file) stating that the software may be subject to U.S. export control restrictions, and it is provided “as is” without any warranty, express or implied, and that the recipient waives any claims against, and indemnifies and holds harmless, NASA and its contractors and subcontractors. This sub-activity is complex and includes requirements from the Institutional Requirements as well as from Software Assurance Requirements. NPR 7150.2, Appendix D contains guidance on the classifications used for software. Appendix C contains a matrix specifying the requirements that are applicable to a specific class. In the planning for a project, the Project Manager documents the requirements that will be satisfied in the project using the "Requirements Mapping and Compliance Matrix". If there are one or more requirements that cannot be satisfied by the project, the Project Manager determines what alternative to the requirement can be satisfied (called tailoring) and seeks relief from the original requirement from the appropriate level of Technical Authorities. In the course of a project, it may be necessary to re-classify the software. This can be due to a change in the mission for which the software is planned to be used, or some other change. Classification can be either increased or decreased. Both SWE-021 - Transition to a Higher Class, and topic 7.13 - Transitioning to a Higher Class deal specifically with moving to a higher classification. a. Project/program name and Work Breakdown Structure (WBS) number. (1) The name of the software development organization. a. Assess projects’ requirements mapping matrices and tailoring from requirements in this directive by: (1) Checking the accuracy of the project’s classification of software components against the definitions in Appendix D. b. Indicate the Technical Authority or Technical Authorities approval by signature(s) in the Requirements Mapping Matrix itself, when the Requirements Mapping Matrix is used to tailor from the applicable “X” requirement(s). The purpose of security risk management is to identify potential software security problems before they occur so that software security risk handling activities can be planned and invoked as needed across the life of the space flight software product or project. Software defects have the potential to leave a system compromised and open to cyber-attacks. Identifying risks and planning appropriate mitigations early in the project life cycle help increase the overall security and enhance the survivability of the space flight software system. Provide the capability to monitor key software observables (e.g. number of failed login attempts, performance changes, internal communication changes) to detect adversarial actions that threaten mission success. The project manager shall implement protections for software systems with communications capabilities against unauthorized access per the requirements contained in the NASA-STD-1006, Space System Protection Standard. Mitigations identified to address security risks need to be confirmed as appropriate and adequate. Software verification and validation (V&V) processes are used to determine whether the software security risk mitigations, as planned and implemented, satisfy their intended use to address security risks in space flight software. The results of V&V activities serve as a documented assurance that the correct mitigations were identified, implemented, and will reduce to an acceptable level or eliminate known software security risks. Secure coding practices should be identified, recorded, and implemented to include all life cycle phases of the project. Unsafe coding practices result in costly vulnerabilities in application software that leads to the theft of sensitive data. Some secure practices include but not limited to the strict language adherence and use of automated tools to identify problems either at compile time or run time; language-specific guidance, domain-specific guidance, local standards for code organization and commenting, and standard file header format are often specified as well. The use of uniform software coding methods, standards, and/or criteria ensures uniform coding practices, reduces errors through safe language subsets, and improves code readability. Verification that these practices have been adhered to reduces the risk of software malfunction for the project during its operations and maintenance phases. This activity is repeated when there are changes in Requirements, Coding, or Testing where security vulnerabilities are detected or need to be investigated. Software development requires documentation and implementation. Software development activities require decisions and work results (e.g., requirements, design, the outcome of reviews, etc.) to be captured as building blocks throughout the software life cycle. Software developers and software acquisitions need to know what documentation expectations exist for a development project. Having defined and approved content descriptions for project documentation allows these needs and more to be met. Work products may need to be updated as requirements and design changes. Other work products are updated almost continuously, such as code and testing. Many work products also benefit from Peer Reviews (see Activity A.10 Software Peer Reviews and Inspections.)
See edit history of this section
Post feedback on this section
01.00. Activity Overview
Software Life Cycle Planning is a large activity. It includes a number of related sub-activities that are performed throughout the life of a development project. 1.1 Sub-Activities in the Software Life Cycle Planning Activity
01.01. Planning the Work
Frequency Of This Activity
01.01.1 Related SWEs
01.01.2 Related Work Products
01.01.2.1 Related Process Asset Templates
01.01.3 Related Topics
01.01.4 Related SPAN Links
01.02. Cost Estimation
Frequency Of This Activity
01.02.1 Related SWEs
b. Is based on selected project attributes (e.g., programmatic assumptions/constraints, assessment of the size, functionality, complexity, criticality, reuse code, modified code, and risk of the software processes and products).
c. Is based on the cost implications of the technology to be used and the required maturation of that technology.
d. Incorporates risk and uncertainty, including end state risk and threat assessments for cybersecurity.
e. Includes the cost of the required software assurance support.
f. Includes other direct costs.
b. Planned and actual schedule dates for major milestones.
c. Both planned and actual values for key cost parameters that typically include software size, requirements count, defects counts for maintenance or sustaining engineering projects, and cost model inputs.
