3.13.2 The project manager shall participate in any joint NASA/supplier audits of the software development process and software configuration management process.
NPR 7150.2, NASA Software Engineering Requirements, does not include any notes for this requirement.
1.2 Applicability Across Classes
Classes F and G are labeled as "X (not OTS)" which means that the project is required to meet this requirement for all software that is not considered off-the-shelf.
Per IEEE STD 1028-2008, Software Reviews and Audits, "The purpose of a software audit is to provide an independent evaluation of conformance of software products and processes to applicable regulations, standards, guidelines, plans, specifications, and procedures."
Audits are conducted by audit teams and require the participation and cooperation of the personnel involved with the software being audited, both acquirer and provider personnel, including contractors, as appropriate for the particular audit being performed.
This requirement is not intended to force joint audits, but when audits occur, the project needs to be made aware of and participate at some level in those audits, whether they are internal audits, contractor audits, external audits by an independent organization, or any other type of internal or external audit. Project participation can benefit the audit by providing domain knowledge, planning assistance, and technical expertise to the audit team.
This requirement was written to require projects to participate in audits that include any or all of the software portion of a project. The project's participation can take many forms, including, but not limited to, simply keeping abreast of the audit's progress as well as participating as an observer in the actual audit.
It is the responsibility of the project to make available appropriately prepared and qualified project personnel to participate in or support audits as needed to fulfill the project's chosen level of involvement, including software assurance personnel described in the project's software assurance plan (see NASA-STD-8739.8, Software Assurance Standard).
See the Topic 7.3 - Acquisition Guidance in this Handbook for additional guidance. Additionally, guidance related to joint audits may be found in the following related requirements in this Handbook:
4. Small Projects
For projects with limited personnel, consider limiting the audit participation to monitoring progress and reviewing the results, as this would cause less interference and require fewer personnel.
6. Lessons Learned
The NASA Lesson Learned database contains the following lesson learned related to joint audits:
Acquisition and Oversight of Contracted Software Development. Lesson Number 0921: "The loss of Mars Climate Orbiter (MCO) was attributed to, among other causes, the lack of a controlled and effective process for acquisition of contractor-developed, mission critical software. NASA Centers should ... assure ... verification of the adequacy of the software design approach and overall contractor implementation throughout the software life cycle." Audits are one way to assess the adequacy of contractor implementation throughout the software life cycle.