
PROTECTION OF THE COMMERCE BUSINESS SYSTEMS (CBS) SOURCE CODE

Number: DAO 203-31
Effective Date: 2015-09-18
SECTION 1.  PURPOSE.

.01      This Order prescribes the policy and procedures for the protection of the CBS source code from licensing agreement violations, unauthorized modification, destruction or disclosure.

.02      CBS is a Department-wide financial management system comprised of a standard Core Financial System (CFS), a data warehouse, and standard interfaces that communicate with administrative systems containing financial data.  It was acquired as a Commercial Off-The-Shelf (COTS) product in 1994 and has been modified to support Departmental business functions. 

.03      The overall management concept for CBS is that a single integrated set of software, which has been acquired by the Department of Commerce (DOC), functions under a cooperative effort which includes the active participation of all the bureaus within the Department.

.04      CBS is maintained by the Office of Financial Management (OFM) Commerce Business Systems Solutions Center (CSC) in Gaithersburg, Maryland, which is responsible for the requirements identification, design, programming, testing, software configuration management, CBS system documentation, and other activities associated with the deployment and maintenance of the CBS software.

.05      This revision:  updates process for conducting CBS code review; changes contractual information; revises definitions; and modifies attachments.

SECTION 2.  POLICY.

The OFM/CSC and the bureaus using CBS will protect the CBS source code from licensing agreement violations, unauthorized modification, destruction, or disclosure.

SECTION 3.  AUTHORITY.

.01      Office of Management and Budget (OMB) Circular No. A-127, “Financial Management Systems.”

.02      OMB Circular No. A-130, “Management of Federal Information Resources,” Section 8, Policy, “Use of Information Resources.”

.03       General Accounting Office (now the Government Accountability Office), Accounting and Information Management Division, “Federal Information System Controls Audit Manual” (GAO/AIMD-12.19.6), Section 3.3, “Application Software Development and Change Control,” Section 3.4, “System Software,” and Section 3.5, “Segregation of Duties.”

.04       “DOC IT Security Program Policy and Minimum Implementation Standards,” Section 2.1,“IT Security Roles and Responsibilities.”

.05       National Institute of Standards and Technology (NIST) Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems,” Section 4, “Management Controls,” and Section 5.MA.5, “Application Software Maintenance Controls.”

SECTION 4.  DEFINITIONS.

.01       The Director, Financial Management Systems is designated by the Director, Office of Financial Management, as the individual responsible for the department-wide management of the CBS program.

.02       “CBS bureau” is defined as any bureau or operating unit which currently uses CBS, such as the Bureau of the Census, the Economic Development Administration (EDA), the National Oceanic and Atmospheric Administration (NOAA), and NIST, or any other bureau which may implement CBS in the future.

.03       The “bureau CBS manager” or designee is the individual responsible for determining access authorization and for maintaining an up-to-date list of all personnel who have been granted access to the CBS source code.

.04       “Authorized OFM/CSC and CBS bureau and contractor personnel” are those individuals who have written approval by a bureau CBS manager for access to the CBS source code.

.05       “Single, integrated financial management system” means a unified set of financial systems and the financial portions of mixed systems encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls and data necessary to carry out financial management functions, manage financial operations for the agency and report on the agency’s financial status to central agencies, Congress, and the public.  Unified means that the systems are planned for and managed together, operated in an integrated fashion, and linked together electronically in an efficient and effective manner to provide agency-wide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs. (OMB Circular A-127).

.06       The “CBS software” is defined as: 

a. All software modules of the CFS, all interfaces with the CFS, the CFS Data Warehouse (DW), and any administrative module containing financial data maintained by the OFM/CSC.  This includes database objects, e.g., Structured Query Language (SQL) scripts, triggers, stored procedures, functions, and packages, that the OFM/CSC delivers to or maintains for the bureaus.

b.         Any software not covered in Section .06a above that the OFM/CSC acquires, develops, or maintains for the bureaus and for which the OFM/CSC provides software configuration management and versioning control.

.07       “Bureau software” is defined as any software developed and maintained by a bureau to support or enhance CBS.  This includes unique administrative modules, interfaces, documentation, and additional database objects such as tables, indices, views, snapshots, reports, and so forth.

.08       “Modifications to the CBS Software” include:

a. All changes to CBS software, documentation, and supporting database objects as listed in Section .06a above.

b.         The creation of any new programs or database structures that modify CBS software. 

c. Any upgrades to the software development technologies and database technologies (technology migration) upon which the CBS applications have been developed.  These technologies are COTS software necessary for the installation of CBS.

.09       An “interface” is defined as an automated process for transferring data between CBS databases and external systems consisting of one or more programs that load data files into the CBS databases.  The interface may include interactive user screens needed to control the processes or correct problems in the transfer.  An interface does not include the creation of data entry screens to manually enter data from a feeder system.

SECTION 5.  RESPONSIBILITIES.

.01       The OFM/CSC (for organizational structure see Department of Commerce OFM/CSC website: https://csc.eas.commerce.gov/csc/home/aboutus) will:

a. Serve as the Department’s CBS software manager and ensure that policies concerning the protection of CBS software are followed.

b.         Develop and implement modifications to the CBS software and manage the DOC software change control process under which all software changes are made.

c. Coordinate and control the release and deployment of CBS software releases, new CBS software modules, and emergency fixes to operational sites within bureaus, and investigate and correct any logic errors detected in the CBS software code and database. 

d.         Conduct code reviews of the bureaus’ CBS production environments, identify any code not in compliance with this Order, and follow the procedures outlined in the “CBS Code Verification Process.”

.02       The CBS bureaus will:

a. Provide a secure site for the operations of the CBS software and ensure that access to the CBS source code is given only to authorized government and contractor personnel who have a specific need to know the code.

b.         Implement security controls to protect the CBS source code, including the following:

1.         Designate a secure drive, to which access is restricted, in which the source code will be saved.

2.         Restrict user access to that drive to only those individuals required to process the CBS source code.

3.         Separate the duties of those individuals handling the source code so that no single person performs all of the functions of database administrator, system administrator, tester, and configuration manager.

c. Distribute the “Rules of Behavior” form (see Attachment B) to all personnel and specify that the rules must be followed with respect to the CBS source code.

d.         Ensure that contractors who are granted access to the CBS source code sign a Bureau Non-Disclosure Agreement (see Attachment C) that prohibits them from distributing the code to any non-authorized individuals, and from using the code other than in direct support of the bureaus’ use of CBS.

e. Not modify CBS software, which is the financial system of record for the CBS bureaus.  CBS bureaus are prohibited from modifying CBS software and from executing modified CBS software in bureau production environments.  The only exceptions to this policy are found in Attachment A, “Development of Bureau-Specific Programs.”

.03       The bureau CBS manager or designee will:

a. Determine access authorization and grant permission, on a case-by-case basis, to government and/or contractor personnel to make or transport copies of the CBS source code outside of bureau-controlled facilities.

b.         Maintain a list of approvals, including the name of the requestor, medium onto which the CBS source code was copied, location to which copy is to be transported, purposes of use, and duration of authorization. 

.04       Authorized OFM/CSC and CBS bureau personnel will, prior to accessing CBS, read and sign the “Rules of Behavior” document (Attachment B), which specifies the rules that must be followed with respect to the CBS source code.

SECTION 6. EFFECT ON OTHER ORDERS.

This Order supersedes Department Administrative Order 203-31, dated December 7, 2007.

Signed by: Director, Office of Financial Management

Approved by: Chief Financial Officer and Assistant Secretary for Administration

Office of Primary Interest: Office of Financial Management CBS Solutions Center


Page last updated: February 2, 2010