d. Project descriptors or metadata that typically includes software class, software domain/type, and requirements volatility.01.02.2 Related Work Products
01.02.2.1 Related Process Asset Templates
01.02.3 Related Topics
01.02.4 Related SPAN Links
01.03. Scheduling the Work
Frequency Of This Activity
01.03.1 Related SWEs
01.03.2 Related Work Products
01.03.2.1 Related Process Asset Templates
01.03.3 Related Topics
01.03.4 Related SPAN Links
01.04. Training
Frequency Of This Activity
01.04.1 Related SWEs
Institutional SWEs (A.13 NASA Institutional Requirements)
01.04.2 Related Work Products
01.04.2.1 Related Process Asset Templates
01.04.3 Related Topics
01.04.4 Related SPAN Links
01.05. Monitor and Control
Frequency Of This Activity
01.05.1 Related SWEs
01.05.2 Related Work Products
01.05.2.1 Related Process Asset Templates
01.05.3 Related Topics
01.05.4 Related SPAN Links
01.06. Acquisition and Reuse of Software
Frequency Of This Activity
01.06.1 Related SWEs
b. Software Description.
c. The Civil Servant Software Technical POC for the software product.
d. The language or languages used to develop the software.
e. Any third-party code contained therein, and the record of the requisite license or permission received from the third party permitting the Government’s use and any required markings (e.g., required copyright, author, applicable license notices within the software code, and the source of each third-party software component (e.g., software URL & license URL)), if applicable.
f. Release notes.
(2) Provide the software to the requesting NASA civil servant.
(2) Verify a NASA civil servant (e.g., a CO or COR) has confirmed an appropriate Government Furnished Software clause (e.g., 1852.227-88, “Government-furnished computer software and related technical data”) is in the subject contract (or, if not, that such clause is first added); or the contractor may also obtain access to the software in accordance with the external release requirements of NPR 2210.1, Release of NASA Software.
(3) Verify NASA contractor is not a foreign person (as defined by 22 CFR §120.16).
(4) Verify there is a requesting NASA Civil servant (e.g., a CO or COR), and the requesting NASA civil servant has executed an Acknowledgment (as set forth in the note following paragraph 3.10.2e).
(5) After items (1), (2), (3), and (4) are complete, provide the software to the requesting NASA civil servant. The requesting NASA civil servant is responsible for furnishing the software to the contractor pursuant to the subject contract’s terms.01.06.2 Related Work Products
01.06.2.1 Related Process Asset Templates
01.06.3 Related Topics
01.06.4 Related SPAN Links
01.07. Classification, Tailoring and Waivers
Frequency Of This Activity
01.07.1 Related SWEs
b. Software name(s) and WBS number(s).
c. Software size estimate (report in Kilo/Thousand Source Lines of Code (KSLOCs)).
d. The phase of development or operations.
e. Software Class or list of the software classes being used on the project.
f. Software safety-critical status.
g. For each Computer Software Configuration Item (CSCI)/Major System containing Class A, B, or C software, provide:
(2) Title or brief description of the CSCI/Major System.
(3) The estimated total KSLOCs, the CSCI/Major System, represents.
(4) The primary programming languages used.
(5) The life cycle methodology on the software project.
(6) Name of responsible software assurance organization(s).
(2) Evaluating the project’s Requirements Mapping Matrix for commitments to meet applicable requirements in this directive, consistent with software classification.
(3) Confirming that requirements marked “Not-Applicable” in the project’s Requirements Mapping Matrix are not relevant or not capable of being applied.
(4) Determining whether the project’s risks, mitigations, and related requests for relief from requirements designated with “X” in Appendix C are reasonable and acceptable.
(5) Approving/disapproving requests for relief from requirements designated with “X” in Appendix C, which falls under this Authority’s scope of responsibility.
(6) Facilitating the processing of projects’ requirements mapping matrices and tailoring decisions from requirements in this directive, which falls under the responsibilities of a different Authority (see column titled “Authority” in Appendix C).
(7) Include the SAISO (or delegate) in all software reviews to ensure software cybersecurity is included throughout software development, testing, maintenance, retirement, operations, management, acquisition, and assurance activities.
(8) Ensuring that approved requirements mapping matrices, including any tailoring rationale against this directive, are archived as part of retrievable project records.01.07.2 Related Work Products
01.07.2.1 Related Process Asset Templates
01.07.3 Related Topics
01.07.4 Related SPAN Links
01.08. Cybersecurity
Frequency Of This Activity
01.08.1 Related SWEs
01.08.1.1 - SWEs in A.01 Software Life Cycle Planning
01.08.1.2 - SWEs in A.05 Implementation
01.08.1.3 - SWEs in A.06 Testing
01.08.2 Related Work Products
01.08.2.1 Related Process Asset Templates
01.08.3 Related Topics
01.08.4 Related SPAN Links
01.09. Work Products
Frequency Of This Activity
01.09.1 Related SWEs
01.09.2 Related Work Products
01.09.2.1 Related Process Asset Templates
01.09.3 Related Topics
01.09.4 Related SPAN Links