NESDIS Quality Procedure [NQP] – 3416 Effective Date: September 1, 2011
Revision 1.3 Expiration Date: Until Superseded
The SO may add additional fields as necessary for local purposes.
7.1.2. Software Inventory
The Software inventory shall be used to track licenses and identify specific
implementations of software products and packages. The specific implementation
information includes version, revision numbers, and service pack, and is intended to
support identification and mitigation when vulnerabilities are identified in software
running on the system. The software inventory supports the implementation of SA-6
Software Usage Restrictions. Copyright and licensing information shall be maintained for
all software products utilized on the system. Each software item shall be explicitly linked
to each instance of the physical hardware that hosts the software, and if applicable, to
each instance of a virtual machine on which the software runs. Users shall be prevented
from unauthorized copying of Government-licensed commercial software except through
approved distribution that includes updating the software inventory.
Virtual machines are instances of operating systems running on a physical component
where a physical component may host multiple instances of an operating system running
at the same time. Typically, a virtual machine is an instance of an operating system that
runs within another operating system. However, with advanced hardware, it is possible
for the hardware to manage the operating system instances without a traditional host
operating system. Each operating system has its own configuration and possible
vulnerabilities. The ISSO must track and maintain every instance of each operating
system. Likewise, software running within a virtual machine may be[3] considered a
separate instance of the software for licensing purposes and therefore must be verifiable
as appropriately licensed.
The SO shall maintain a complete list of software packages on each physical and logical
entity in the inventories. Software inventory shall identify revision/service pack and the
specific identification and configuration for every component upon which it is installed,
including hardware components and virtual machines. The SO must track (at a minimum)
the following software packages:
• All authorized user-controlled software installations
• All configuration controlled software (including each variant of the operating
systems)
• Commercial and licensed products including licensed and used quantities
• Products that offer services to other components[4]
[3] Depending on manufacturer software licensing agreements. Software is typically licensed by installation, CPU, or
site license. Regardless of the software license agreement, each installation must be tracked.