PROTECTION OF THE COMMERCE BUSINESS SYSTEMS (CBS) SOURCE CODE

Number: DAO 203-31
Effective Date: 2007-12-07

SECTION 1. PURPOSE.

.01 This Order prescribes the policy and procedures for the protection of the CBS source code from licensing agreement violations, unauthorized modification, or destruction.

.02 CBS is a Department-wide financial management system comprised of a standard Core Financial System (CFS), a data warehouse, and standard interfaces that communicate with administrative systems containing financial data. It was acquired as a Commercial Off-The-Shelf (COTS) product in 1994 and has been modified to support Departmental business functions.

.03 The overall management concept for CBS is that a single integrated set of software, which has been acquired by the Department of Commerce (DOC), functions under a cooperative effort which includes the active participation of all the bureaus within the Department.

.04 CBS is maintained by the Office of Financial Management (OFM) Commerce Business Systems Solutions Center (CSC) in Gaithersburg, Maryland, which is responsible for the requirements identification, design, programming, testing, software configuration management, CBS system documentation, and other activities associated with the deployment and maintenance of the CBS software.

.05 This revision changes the name of the Commerce Administrative Management System (CAMS) to the Commerce Business Systems (CBS) and provides a general update of the Order.

SECTION 2. POLICY.

.01 The OFM/CSC and the bureaus using CBS will protect the CBS source code from licensing agreement violations, unauthorized modification, or destruction.

SECTION 3. AUTHORITY.

.01 Office of Management and Budget (OMB) Circular No. A-127, “Financial Management Systems.”

.02 OMB Circular No. A-130, “Management of Federal Information Resources,” Section 8, Policy, “Use of Information Resources.”

.03 General Accountability Office, Accounting and Information Management Division, “Federal Information System Controls Audit Manual, 12.19.6,” Section 3.3, “Application Software Development and Change Control,” Section 3.4, “System Software,” and Section 3.5, “Segregation of Duties.”

.04 Contract 50-SAAA-5-00032, effective date December 1, 1994, with Andersen Consulting LLP, that provided a CFS, including all software, documentation, warranty, technical support, training, and maintenance for the DOC.

.05 “DOC IT Security Program Policy and Minimum Implementation Standards,” Section 2.1, “IT Security Roles and Responsibilities.”

.06 National Institute of Standards and Technology (NIST) Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems,” Section 4, “Management Controls,” and Section 5.MA.5, “Application Software Maintenance Controls.”

SECTION 4. DEFINITIONS.

.01 The Director, Financial Management Systems is designated by the Director, Office of Financial Management, as the individual responsible for the department-wide management of the CBS program.

.02 “CBS bureau” is defined as any bureau or operating unit which currently uses CBS, such as the Bureau of the Census, the Economic Development Administration (EDA), the National Oceanic and Atmospheric Administration (NOAA), and NIST, or any other bureau which may implement CBS in the future.

.03 The “bureau CBS manager” or designee is the individual responsible for determining access authorization and for maintaining an up-to-date list of all personnel who have been granted access to the CBS source code.

.04 “Authorized OFM/CSC and CBS bureau and contractor personnel” are those individuals who have written approval by a bureau CBS manager for access to the CBS source code.

.05 “Single, integrated financial management system” means a unified set of financial systems and the financial portions of mixed systems encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls and data necessary to carry out financial management functions, manage financial operations for the agency and report on the agency’s financial status to central agencies, Congress, and the public. Unified means that the systems are planned for and managed together, operated in an integrated fashion, and linked together electronically in an efficient and effective manner to provide agency-wide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs. (OMB Circular A-127).

.06 The “CBS software” is defined as:

a. All software modules of the CFS, all interfaces with the CFS, the CFS Data Warehouse (DW), and any administrative module containing financial data maintained by the OFM/CSC. This includes database objects, e.g., Structured Query Language (SQL) scripts, triggers, and stored procedures and functions and packages that the OFM/CSC delivers to or maintains for the bureaus.

b. Any software not covered in Section .06a above that the OFM/CSC acquires, develops, or maintains for the bureaus and for which the OFM/CSC provides software configuration management and versioning control.

.07 “Bureau software” is defined as any software developed and maintained by a bureau to support or enhance CBS. This includes unique administrative modules, interfaces, documentation, and additional database objects such as tables, indices, views, snapshots, reports, and so forth.

.08 “Modifications to the CBS Software” include:

a. All changes to CBS software, documentation, and supporting database objects as listed in Section .06a above.

b. The creation of any new programs or database structures that modify CBS software.

c. Any upgrades to the software development technologies and database technologies (technology migration) upon which the CBS applications have been developed. These technologies are COTS software necessary for the installation of CBS software as provided in the CSC Standard System Configuration. The CSC Standard System Configuration contains CSC-supported desktop and server system configurations. The configurations listing can be found at the CBS Web site, www.camsic.osec.doc.gov/design/designdocs.htm; scroll down and click on "CSC Certified Software and Hardware."

.09 An “interface” is defined as an automated process for transferring data between CBS databases and external systems consisting of one or more programs that load data files into the CBS databases. The interface may include interactive user screens needed to control the processes or correct problems in the transfer. An interface does not include the creation of data entry screens to manually enter data from a feeder system.

.10 The “Technical Advisory Council” (TAC), represented by functional accounting staff from OFM and the CBS bureaus, considers proposed changes to software functionality; assesses their technical feasibility; assesses their impact on system architecture and performance; identifies alternative approaches to achieve desired result(s) of proposed change; and recommends to CBS managers the preferred approach (or presents issues if no recommended approach).

SECTION 5. RESPONSIBILITIES.

.01 The OFM/CSC (for organizational structure see Department of Commerce OFM/CSC website: http://www.camsic.osec.doc.gov) will:

a. Serve as the Department’s CBS software manager and ensure that policies concerning the protection of CBS software are followed.

b. Develop and implement modifications to the CBS software and manage the DOC software change control process under which all software changes are made.

c. Coordinate and control the release and deployment of CBS software releases, new CBS software modules, and emergency fixes to operational sites within bureaus, and investigate and correct any logic errors detected in the CBS software code and database.

d. Authorize, when necessary, CBS bureaus to provide requirements development, design, or programming resources to complete software development assignments according to the process discussed in Attachments A, “Making Changes to CBS Software” and B, “Development of Bureau-Specific Programs.”

e. Analyze their CBS production environments and identify all occurrences of code not in compliance with the DAO and follow Remediation Procedures outlined in Attachment C, “Remediation of Non-Compliant CBS and Bureau Software.”

.02 The CBS bureaus will:

a. Provide a secure site for the operations of the CBS software and ensure that access to the CBS source code is given only to authorized government and contractor personnel who have a specific need to know the code.

b. Implement security controls to protect the CBS source code, including the following:

1. Designate a secure drive, in which the source code will be saved, to which access is restricted.

2. Restrict user access to the network drive to only those individuals required to process the CBS source code.

3. Separate duties for those individuals handling the source code so that more than one person is responsible for performing the functions of the database administrator, system administrator, tester, and configuration manager.

c. Distribute the “Rules of Behavior” form (see Attachment D) to all personnel and specify that the rules must be followed with respect to the CBS source code.

d. Maintain “Request for CBS Source Code” forms (see Attachment E) and a listing of approvals, including the name of the requestor, medium onto which the CBS source has been copied, location to which the copy is to be transported, purpose of use, and duration of authorization.

e. Ensure that contractors who are granted access to the CBS source code sign a Non-Disclosure Agreement (see Attachment F) that prohibits them from distributing the code to any non-authorized individuals, and from using the code other than in direct support of the bureaus’ use of CBS.

f. Not modify CBS software, the financial system of record for the CBS bureaus. CBS bureaus are prohibited from modifying CBS software and from executing the modified CBS software in bureau production environments. The only exceptions to this policy are found in Attachments A, “Making Changes to CBS Software” and B, “Development of Bureau-Specific Programs.”

.03 The bureau CBS manager or designee will:

a. Determine access authorization and grant permission, on a case-by-case basis, to government and/or contractor personnel to make or transport copies of the CBS source code outside of bureau-controlled facilities.

b. Maintain a list of approvals, including the name of the requestor, medium onto which the CBS source code was copied, location to which copy is to be transported, purposes of use, and duration of authorization. Also maintain completed “Request for CBS Source Code” (Attachment E) forms.

.04 Authorized OFM/CSC and CBS bureau personnel will:

a. Read and sign the “Rules of Behavior” document (Attachment D) that specifies the rules which must be followed with respect to the CBS source code.

b. Use the “Request for CBS Source Code” form (Attachment E) for any requests to make and/or transport copies of the CBS source code outside bureau-controlled facilities.

c. At the end of the authorization period, return the CBS source code copy to the bureau CBS manager or designee, or provide written notice to the bureau CBS manager or designee that the copy has been destroyed.

.05 OFM/CSC and CBS bureau contractors will sign a Non-Disclosure Agreement (Attachment F) that prohibits them from distributing the code to any non-authorized individuals, and from using the code other than in direct support of the bureaus’ use of CBS.

SECTION 6. EFFECT ON OTHER ORDERS.

This Order supersedes Department Administrative Order 203-31, dated February 9, 2004.

Signed by: Director, Office of Financial Management

Approved by: Chief Financial Officer and Assistant Secretary for Administration

Office of Primary Interest: Office of Financial Management CBS Solutions Center

Attachment A

Office of Privacy and Open Government
Office of the Chief Financial Officer and Assistant Secretary for Administration
U.S. Department of Commerce

Page last updated: February 2, 2010